Issuing certificates from a self-built private CA
1. Operating system: both hosts, the CA and the server, run CentOS 7;
======================================================= Creating the CA =====================================================
2. Check the configuration file and make sure the relevant directories and files exist;
Check the configuration file
~]# cat /etc/pki/tls/openssl.cnf
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
Set up the relevant directories and files
The directories /etc/pki/CA/{certs,crl,newcerts} must exist
Create the files /etc/pki/CA/{serial,index.txt} (index.txt is the CA's database and starts out empty)
When creating the CA for the first time, write the starting serial number into serial: echo 01 > /etc/pki/CA/serial
3. Generate the CA private key:
# umask 077 makes the key file readable by root only;
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
4. Generate the self-signed certificate: the CA signs its own certificate;
# -x509: output a self-signed certificate instead of a signing request; used only when creating a private CA;
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
5. The CA is now created. Note: write down the country, province and city you enter when creating the CA's self-signed certificate; when other applications later request certificates, the country, province and city they enter must match, because the CA's default signing policy (the policy_match section of openssl.cnf) rejects requests whose DN fields marked "match" differ from the CA's own;
===================================================== server: the http application requests a certificate ==================================================================
1. Create a directory to hold httpd's certificate; it is usually best placed under httpd's configuration directory, which makes it easier to manage;
~]# mkdir /etc/httpd/ssl
2. Generate the httpd private key;
~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
3. Generate the certificate signing request (the validity period is decided by the CA when it signs, not by the request);
~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Note: the country, province and city entered here must be the same as the CA's;
4. Write the extension file;
~]# echo "subjectAltName = DNS:*.server.com, DNS:server.com" > /etc/httpd/ssl/http.ext
Note: these are the domain names clients will use to reach the service (browsers match the hostname against the subjectAltName);
5. Transfer /etc/httpd/ssl/http.ext and /etc/httpd/ssl/httpd.csr to the CA host's /tmp directory by a trustworthy channel (the private key httpd.key stays on the server and is never sent);
====================================================================== The CA signs the certificate ===============================================================
1. Run the signing command;
~]# openssl ca -in /tmp/httpd.csr -out /tmp/http.crt -days 365 -extfile /tmp/http.ext
2. Send the signed /tmp/http.crt back to the server host;
==================================================================== server: configure httpd to use the certificate ===========================================================
1. Install httpd's SSL module;
~]# yum install mod_ssl
2. Copy the CA-signed certificate http.crt into /etc/httpd/ssl;
3. Configure HTTPS in httpd;
~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/http.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
4. Restart the httpd service: systemctl restart httpd
=============================================================================== Browser configuration =============================================================
1. Import the root certificate, i.e. the CA's certificate /etc/pki/CA/cacert.pem;
Google Chrome: Settings --> search for "security" --> Manage certificates --> select "Trusted Root Certification Authorities" --> Import --> when choosing the file, set the file type to "All files" --> complete the import.
2. Edit the hosts file on the browser machine and add an entry mapping the server's domain name to its IP;
3. Access the server's service over HTTPS: https://server.com/
Reference: https://www.cnblogs.com/will-space/p/11913744.html
Fixing Chrome's NET::ERR_CERT_COMMON_NAME_INVALID error (Chrome ignores the certificate's Common Name and only matches the hostname against the subjectAltName); the steps above already handled this with:
echo "subjectAltName = DNS:*.server.com, DNS:server.com" > /etc/httpd/ssl/http.ext
IP configuration:
[root@CA ~]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.1.1
IP.2=192.168.1.2
DNS configuration:
[root@CA ~]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=test.com
DNS.2=www.test.com
extendedKeyUsage specifies the certificate's purposes, i.e. what it may be used for; the common values are:
serverAuth: assures the identity of a remote computer (TLS server authentication)
clientAuth: proves your identity to a remote computer (TLS client authentication)
codeSigning: ensures software came from the software publisher and protects it from alteration after release
emailProtection: protects e-mail messages (S/MIME)
timeStamping: allows data to be signed with the current time
If it is not specified, the default is "all application policies", i.e. any purpose
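The whole procedure above (CA bootstrap, server CSR, SAN/extendedKeyUsage extension file, signing with openssl ca, and the trust and hostname checks a browser makes after importing cacert.pem) as an added example that is not from the original post. It uses a throwaway directory with a minimal config instead of /etc/pki/CA, and the names server.example, the DN /C=CN/ST=Beijing/O=Example and the address 192.0.2.10 are constructed for the demo.

```shell
# Added demo, not from the original post: throwaway private CA in a temp dir,
# server cert issued from a CSR + SAN extfile, then the checks a browser makes.
# Constructed names: server.example, /C=CN/ST=Beijing/O=Example, 192.0.2.10.
set -eu
demo_private_ca() {
  WORK=$(mktemp -d); CA="$WORK/CA"
  mkdir -p "$CA/newcerts" "$CA/private"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"      # same bootstrap as /etc/pki/CA
  # Minimal config mirroring CA_default; policy_match is why C/ST/O must equal the CA's
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  DN="/C=CN/ST=Beijing/O=Example"          # shared by CA and server so policy_match passes
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA/ca.cnf" -key "$CA/private/cakey.pem" \
    -subj "$DN/CN=Example Private CA" -days 365 -out "$CA/cacert.pem"
  (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)   # key never leaves the server
  openssl req -new -config "$CA/ca.cnf" -key "$WORK/httpd.key" \
    -subj "$DN/CN=server.example" -out "$WORK/httpd.csr"
  # extfile like http.ext: browsers match the host against SAN, not CN (ERR_CERT_COMMON_NAME_INVALID)
  printf '%s\n' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:server.example, DNS:*.server.example, IP:192.0.2.10' > "$WORK/httpd.ext"
  openssl ca -batch -notext -config "$CA/ca.cnf" -in "$WORK/httpd.csr" -out "$WORK/httpd.crt" \
    -days 365 -extfile "$WORK/httpd.ext" >/dev/null 2>&1
  # What the browser does after importing cacert.pem: chain check plus SAN hostname match
  openssl verify -CAfile "$CA/cacert.pem" -verify_hostname www.server.example "$WORK/httpd.crt" >/dev/null
  echo "$WORK"
}
```

The function prints the work directory; inspect the issued certificate with `openssl x509 -in "$WORK/httpd.crt" -noout -text` to see the SAN and EKU the CA copied from the extfile.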