  • System Security - (Private CA)

    The CA and the web server run on the same virtual machine.
     
    HTTPD + OpenSSL = HTTPS
    Configure the CA server
    ========================================================
     
    1. Configure the CA: generate the CA's own key pair and self-sign the CA certificate (done by the bundled CA script).
    [root@ws1 ~]# vim /etc/pki/tls/openssl.cnf
    169 # This goes against PKIX guidelines but some CAs do it and some software
    170 # requires this to avoid interpreting an end user certificate as a CA.
    171 
    172 basicConstraints=CA:TRUE
    Caveat: line 172 sits in the [ usr_cert ] section, which supplies the extensions for certificates this CA issues to others, not for the CA's own certificate (that one is built from [ v3_ca ], where CA:true is already the default). The run below was done with this line changed from the default CA:FALSE to CA:TRUE, which is why the issued server certificate further down carries "X509v3 Basic Constraints: CA:TRUE": a web server key that can itself sign certificates trusted by every browser that has imported this CA. Leave the line at basicConstraints=CA:FALSE; the CA -newca step needs no edit to openssl.cnf.
    [root@ws1 ~]# /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .......................+++
    .............+++
    writing new private key to '/etc/pki/CA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:    set the private key passphrase
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:panda
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:ca.panda.com
    Email Address []:ca@panda.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                bd:c6:a3:34:68:2e:67:b9
            Validity
                Not Before: Jul 29 12:10:07 2019 GMT
                Not After : Jul 28 12:10:07 2022 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = beijing
                organizationName          = panda
                organizationalUnitName    = it
                commonName                = ca.panda.com
                emailAddress              = ca@panda.com
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    92:99:A7:72:67:24:08:6B:91:98:54:B1:A7:13:81:84:F6:89:D8:4C
                X509v3 Authority Key Identifier: 
                    keyid:92:99:A7:72:67:24:08:6B:91:98:54:B1:A7:13:81:84:F6:89:D8:4C
    
                X509v3 Basic Constraints: 
                    CA:TRUE
    Certificate is to be certified until Jul 28 12:10:07 2022 GMT (1095 days)
    
    Write out database with 1 new entries
    Data Base Updated
    /etc/pki/CA/private/cakey.pem   CA private key (passphrase-protected; keep it mode 0600 and never copy it to the web server's directories)
    /etc/pki/CA/cacert.pem          CA certificate (the only file that is distributed to clients)
    /etc/pki/CA/careq.pem           CA certificate request
     
    Configure the web server
    ===============================================================
    The web server generates its own private key
    [root@ws1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
    Generating RSA private key, 2048 bit long modulus
    ..........................+++
    .........................................................................................
    ...................................+++
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
     
    Generate the certificate request (identity information + public key)
    [root@ws1 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /etc/httpd/conf.d/server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:panda
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:www.wangs.com
    Email Address []:www@wangs.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Country, State/Province and Organization must be identical to the CA certificate's: the default policy_match section in openssl.cnf, which `openssl ca` applies, requires those three to match, treats OU and email as optional, and drops fields it does not list (Locality is missing from the Subject in the signing output below for that reason). Common Name is the hostname clients will type, but this request carries no subjectAltName, and browsers match the hostname against the SAN rather than the CN (Chrome has not fallen back to the CN since version 58; Firefox does so only for manually imported roots such as this one). A certificate meant for general use therefore needs subjectAltName=DNS:www.wangs.com added at signing time.

    The CA signs the certificate request
    =============================================================================

    [root@ws1 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /etc/httpd/conf.d/server.csr -out /etc/httpd/conf.d/server.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                bd:c6:a3:34:68:2e:67:ba
            Validity
                Not Before: Jul 29 12:32:05 2019 GMT
                Not After : Jul 28 12:32:05 2020 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = beijing
                organizationName          = panda
                organizationalUnitName    = it
                commonName                = www.wangs.com
                emailAddress              = www@wangs.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:TRUE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    63:7B:00:92:89:A6:3F:B5:B5:B7:57:6B:33:05:5A:51:83:0F:B7:31
                X509v3 Authority Key Identifier: 
                    keyid:92:99:A7:72:67:24:08:6B:91:98:54:B1:A7:13:81:84:F6:89:D8:4C
    
    Certificate is to be certified until Jul 28 12:32:05 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    If signing fails with "ERROR:There is already a certificate for ..." (the CA database /etc/pki/CA/index.txt already holds a valid certificate with the same subject, typically because the steps were re-run):

    Method one (lab only: this wipes the record of every certificate this CA has issued, so none of them can be revoked or listed in a CRL afterwards):
    [root@vlnx251106 ~]# rm /etc/pki/CA/index.txt
    [root@vlnx251106 ~]# touch /etc/pki/CA/index.txt
    
    Method two (preferred): allow more than one valid certificate per subject
    [root@vlnx251106 ~]# cat /etc/pki/CA/index.txt.attr
    unique_subject = yes
    Change yes to no, then re-run the signing command. The cleanest option is to revoke the superseded certificate first (openssl ca -revoke <old certificate file>) and sign again: only entries marked valid in index.txt count as duplicates.
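The CA setup, server CSR and signing above, redone as one non-interactive script that also fixes the two problems noted along the way: the issued certificate gets basicConstraints CA:FALSE and a subjectAltName for the hostname. This is an added example, not the original post's commands. It uses the post's DN values and hostname www.wangs.com; the working directory, the unencrypted keys (-nodes) and the use of `openssl x509 -req` in place of `openssl ca` (so no index.txt/serial database is needed) are assumptions for a lab run. Only options present in OpenSSL 1.0.2 and later are used.

```shell
#!/usr/bin/env bash
# Added example, not the original post's commands: build a private CA and
# issue a server certificate without prompts, then check the result.
# Assumptions: openssl(1) 1.0.2 or newer on PATH; keys are written without a
# passphrase (-nodes) so nothing prompts; DN values and the hostname
# www.wangs.com follow the post; the working directory is arbitrary.
set -eu

# Build a CA under $1 and issue a server certificate for hostname $2.
# $3 is the basicConstraints value put on the SERVER certificate:
# CA:FALSE is correct; CA:TRUE reproduces the flag that the post's
# [ usr_cert ] edit produced (see the signing output in the walkthrough).
make_pki() {
    local dir=$1 host=$2 leaf_bc=${3:-CA:FALSE}
    mkdir -p "$dir"

    # Minimal req config: an empty DN section (the subject comes from -subj)
    # plus the CA extensions that the CA script takes from [ v3_ca ].
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name   = dn
x509_extensions      = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Extensions for the issued server certificate. subjectAltName carries
    # the hostname: browsers match the name against the SAN, not the CN.
    cat >"$dir/server.ext" <<EOF
basicConstraints       = $leaf_bc
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. CA key pair and self-signed CA certificate (what `CA -newca` does).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$dir/ca.cnf" \
        -subj "/C=CN/ST=beijing/L=beijing/O=panda/OU=it/CN=ca.panda.com" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server key and CSR. C, ST and O match the CA, as policy_match in
    #    the default openssl.cnf requires when `openssl ca` signs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" \
        -subj "/C=CN/ST=beijing/L=beijing/O=panda/OU=it/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. CA signs the CSR. -extfile supplies the leaf extensions, so the CA,
    #    not the requester, decides CA:FALSE and the SAN; the CSR's own
    #    requested extensions are ignored.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Does the server certificate chain to the CA and match hostname $2?
chain_ok() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Print a certificate's basicConstraints CA flag: TRUE or FALSE.
# A server certificate must print FALSE; the post's did not.
ca_flag() {
    openssl x509 -in "$1" -noout -text |
        awk '/Basic Constraints/ { getline; sub(/.*CA:/, ""); sub(/[^A-Z].*/, ""); print }'
}

# Print the DNS names in a certificate's subjectAltName (empty if none).
san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^[ \t]+|DNS:/, ""); print }'
}

# Demo: a correctly issued certificate beside the post's CA:TRUE variant.
demo() {
    local work v
    work=$(mktemp -d)
    make_pki "$work/good" www.wangs.com CA:FALSE
    make_pki "$work/bad"  www.wangs.com CA:TRUE
    for v in good bad; do
        printf '%s: chain %s, CA flag %s, SAN %s\n' "$v" \
            "$(chain_ok "$work/$v" www.wangs.com && echo ok || echo FAIL)" \
            "$(ca_flag "$work/$v/server.crt")" "$(san_names "$work/$v/server.crt")"
    done
    rm -rf "$work"
}
demo
```

Run it as `bash make-pki.sh`; the good variant prints `CA flag FALSE, SAN www.wangs.com`, the bad variant prints `CA flag TRUE`, which is exactly the line to look for in the `Certificate Details` output of `openssl ca` before answering "Sign the certificate? y". For a real deployment keep `openssl ca` with its database (it is what makes revocation and CRLs possible) and put the server.ext contents into the [ usr_cert ] section, or pass them with `openssl ca -extfile`.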
    Configure the web server for SSL (HTTPS)
    ==========================================================
     [root@ws1 ~]# yum install mod_ssl -y
     
     [root@ws1 ~]# vim /etc/httpd/conf.d/ssl.conf
     95 #   Server Certificate:
     96 # Point SSLCertificateFile at a PEM encoded certificate.  If
     97 # the certificate is encrypted, then you will be prompted for a
     98 # pass phrase.  Note that a kill -HUP will prompt again.  A new
     99 # certificate can be generated using the genkey(1) command.
    100 SSLCertificateFile /etc/httpd/conf.d/server.crt
    101 
    102 #   Server Private Key:
    103 #   If the key is not combined with the certificate, use this
    104 #   directive to point at the key file.  Keep in mind that if
    105 #   you've both a RSA and a DSA private key you can configure
    106 #   both in parallel (to also allow the use of DSA ciphers, etc.)
    107 SSLCertificateKeyFile /etc/httpd/conf.d/server.key
    [root@ws1 ~]# systemctl restart httpd
    Enter SSL pass phrase for 192.168.88.101:443 (RSA) : ******
    [root@ws1 ~]# netstat -tunpl | grep 443
    tcp6       0      0 :::443                  :::*                    LISTEN      5151/httpd
    Because server.key was encrypted with -des3, httpd asks for the passphrase at every restart and cannot come back up unattended. For a server key either strip the passphrase (openssl rsa -in server.key -out server-nopass.key, then point SSLCertificateKeyFile at the new file) and keep the file root-owned with mode 0600, or supply it through SSLPassPhraseDialog in ssl.conf. httpd only parses *.conf files in conf.d, so the .key and .crt files there are not read as configuration, but /etc/pki/tls/private and /etc/pki/tls/certs are the conventional locations.
    The client downloads the CA certificate and imports it into the browser, then visits the www server
    
    [root@ws1 ~]# scp /etc/pki/CA/cacert.pem  192.168.88.105:/tmp/
    root@192.168.88.105's password: 
    cacert.pem                                             100% 4438    91.6KB/s   00:00 
    Only cacert.pem (the public certificate) leaves the CA; cakey.pem never does. Once imported as a trusted authority, this certificate makes the browser accept every certificate the CA ever signs, so the CA key deserves the same protection as a production root.

    Open a virtual machine with a graphical desktop.

    Open the Firefox settings and go to Privacy & Security.

     

  • Original article: https://www.cnblogs.com/MR-ws/p/11266501.html