Setting up a CA on CentOS 7 and issuing certificates for HTTPS

程序员文章站 2022-07-03 15:24:04

TLS: Transport Layer Security.

SSL: Secure Socket Layer.

For developers who are not security specialists, TLS and SSL can be treated as roughly the same thing; they are parallel protocols, and the detailed differences are described at http://kb.cnblogs.com/page/197396/

KEY usually refers to the private key.

CSR stands for Certificate Signing Request. It is not a certificate; it can loosely be thought of as the public key (together with the subject information) that is submitted to an authoritative certificate authority when a certificate is to be issued.

CRT is short for certificate.

X.509 is a certificate format. For an X.509 certificate the certifier is always a CA or someone designated by the CA; an X.509 certificate is a collection of standard fields that carry information about a user or device and its corresponding public key.

X.509 certificate files usually end in .crt and come in two encodings, depending on how the file content is encoded:

PEM - Privacy Enhanced Mail: a text format that starts with "-----BEGIN..." and ends with "-----END...", with the content Base64-encoded.
Apache and *NIX servers tend to use this encoding.

DER - Distinguished Encoding Rules: a binary format that is not human-readable.
Java and Windows servers tend to use this encoding.
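The relationship between the two encodings is mechanical: PEM is the DER bytes Base64-encoded and wrapped in BEGIN/END armor. The script below, an added example written for this page (editor's code, not from the original post), detects which form a file is in and converts between them using only the Python standard library. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a certificate body (a real DER certificate is also an outer SEQUENCE); it also tolerates the "Proc-Type:" headers that an encrypted private key carries, like the server.key shown later in this post.

```python
"""Tell PEM from DER and convert between them without openssl.

Added example (editor's code, not from the original post); standard library only.
SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE standing in for a certificate
body; the armor label is the one openssl uses for X.509 certificates.
"""
import base64
import re
from typing import Tuple

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def detect_format(data: bytes) -> str:
    """PEM starts with the text armor; DER of any X.509 object starts with the
    SEQUENCE tag 0x30. Anything else is reported as unknown."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_length(data: bytes) -> int:
    """Encoded size (tag + length octets + content) of the DER object at the
    start of data, handling both short-form and long-form lengths."""
    if len(data) < 2:
        raise ValueError("truncated DER")
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n octets of length follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("invalid DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_to_der(pem: bytes) -> Tuple[str, bytes]:
    """Strip the armor, drop any RFC 1421 headers (e.g. 'Proc-Type:') that an
    encrypted key carries, Base64-decode and, for plain objects, check that the
    outer DER length matches the decoded size."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1).decode()
    body = [ln.strip() for ln in m.group(2).splitlines()]
    encrypted = any(b"ENCRYPTED" in ln for ln in body)
    payload = b"".join(ln for ln in body if ln and b":" not in ln)  # ':' never occurs in Base64
    der = base64.b64decode(payload, validate=True)
    if not encrypted and der_length(der) != len(der):
        raise ValueError("DER length does not match decoded data")
    return label, der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64 in 64-character lines between BEGIN/END armor, as openssl writes it."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines) + b"\n-----END " + tag + b"-----\n"


# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 65537 }
SAMPLE_DER = bytes.fromhex("30080201050203010001")


def round_trip(der: bytes) -> bool:
    """DER -> PEM -> DER must reproduce the input byte for byte."""
    label, back = pem_to_der(der_to_pem(der))
    return label == "CERTIFICATE" and back == der


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER).decode(), end="")
    print("round trip ok:", round_trip(SAMPLE_DER))
```

This is the same transformation `openssl x509 -inform PEM -outform DER` performs; the length check is a cheap sanity test that the Base64 payload really is one complete DER object rather than a truncated or concatenated file.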

OpenSSL is one implementation of SSL/TLS: if the SSL specification is the interface in OO terms, OpenSSL is an implementation of that interface. The specification itself may be sound while a concrete implementation has flaws; the earlier "Heartbleed" vulnerability, for example, was a bug in OpenSSL.

 

OpenSSL is an open-source project made up of three main components:

  1. openssl: the multi-purpose command-line tool
  2. libcrypto: the cryptographic algorithm library
  3. libssl: the library that implements SSL and TLS on top of libcrypto

openssl covers key and certificate management, symmetric encryption and asymmetric encryption; see the project website for a fuller introduction.

Commands

Most everyday use of OpenSSL is through its subcommands; the most common ones are:

  1. genrsa: generate RSA keys
  2. req
  3. x509
  4. rsa
  5. ca

genrsa

Mainly used to generate private keys: you choose the cipher that protects the key, the passphrase, and the key length.

Basic usage:

openssl genrsa [args] [numbits]

Common parameters (see openssl genrsa -help for the full list):

args1 whether to protect the generated private key file with a symmetric cipher:
    -des : DES in CBC mode
    -des3 : 3DES in CBC mode
    -aes128 : AES-128 in CBC mode
    -aes192 : AES-192 in CBC mode
    -aes256 : AES-256 in CBC mode
args2 passphrase for the symmetric cipher
    -passout passwords
    where passwords is the passphrase for the symmetric cipher (des, 3des, aes); supplying it skips the interactive prompt on the console
args3 output file
    -out file : output private key file
[numbits]: key length, i.e. the length of the private key in bits

Generate a 2048-bit RSA private key, protect it with 3DES (passphrase 123456) and save it as server.key:

openssl genrsa -des3 -passout pass:123456 -out server.key 2048
# -des3 is the first parameter, args1
# -passout pass:123456 is how the second parameter, args2, is written
# -out server.key is the third parameter, args3
# 2048 is the final [numbits] parameter

req

req has two main jobs: generating certificate requests and generating self-signed certificates. That is not all it can do, but these two uses are by far the most common.

Common usage:

openssl req [args] outfile

Main parameters (see openssl req -help for the full list):

args1 input file format: -inform arg
    -inform DER input file is DER
    -inform PEM input file is PEM
args2 output file format: -outform arg
    -outform DER output file is DER
    -outform PEM output file is PEM
args3 file to process
    -in inputfilepath
args4 file to write
    -out outputfilepath
args5 passphrase that unlocks the private key used to sign the request being generated
    -passin passwords
args6 private key file used to sign the request being generated
    -key file
args7 encoding of the input key: -keyform arg
    -keyform  DER
    -keyform  NET
    -keyform  PEM
args8 generate a new certificate request
    -new

args9 output an X.509 certificate rather than a request; used when producing a self-signed certificate
    -x509
args10 validity period of the X.509 certificate being signed
    -days  // -days 3650 is valid for 10 years

args11 generate a new RSA private key of the given bit length and use it for the request; lets you create the private key and the self-signed certificate in one step
    -newkey rsa:bits

args12 hash (digest) algorithm used for the signature: -[digest]
    -md5
    -sha1  // newer browsers no longer trust this algorithm
    -md2
    -mdc2
    -md4
args13 openssl configuration file; many settings are awkward to pass as flags and can be set in the config file instead
    -config filepath
args14 print in text form (for inspecting a certificate or private key)
    -text

Example: generate a certificate request (CSR) from a private key

openssl req -new -key server.key -out server.csr

Example: generate a self-signed certificate from a private key

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

x509

x509 is a feature-rich certificate handling tool. It can display a certificate's contents, convert its format, sign a CSR, and perform other X.509 certificate management tasks.

Usage:

openssl x509 [args]

Parameters (see openssl x509 -help for the full list):

args1 input file format: -inform arg
    -inform DER input file is DER
    -inform PEM input file is PEM
args2 output file format: -outform arg
    -outform DER output file is DER
    -outform PEM output file is PEM
args3 X.509 certificate file to process
    -in inputfilepath
args4 X.509 certificate file to write
    -out outputfilepath
args5 the input file is a certificate signing request (CSR) waiting to be signed
    -req
args6 validity period of the signed certificate
    -days  // -days 3650 is valid for 10 years
args7 root CA certificate used to sign the request
    -CA arg
args8 format of the root CA certificate (default PEM)
    -CAform arg
args9 CA private key file used to sign the request
    -CAkey arg
args10 format of the root CA private key file (default PEM)
    -CAkeyform arg
args11 serial number file
    -CAserial arg
args12 create the serial number file automatically if none is specified
    -CAcreateserial
args13 hash (digest) algorithm used for the signature: -[digest]
    -md5
    -sha1  // newer browsers no longer trust this algorithm
    -md2
    -mdc2
    -md4

Example: sign the CSR server.csr with the root CA certificate ca.crt and private key ca.key, producing an X.509 certificate

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out serverx509.crt

rsa

ca

The self-signing process

Chrome and self-signed certificates

Insecurity of the SHA-1 hash/digest algorithm

Why Google is in a hurry to kill SHA-1:

Google announced on its official blog that Chrome will gradually downgrade the security indicator shown for SHA-1 certificates. Interestingly, Google.com itself currently uses a SHA-1-signed certificate, but that certificate expires within three months, and Google will use SHA-2-signed certificates from 2015. No serious weakness has yet been found in SHA-1, but the cost of forging a certificate keeps falling.

Chrome's missing subjectAltName complaint

The old simple self-signed certificates no longer work in Chrome; it reports missing_subjectAltName.
Fixing missing_subjectAltName:


CA overview

CA: Certificate Authority, usually translated as certification authority or certification center; its main job is to issue digital certificates to users.

Functions: certificate issuance, renewal, revocation and validation.

Purpose: identity authentication and non-repudiation of data.

Port: 443

Certificate request file: CSR is short for Certificate Signing Request. When an applicant requests a digital certificate, the CSP (cryptographic service provider) generates the certificate request file at the same time as the private key. The applicant submits the CSR to the certificate authority, which signs it with the private key of its root certificate; the result is the certificate file issued to the user.

Part 1: Building the CA

Configure a CA of your own

Setup: client CentOS 7.7, server CentOS 7.7

Preparation

Perform the following on the server (CentOS 7.7).

/etc/pki/CA/index.txt tracks the issued certificates and starts out empty. It must be exactly 0 bytes, otherwise openssl reports: wrong number of fields on line 1 (looking for field 6, got 1, '' left)

/etc/pki/CA/serial holds the certificate serial number counter; the initial value is 01, though 00 or another value also works.

  1. touch /etc/pki/CA/index.txt

  2. echo 01 > /etc/pki/CA/serial

OpenSSL package version: openssl-1.0.2k-19.el7

[aaa@qq.com CA]# cat ../tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

#dir		= /etc/pki/CA		# Where everything is kept
dir		= .
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048
default_md		= sha256
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= cn
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= beijing

localityName			= Locality Name (eg, city)
localityName_default		= beijing

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= superred

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= linux

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_default            = aaa@qq.com
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)

To begin, switch the working directory to /etc/pki/tls so the openssl config file is easy to reference.

[aaa@qq.com ~]# vim /etc/pki/tls/openssl.cnf + basicConstraints=CA:FALSE   # change FALSE to TRUE to turn this machine into a CA
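A check worth running on the edited file (an added example written for this page, editor's code, not from the original post): `openssl ca` copies the extensions from the section named by `x509_extensions` in `[ CA_default ]`, here `usr_cert`, into every certificate it signs. With the edit above each issued server certificate therefore carries `basicConstraints = CA:TRUE` (the signing output further down shows exactly that) and can itself sign certificates that chain back to this root. The root CA certificate gets its own `CA:TRUE` from the `v3_ca` section used with `req -x509`, so `usr_cert` can stay `CA:FALSE`. The script parses the relevant sections of an openssl.cnf with only the standard library and reports which setting applies to issued certificates; the two embedded fragments are constructed, one mirroring the edited file and one with the upstream default.

```python
"""Report which basicConstraints `openssl ca` will stamp on the certificates it signs.

Added example (editor's code, not from the original post); standard library only.
The two config fragments are constructed: CNF_AS_EDITED mirrors the post's edit
of [ usr_cert ] to CA:TRUE, CNF_CORRECTED keeps the upstream default CA:FALSE.
"""
import re
from typing import Dict

Section = Dict[str, str]


def parse_openssl_cnf(text: str) -> Dict[str, Section]:
    """Minimal parser for the subset of openssl.cnf syntax this check needs:
    [ section ] headers, key = value lines, '#' comments (including trailing
    ones) and $name / ${name} substitution from the same or default section."""
    sections: Dict[str, Section] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))

        def substitute(m):
            name = m.group(1) or m.group(2)
            return sections[current].get(name, sections["default"].get(name, m.group(0)))

        sections[current][key] = re.sub(r"\$\{(\w+)\}|\$(\w+)", substitute, value)
    return sections


def issued_cert_basic_constraints(cfg: Dict[str, Section]) -> str:
    """Follow [ ca ] default_ca -> x509_extensions -> basicConstraints, the
    chain `openssl ca` walks when it adds extensions to a signed certificate."""
    ca_section = cfg.get("ca", {}).get("default_ca", "CA_default")
    ext_section = cfg.get(ca_section, {}).get("x509_extensions")
    if ext_section is None:
        return "absent"
    return cfg.get(ext_section, {}).get("basicConstraints", "absent")


def issued_certs_are_cas(cfg: Dict[str, Section]) -> bool:
    """True when every certificate this CA signs would itself be a CA."""
    return "CA:TRUE" in issued_cert_basic_constraints(cfg).upper().replace(" ", "")


# Constructed fragment reproducing the post's edit of [ usr_cert ].
CNF_AS_EDITED = """
[ ca ]
default_ca = CA_default          # The default ca section

[ CA_default ]
dir             = /etc/pki/CA
private_key     = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert       # The extentions to add to the cert

[ usr_cert ]
#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
"""

# Same file with the upstream default restored for end-entity certificates.
CNF_CORRECTED = CNF_AS_EDITED.replace("basicConstraints=CA:TRUE", "basicConstraints=CA:FALSE")


def report(text: str) -> str:
    cfg = parse_openssl_cnf(text)
    value = issued_cert_basic_constraints(cfg)
    verdict = ("every issued certificate is a CA" if issued_certs_are_cas(cfg)
               else "issued certificates are end-entity only")
    return f"basicConstraints={value}: {verdict}"


if __name__ == "__main__":
    print("as edited :", report(CNF_AS_EDITED))
    print("corrected :", report(CNF_CORRECTED))
```

Run it against the real /etc/pki/tls/openssl.cnf by passing the file contents to `report()`; a CA whose issued certificates all say CA:TRUE has effectively handed each certificate holder the power to issue further certificates under the root.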

Configure the CA: generate the private key and the root certificate

[aaa@qq.com CA]# pwd
/etc/pki/CA
[aaa@qq.com CA]# ls
certs  crl  index.txt  newcerts  private  serial

Method 1:

[aaa@qq.com CA]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[aaa@qq.com CA]# /etc/pki/tls/misc/CA -newca^C
[aaa@qq.com CA]# 
[aaa@qq.com CA]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[aaa@qq.com CA]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..+++
..................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojihub.com
Email Address [aaa@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  2 02:07:06 2020 GMT
            Not After : Jun  2 02:07:06 2023 GMT
        Subject:
            countryName               = cn                      # country
            stateOrProvinceName       = beijing                 # state / province
            organizationName          = superred                # organization / company
            organizationalUnitName    = linux                   # organizational unit / department
            commonName                = www.kojihub.com         # CN; best given as the FQDN (hostname -f shows it). To set the FQDN:
                                                                # 1. /etc/sysconfig/network: NETWORKING=yes, HOSTNAME=kojihub
                                                                # 2. /etc/hosts: 10.10.3.161   www.kojihub.com    kojihub
            emailAddress              = aaa@qq.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                45:DC:45:10:24:27:81:57:A1:66:FD:96:FA:C1:A1:82:0F:57:DB:32
            X509v3 Authority Key Identifier: 
                keyid:45:DC:45:10:24:27:81:57:A1:66:FD:96:FA:C1:A1:82:0F:57:DB:32

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Jun  2 02:07:06 2023 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Resulting directory layout

[aaa@qq.com CA]# ls
cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[aaa@qq.com CA]# cat index.txt
V	230602021836Z		01	unknown	/C=cn/ST=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
V: valid
R: revoked, no longer usable
[aaa@qq.com CA]# cat serial
02
[aaa@qq.com CA]# ls private/
cakey.pem

/etc/pki/CA/cacert.pem: the CA server's root certificate

/etc/pki/CA/private/cakey.pem: the CA server's private key

/etc/pki/CA/careq.pem: the request file for the CA server's root certificate
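The index.txt shown above is the CA's database, and the status letter is only part of the story: `openssl ca` leaves an entry marked V after its notAfter date has passed unless `-updatedb` is run. The following added example (editor's code, not the post's) reads the six-field format `openssl ca` writes and classifies each entry as valid, revoked or expired at a given time, so a CA operator can see what is still live. SAMPLE_INDEX is constructed: its first line is the entry shown above, the second corresponds to the server certificate signed later in this post, and the third is an invented revoked entry with a placeholder subject.

```python
"""Read an OpenSSL CA database (index.txt) and classify each certificate.

Added example (editor's code, not from the post); standard library only. Each
line `openssl ca` writes has six tab-separated fields:
    status  expiry  revocation  serial  filename  subject
status is V (valid), R (revoked) or E (expired); dates are UTCTime
YYMMDDHHMMSSZ; the revocation field is empty or "date" / "date,reason".
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class IndexEntry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    filename: str
    subject: str


def parse_timestamp(value: str) -> datetime:
    """UTCTime as written by openssl ca: two-digit year, trailing Z."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            # the same complaint openssl ca raises for a malformed database
            raise ValueError(f"wrong number of fields on line {lineno} (looking for field 6, got {len(fields)})")
        status, expiry, revocation, serial, filename, subject = fields
        revoked = parse_timestamp(revocation.split(",", 1)[0]) if revocation else None
        entries.append(IndexEntry(status, parse_timestamp(expiry), revoked, serial, filename, subject))
    return entries


def effective_status(entry: IndexEntry, now: datetime) -> str:
    """Revocation wins; otherwise an entry still marked V counts as expired once
    notAfter has passed (openssl ca only rewrites V to E on -updatedb)."""
    if entry.status == "R":
        return "revoked"
    if entry.status == "E" or entry.expires <= now:
        return "expired"
    return "valid"


def summarize(text: str, now: str) -> Dict[str, int]:
    """Count entries by effective status at time `now` (same UTCTime format as the file)."""
    now_dt = parse_timestamp(now)
    counts = {"valid": 0, "revoked": 0, "expired": 0}
    for entry in parse_index(text):
        counts[effective_status(entry, now_dt)] += 1
    return counts


# Constructed sample database (line 1 is the entry shown in the post; line 3 is invented).
SAMPLE_INDEX = (
    "V\t230602021836Z\t\t01\tunknown\t/C=cn/ST=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com\n"
    "V\t210602030647Z\t\t02\tunknown\t/C=cn/ST=beijing/O=superred/OU=linux/CN=www.kojiweb.com/aaa@qq.com\n"
    "R\t250101000000Z\t200701120000Z,keyCompromise\t03\tunknown\t/C=cn/ST=beijing/O=superred/OU=linux/CN=placeholder.example\n"
)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%y%m%d%H%M%SZ")
    for e in parse_index(SAMPLE_INDEX):
        print(f"{e.serial} {effective_status(e, parse_timestamp(now)):8} expires {e.expires:%Y-%m-%d} {e.subject}")
    print(summarize(SAMPLE_INDEX, now))
```

Pointing `parse_index` at the real /etc/pki/CA/index.txt gives the same listing for a live CA; the field-count error mirrors the message quoted earlier for a non-empty index.txt.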

Method 2 (the one I use most often):

cd /etc/pki/koji/
mkdir {certs,private,confs}
touch index.txt
echo 01 > serial
cp /etc/pki/tls/openssl.cnf /etc/pki/koji/ssl.cnf
1. Generate the CA server's private key: openssl genrsa -out private/koji_ca_cert.key 2048
2. Use the private key from step 1 to generate the self-signed root certificate: openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca

The last command above asks you to confirm a number of fields for the certificate being generated. Assuming you have already edited the defaults for country, state/province, locality and organization in ssl.cnf, pressing Enter at each prompt is enough. The organizational unit and common name are the fields we will vary across the certificates we create; for the CA itself there is no hard requirement on them, though using the server's FQDN for this certificate is recommended.

If you want to automate this from a configuration-management tool, the certificate can be created non-interactively with a single command like this:

openssl req -config ssl.cnf -new -x509 \
-subj "/C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com" \
-days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca

It can also be combined into a single PEM bundle:

cat certs/koji_ca_cert.crt private/koji_ca_cert.key > koji_ca_cert.pem

Method 3:

1. First generate an RSA private key in /etc/pki/CA/ on the server:

[aaa@qq.com CA]# pwd;ls
/etc/pki/CA
certs  crl  index.txt  newcerts  private  serial
[aaa@qq.com CA]# cd private/
[aaa@qq.com private]# ls
[aaa@qq.com private]# (umask 077;openssl genrsa -out cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................++
.......................................................................................................................................................................................................++
e is 65537 (0x10001)
[aaa@qq.com private]# ll
total 4
-rw-------. 1 root root 3243 Jun  1 22:45 cakey.pem

2. Generate the self-signed certificate on the server

[aaa@qq.com CA]# pwd;ls
/etc/pki/CA
certs  crl  index.txt  newcerts  private  serial
[aaa@qq.com CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojihub.com
Email Address [aaa@qq.com]:
[aaa@qq.com CA]# ll
total 8
-rw-r--r--. 1 root root 2139 Jun  1 22:47 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  8  2019 certs
drwxr-xr-x. 2 root root    6 Aug  8  2019 crl
-rw-r--r--. 1 root root    0 Jun  1 22:44 index.txt
drwxr-xr-x. 2 root root    6 Jun  1 22:44 newcerts
drwxr-xr-x. 2 root root   23 Jun  1 22:45 private
-rw-r--r--. 1 root root    3 Jun  1 22:44 serial

② View the full contents of the self-signed certificate

[aaa@qq.com CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

[aaa@qq.com CA]# openssl x509 -in /etc/pki/koji/certs/kojiadmin.crt -noout -serial -subject
[aaa@qq.com CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9d:4a:2c:38:ae:35:f0:a3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=beijing, L=beijing, O=superred, OU=linux, CN=www.kojihub.com/aaa@qq.com
        Validity
            Not Before: Jun  2 02:47:33 2020 GMT
            Not After : Jun  2 02:47:33 2021 GMT
        Subject: C=cn, ST=beijing, L=beijing, O=superred, OU=linux, CN=kojihub.supered.com/aaa@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d8:a5:ea:05:34:11:75:fc:cd:89:87:2a:14:fa:
                    3c:0e:80:e4:95:02:bc:2a:77:41:f3:44:5b:20:5c:
                    6b:b3:f0:76:06:05:13:21:07:09:4c:f7:0e:27:2a:
                    15:d8:ec:c7:8d:30:2a:7a:ce:74:f9:b7:ff:22:ba:
                    1f:86:e1:05:ff:30:66:10:1d:eb:1f:45:ed:15:df:
                    15:bb:d8:f2:29:2d:4f:d0:32:3a:43:1c:38:87:0b:
                    e6:51:9b:b4:c1:10:b8:67:3c:fe:58:58:f9:55:e6:
                    5f:c5:85:71:92:ca:9b:b9:3a:f9:27:0b:9d:74:f6:
                    ad:9d:28:25:e1:ae:15:0f:8f:f6:f6:9a:ba:87:8b:
                    ab:69:ce:3e:eb:cf:68:51:2f:41:94:f3:16:e2:10:
                    6d:ae:eb:e5:0d:8d:55:04:1d:7b:7f:0d:c3:25:60:
                    58:10:5b:55:1a:ff:37:e6:c2:ea:bb:7b:fe:e7:1f:
                    a6:e8:63:d7:d2:aa:99:a1:e1:35:68:2b:02:70:8b:
                    52:1f:bd:87:dc:36:36:54:8d:58:3b:35:0c:9b:d3:
                    e6:cd:84:a1:2a:5d:a2:d2:ee:42:b2:ec:e5:9a:8a:
                    53:75:db:b1:b2:d8:09:69:09:9b:c4:c2:d5:8e:ce:
                    b4:5d:da:c3:c8:be:46:f6:df:f9:89:51:3e:09:1c:
                    80:61:d9:7d:9f:5a:4c:91:39:56:cf:e6:b9:57:54:
                    0b:f6:60:ce:23:2e:05:ee:85:2c:f2:fd:2e:23:2c:
                    69:5c:18:ab:89:e3:c2:21:1d:d8:34:6c:3e:ce:29:
                    67:c8:56:23:e2:ae:7f:46:cf:d1:1b:0b:4f:73:f2:
                    d1:44:e3:9d:50:ef:3c:83:68:72:78:2d:fd:cb:46:
                    7d:98:e3:4e:78:fe:6c:f8:d4:9e:28:d7:94:5c:1b:
                    a8:50:51:1d:70:a1:06:e5:8a:1b:7b:ae:01:2d:fe:
                    5f:2a:35:5f:04:af:46:b3:7f:3b:b4:fe:59:03:64:
                    d2:61:bb:e1:f9:e5:0d:70:61:09:2e:9e:fa:05:12:
                    40:fd:67:b8:c3:e1:f5:39:5a:4c:4c:e5:df:b2:a7:
                    e0:da:52:69:b6:32:80:cc:d9:33:de:14:b5:f0:24:
                    90:a2:4a:19:e8:c7:4d:00:d2:fa:9d:39:07:f0:d7:
                    73:52:55:c6:f6:3c:33:f1:e8:dc:a5:66:2a:da:e8:
                    8c:68:4a:91:c5:ea:05:14:ec:77:b3:b4:57:b6:c2:
                    93:ff:ef:55:3d:9f:ad:6e:12:c6:00:bc:07:e6:85:
                    36:8b:cc:af:77:cb:6f:e6:f3:7e:97:f6:db:b0:6a:
                    64:84:84:48:f2:8a:d2:b5:82:f2:7b:dc:d1:18:2e:
                    be:1c:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                2E:B4:54:9F:07:42:9A:EE:23:22:2C:AC:18:AD:5C:D2:B9:CD:2D:6E
            X509v3 Authority Key Identifier: 
                keyid:2E:B4:54:9F:07:42:9A:EE:23:22:2C:AC:18:AD:5C:D2:B9:CD:2D:6E

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         83:1a:c7:7a:a5:5c:b9:36:de:2f:a9:75:0d:d6:73:e3:0d:99:
         d6:c1:d7:8e:00:2a:23:3b:94:20:2f:12:25:6b:af:6d:88:68:
         34:7f:05:38:3f:e3:19:fe:78:e5:60:b6:f5:f0:a2:6a:27:b4:
         d6:1a:a5:53:d5:69:e7:40:e1:70:b6:6d:b4:88:a3:68:43:dc:
         14:76:90:f0:7b:52:a2:b4:8a:51:68:62:8c:ae:dd:fe:57:72:
         da:34:60:7a:31:86:3e:7f:da:27:72:c6:23:c8:3b:60:3a:41:
         a7:6c:cd:7a:40:ee:2f:af:4d:61:79:13:38:ef:e6:1f:63:e9:
         7c:32:ba:86:47:73:61:db:35:2c:8e:1e:98:f1:4a:3f:28:f0:
         71:2f:bc:c7:1f:ae:9a:b2:4c:35:93:f7:7a:78:31:7b:09:a6:
         34:4f:fe:9a:4a:c3:9a:05:4e:90:ef:1f:6a:c6:9e:68:27:8b:
         66:2f:28:55:3a:16:e5:7f:c3:b2:8a:3b:9d:f3:76:55:9e:90:
         6d:cc:ad:9b:3b:d6:7c:96:76:af:ae:21:6b:18:8d:ba:43:b1:
         a0:4f:9d:be:03:2c:6f:df:8d:d2:b0:b6:c3:1b:e8:cb:3b:31:
         a9:18:01:5a:6d:74:76:aa:0b:79:22:2e:61:f4:d6:2a:05:be:
         aa:aa:bc:d7:c8:ea:73:45:61:d5:79:7b:4a:8f:6d:87:4a:ad:
         ef:3b:85:d5:f7:96:48:ff:99:be:8e:6a:08:4e:ba:4b:b2:97:
         80:d0:c6:e0:56:c3:0f:2e:68:02:a8:cf:13:03:f5:92:22:a8:
         e8:8a:2e:5d:9a:a8:73:01:92:19:6d:1e:d7:91:d6:c5:4e:30:
         bf:76:80:22:ad:0d:f6:99:1e:7c:9d:4b:8b:f2:04:32:d5:f5:
         a7:5a:a7:14:49:53:49:48:d1:9e:4e:d1:14:27:92:af:cf:38:
         1e:45:08:fc:cf:a6:c3:87:ae:83:92:44:dc:92:46:13:86:f6:
         39:59:73:2c:1d:6a:0c:cc:12:1f:c3:41:6e:81:4c:61:37:02:
         0e:4c:2e:4e:94:63:ac:ff:36:c5:95:ad:a0:28:88:7a:28:1a:
         52:33:09:83:84:38:32:08:c0:9e:61:91:34:97:2c:3d:42:88:
         8c:5a:77:a8:db:6b:ca:c7:51:d9:4f:91:e6:48:f3:12:da:6f:
         48:89:79:83:db:31:05:fc:25:e3:5c:34:f1:f6:ab:72:2b:8e:
         62:c1:21:93:9a:3e:75:7a:70:39:db:48:54:d7:65:73:9d:f9:
         fa:a5:1c:30:c2:25:52:ba:03:4b:7c:42:44:fa:f3:ae:61:d1:
         06:ed:4e:e4:10:7b:8f:8e

③ View a summary of the self-signed certificate and check its validity period

[aaa@qq.com CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
[aaa@qq.com CA]# 

 

Perform the following on the client (CentOS 7.7).

Part 2: Setting up HTTPS with the certificate

1. Install httpd:
[aaa@qq.com ~]# yum -y install httpd
[aaa@qq.com ~]# vim /etc/httpd/conf/httpd.conf 
# change "#ServerName www.example.com:80" to "ServerName www.kojiweb.com:80"
[aaa@qq.com ~]# systemctl start httpd
2. The client generates a certificate request file

Generate a private key:

[aaa@qq.com ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key   # passphrase-protected
[aaa@qq.com ~]# openssl genrsa  -out /etc/httpd/conf.d/server.key        # no passphrase

Inspect the client private key

[aaa@qq.com conf.d]# ls
autoindex.conf  README  server.key  ssl.conf  userdir.conf  welcome.conf
[aaa@qq.com conf.d]# cat server.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,087E1B2B7A2E837A                           # these headers show the key is encrypted
...
-----END RSA PRIVATE KEY-----
[aaa@qq.com conf.d]

openssl rsa -in server.key -out server.key.unsecure removes the passphrase from the private key

Alternatively, do not set a passphrase when creating server.key, or generate the key and certificate directly with:

openssl req -new -x509 -nodes -out server.crt -keyout server.key

Generate the request file:

[aaa@qq.com conf.d]#  openssl req -config ssl.cnf -new -nodes -key /etc/httpd/conf.d/server.key -out certs/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:                    
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojiweb.com
Email Address [aaa@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the country, province, city and other details entered here must match those of the CA on the server.

3. Send the certificate request file to the CA server:

[aaa@qq.com conf.d]# scp certs/server.csr 10.10.3.161:~

4. This step runs on the CA server, not the client: the CA signs the request

[aaa@qq.com ~]# openssl ca -config ssl.cnf -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/server.csr -out /root/server.crt
or
[aaa@qq.com ~]# openssl ca -config ssl.cnf  -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out certs/server.crt -outdir certs -infiles certs/server.csr

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:   # enter the CA private key passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  2 03:06:47 2020 GMT
            Not After : Jun  2 03:06:47 2021 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = superred
            organizationalUnitName    = linux
            commonName                = www.kojiweb.com
            emailAddress              = aaa@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                12:B8:C9:28:90:68:A2:FB:33:59:49:58:F6:30:2E:96:A4:56:10:40
            X509v3 Authority Key Identifier: 
                keyid:64:C2:24:33:C7:CB:9E:36:CF:A2:75:2A:77:AB:6E:09:4D:C5:91:06

Certificate is to be certified until Jun  2 03:06:47 2021 GMT (365 days)
Sign the certificate? [y/n]:y   # y signs (registers) the certificate; the validity period is shown above

1 out of 1 certificate requests certified, commit? [y/n]y   # confirm
Write out database with 1 new entries
Data Base Updated

The CA signs here with its own private key, /etc/pki/CA/private/cakey.pem

5. The CA on the server side issues the certificate

Before issuing it, the CA encrypts it using its own public key.

scp server.crt 10.10.3.193:~

On the client, run: cat server.crt private/server.key > server.pem
The first half of server.pem is identical to the certs/01.pem generated automatically on the CA server; the CA-side 01.pem simply contains no private key.

The same steps in condensed form:

Run on the CA server (centos7.7-01):
cd /etc/pki/koji/
mkdir {certs,private,confs}
touch index.txt
echo 01 > serial
openssl genrsa -out private/koji_ca_cert.key 2048
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key \
-out koji_ca_cert.crt -extensions v3_ca


Run on the client that will use the CA:
caname=koji
user=server

openssl genrsa -out private/server.key 2048
openssl req  -config ssl.cnf -new -nodes -out certs/${user}.csr -key private/${user}.key
openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
    -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt private/${user}.key > ${user}.pem
mv ssl2.cnf confs/${user}-ssl.cnf
With the values substituted directly:
On the client, generate the private key: openssl genrsa -out private/server.key 2048
On the client, generate the request file: openssl req -config ssl.cnf -new -nodes -out certs/server.csr -key private/server.key
Copy the generated certs/server.csr to the CA server and, on the server, issue the client's certificate as follows:
openssl ca -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt \
    -out certs/server.crt -outdir certs -infiles certs/server.csr
Send server.crt back to the client, where certs/server.crt and private/server.key can be combined into a server.pem file:
cat certs/server.crt private/server.key > server.pem
Generate a PKCS12 user certificate (for web browser), i.e. the .p12 format browsers import:

openssl pkcs12 -export -inkey private/server.key -in certs/server.crt \
    -CAfile koji_ca_cert.crt -out certs/server_browser_cert.p12

Both the server-side koji_ca_cert.crt and the server.crt issued to the client have to be imported into the browser for this to work: one is the CA root certificate, the other the application certificate.
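Added example, not part of the original post: the script below builds a throw-away CA with the same openssl ca workflow, issues a certificate for www.kojiweb.com, and then runs the checks worth doing before the certificate is copied to the web server: the chain verifies against the CA certificate, the hostname the browser will match is present, and the issued certificate carries CA:FALSE (in the signing output above the end-entity certificate came out with CA:TRUE, which a server certificate should not have). The CA subject "Demo Koji CA", the working-directory layout and the subjectAltName are constructed for this demo and are not taken from the post.

```shell
#!/bin/sh
# Added example (not the post's own ssl.cnf): a minimal CA config built inline, the
# post's openssl ca flow, then the checks to run on the issued certificate.
set -eu

build_demo_pki() {                    # $1 = empty working directory
  W=$1; mkdir -p "$W/newcerts"; touch "$W/index.txt"; echo 01 > "$W/serial"
  cat > "$W/ssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $W/index.txt
new_certs_dir = $W/newcerts
serial = $W/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.kojiweb.com
EOF
  # CA key + self-signed CA certificate, -extensions v3_ca as in the post (constructed subject)
  openssl req -config "$W/ssl.cnf" -new -x509 -days 3650 -newkey rsa:2048 -nodes \
    -keyout "$W/ca.key" -out "$W/ca.crt" -subj "/CN=Demo Koji CA" -extensions v3_ca >/dev/null 2>&1
  # server key + CSR (the "client" side), then the CA signs it with the end-entity section
  openssl req -config "$W/ssl.cnf" -new -nodes -newkey rsa:2048 -keyout "$W/server.key" \
    -out "$W/server.csr" -subj "/CN=www.kojiweb.com" >/dev/null 2>&1
  openssl ca -config "$W/ssl.cnf" -batch -notext -keyfile "$W/ca.key" -cert "$W/ca.crt" \
    -extensions server_ext -in "$W/server.csr" -out "$W/server.crt" >/dev/null 2>&1
}
# Prints "ok" when the chain verifies for the expected hostname and the issued
# certificate is an end-entity certificate (CA:FALSE); otherwise prints the reason.
check_server_cert() {                 # $1 = directory filled by build_demo_pki
  W=$1
  openssl verify -CAfile "$W/ca.crt" -verify_hostname www.kojiweb.com "$W/server.crt" 2>&1 \
    | grep -q ': OK$' || { echo "chain/hostname verification failed"; return 1; }
  openssl x509 -in "$W/server.crt" -noout -text | grep -q 'CA:FALSE' \
    || { echo "issued certificate is marked as a CA"; return 1; }
  echo ok
}
D=$(mktemp -d); build_demo_pki "$D"; check_server_cert "$D"; rm -rf "$D"
```

Point -CAfile at koji_ca_cert.crt and the path at certs/server.crt to run the same two checks on the certificate issued above.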

 

Part 3: Using the certificate to implement HTTPS

SSL (Secure Socket Layer): a mechanism that provides key transport over the Internet. Its main goal is to guarantee the confidentiality and reliability of the data exchanged between two applications, using an encryption scheme that both the server side and the user side support. The mainstream versions today are SSLv2 and SSLv3 (commonly used).

The SSL four-step handshake for secure transport (encryption protocol: SSL 3.0 or TLS 1.0):

C -----------------------------------> S  1. Request a secure session and negotiate the algorithms

C <----------------------------------- S  2. The server sends its own server-side certificate to the client; the certificate contains the server's public key

C -----------------------------------> S  3. The client checks the client certificate against the CA root certificate stored in the browser; if it checks out, it decrypts with the public key in the CA root certificate and obtains the CA's public key. It then generates a symmetric encryption key, encrypts this key with the client's public key and sends it to the CA; from then on the symmetric key is used to encrypt the data

C <----------------------------------> S  4. The client decrypts with its private key and obtains the symmetric encryption key; the symmetric key is then used for secure and fast data transfer

1. Configure the HTTPS web server

yum -y install mod_ssl    # install the SSL module
cp ~/server.crt /etc/httpd/conf.d/    # copy the certificate
vim /etc/httpd/conf.d/ssl.conf
# SSLCertificateFile /etc/pki/tls/certs/localhost.crt    -> change the path to /etc/httpd/conf.d/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key    -> change the path to /etc/httpd/conf.d/server.key
[aaa@qq.com conf.d]# systemctl restart httpd
Enter SSL pass phrase for 10.10.3.193:443 (RSA) : ********

Test:

netstat -antup | grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      1634/httpd

Visit https://10.10.3.193

At this point the certificate is accepted, but it is not trusted.

That is because the Common Name entered earlier was the domain www.kojiweb.com. Note that this is the client's CN, not the CA server's CN (the CA server's CN is www.kojihub.com); in other words, the hosts entry must name the certificate's subject, not its issuer.

Edit the hosts file on the physical machine:

10.10.3.193 www.kojiweb.com

Visiting again by domain name should now be trusted:

https://www.kojiweb.com

===============================================

Works on both CentOS 6.x and CentOS 7.x. Tomcat is already running at this point, with the two applications on ports 8080 and 8082.
yum install openssl nginx -y

# generate an RSA private key
openssl genrsa -des3 -out server.key 2048    # prompts for a passphrase
or
openssl genrsa -out private/server.key 2048  # no passphrase

# des3 is the algorithm
# 2048 is the key length / strength
# server.key is the key file name
# -out: path and name of the generated file

openssl req -new -key server.key -out server.csr

# -key: specifies the CA private key
# -out: server.csr, the generated certificate request file
# you are asked to fill in the following information:

Country Name (2 letter code) []:cn                              // country
State or Province Name (full name) []:beijng                    // province
Locality Name (eg, city) []:beijing                             // city
Organization Name (eg, company) []:superred                     // organization
Organizational Unit Name (eg, section) []:linux                 // department
Common Name (eg, fully qualified host name) []:www.kojihub.com  // domain name
Email Address []:aaa@qq.com                                     // e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                        // certificate password; press Enter to set none

# two files are produced: server.key and server.csr

# generate the CA certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# x509: specifies the format
# -in: specifies the request file
# -signkey: self-sign
# one file, server.crt, is produced

[aaa@qq.com nginx]# openssl x509 -req -days 365 -in server.csr -signkey private/server.key -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
Getting Private key

 

 

cp server.key server.csr server.crt /etc/nginx

vim /etc/nginx/conf.d/default.conf

upstream xxxx_upstream {
    server 127.0.0.1:8082;
}

upstream yyyy_upstream {
    server 127.0.0.1:8080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name 你的域名;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    location /xxxx {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://xxxx_upstream/xxxx;
    }

    location /yyyy {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://yyyy_upstream/yyyy;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
    listen 443;
    server_name www.kojihub.com;   # must be the same domain as in server.csr
    ssl on;
    root /usr/share/nginx/html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;

    location /xxxx {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://xxxx_upstream/xxxx;
    }

    location /yyyy {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://yyyy_upstream/yyyy;
    }
}

Note: replace xxxx and yyyy in the configuration above with your own paths; when copying and pasting, re-align the indentation yourself.
nginx -t

systemctl start nginx

 

Copy server.crt to the Windows 10 machine and double-click it to install it.

Or press Ctrl+R and run:

certmgr.msc

Trusted Root Certification Authorities -> Certificates -> Action -> All Tasks -> Import -> Next -> browse to the .crt root certificate file -> choose the second option, "Place all certificates in the following store" (select Trusted Root Certification Authorities) -> Next -> Finish

# https://www.kojihub.com can now be used

1) Windows 10's browser: no problem;

2) Chrome 83.0.4103.61: does not work, still not trusted;

3) Firefox 76.0.1 (64-bit): does not work either.