Setting up an SSL network

I searched through a lot of related material online and finally found that this article really solved the problem that had troubled me for days. Saved here as a reminder.

Author information:

Alin Fang (Fang Yunlin)

MSN: cst05001@hotmail.com

G Talk: cst05001@gmail.com

Blog: http://www.alinblog.cn/

Revision date:

10 Nov, 2008

Revision 1

Copyright:

GNU

Disclaimer:

These are my own lab notes, not an authoritative document. Please let me know if you find any errors. Many thanks!

Special note:

This lab is carried out entirely with the scripts shipped in the relevant RHEL5 RPM packages. All openssl operations are performed by those scripts; no manual intervention is needed.

Lab environment:

OS: Red Hat Enterprise Linux 5 update 2

hostname: ca.alin
ip: 192.168.8.3
acts as the HTTPS certification server (the CA)

hostname: server.alin
ip: 192.168.8.4
acts as the HTTPS web server

hostname: client.alin
ip: 192.168.8.5
accesses server.alin through a browser

This is the hosts file configuration on all of the machines:

127.0.0.1 localhost.localdomain localhost
192.168.8.3 ca.alin
192.168.8.4 server.alin

Lab steps

Operations on ca.alin

[root@localhost ~]# yum install -y httpd mod_ssl

[root@localhost pki]# pwd

/etc/pki

[root@localhost pki]# tree
.
|-- CA
|   `-- private
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

8 directories, 22 files
[root@localhost pki]#

Everything needed for the CA and for HTTPS is already in here.

Create the key pair and the self-signed CA certificate

[root@localhost misc]# ./CA -?
usage: CA -newcert|-newreq|-newca|-sign|-verify
[root@localhost misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
mkdir: cannot create directory `../../CA/private': File exists
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:ca.alin
Email Address []:cst05001@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Nov  9 21:24:00 2008 GMT
            Not After : Nov  9 21:24:00 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = Red Hat
            organizationalUnitName    = GSS
            commonName                = ca.alin
            emailAddress              = cst05001@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
            X509v3 Authority Key Identifier:
                keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

Certificate is to be certified until Nov  9 21:24:00 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#

As you can see, some new files have appeared under the /etc/pki/CA directory.

[root@localhost misc]# tree /etc/pki/
/etc/pki/
|-- CA
|   |-- cacert.pem
|   |-- careq.pem
|   |-- certs
|   |-- crl
|   |-- index.txt
|   |-- index.txt.attr
|   |-- index.txt.old
|   |-- newcerts
|   |   `-- 00.pem
|   |-- private
|   |   `-- cakey.pem
|   |-- serial
|   `-- serial.old
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

11 directories, 31 files
[root@localhost misc]#

Operations on server.alin

[root@localhost ~]# yum install -y httpd mod_ssl

Create the private key needed for HTTPS

[root@localhost ~]# cd /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile

[root@localhost certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
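The following is an added example, not the original author's commands: it carries the same workflow through with plain openssl commands instead of the RHEL5 CA script and Makefile (CA key and self-signed CA certificate, server key and CSR, signing the CSR with the CA) and then runs the checks a practitioner wants before handing the certificate to mod_ssl. Note that the ./CA -newca transcript above issued the CA certificate with Basic Constraints CA:FALSE, which strict validators reject as an issuer, so the script checks for CA:TRUE explicitly. It assumes only that the openssl binary is installed; the hostnames and the CA's DN are those of the post, and output goes to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's CA and server
# certificate workflow done with plain openssl commands, plus the checks to
# run before trusting the result. Assumes only the openssl binary; hostnames
# (ca.alin, server.alin) and the CA's DN follow the post.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Extension profiles: CA needs basicConstraints CA:TRUE; server cert gets CA:FALSE + SAN.
write_ext_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.alin
EOF
}
# ca.alin: CA key and self-signed CA certificate (the "./CA -newca" step).
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1095 -key "$WORK/cakey.pem" \
        -subj "/C=CN/ST=BJ/L=BJ/O=Red Hat/OU=GSS/CN=ca.alin" \
        -config "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/cacert.pem"
}
# server.alin: key and CSR ("make server.key" / "make server.csr"); the CSR is then
# signed on ca.alin and the resulting server.crt is what mod_ssl will serve.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -subj "/CN=server.alin" \
        -config "$WORK/ext.cnf" -out "$WORK/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/ext.cnf" \
        -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}
# Checks: the CA cert really is a CA (the transcript above shows CA:FALSE), server.crt
# chains to it, and a self-signed cert the CA never signed is rejected by verification.
ca_is_ca() { openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
chain_verifies() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1; }
foreign_cert_rejected() {
    openssl req -new -x509 -days 1 -key "$WORK/server.key" -subj "/CN=server.alin" \
        -config "$WORK/ext.cnf" -out "$WORK/other.crt" 2>/dev/null
    ! openssl verify -CAfile "$WORK/cacert.pem" "$WORK/other.crt" >/dev/null 2>&1
}
run_checks() { ca_is_ca && chain_verifies && foreign_cert_rejected; }
write_ext_config; make_ca; make_server_cert; run_checks
echo "CA, server certificate and checks OK in $WORK"
```

On the client, importing cacert.pem as a trusted authority is what makes the browser accept server.crt; the same openssl verify call shows in advance whether that import will succeed.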
