云南网站开发公司介绍,wordpress面板中文,营销网站的建设,国外网站注册软件当使用ssl/tls进行加密通信时#xff0c;必须要有数字证书。若通信只限制在局域网内#xff0c;可以不向第三方机构申请签发证书#xff0c;可以通过openssl模拟CA(Certificate Authority)#xff0c;并通过该CA签发证书。下文讲述在Centos7.3上使用openssl工具签发证书的具… 当使用ssl/tls进行加密通信时必须要有数字证书。若通信只限制在局域网内可以不向第三方机构申请签发证书可以通过openssl模拟CA(Certificate Authority)并通过该CA签发证书。下文讲述在Centos7.3上使用openssl工具签发证书的具体步骤。 1 生成模拟CA
1.1 修改配置文件/etc/pki/tls/openssl.cnf
打开openssl的配置文件/etc/pki/tls/openssl.cnf修改CA机构的默认信息具体修改内容如下
[ req_distinguished_name ]
countryName Country Name (2 letter code)
countryName_default CN
countryName_min 2
countryName_max 2stateOrProvinceName State or Province Name (full name)
stateOrProvinceName_default JangSulocalityName Locality Name (eg, city)
localityName_default NanJing0.organizationName Organization Name (eg, company)
0.organizationName_default ZTE# we can do this but it is not needed normally :-)
#1.organizationName Second Organization Name (eg, company)
#1.organizationName_default World Wide Web Pty LtdorganizationalUnitName Organizational Unit Name (eg, section)
organizationalUnitName_default TechcommonName Common Name (eg, your name or your server\s hostname)
commonName_max 64emailAddress Email Address
emailAddress_max 64123456789101112131415161718192021222324252627
配置项说明
countryName_default 默认的国家名称简写这里配置为CNstateOrProvinceName_default默认的省份名这里配置为JangSlocalityName_default默认的城市名称这里配置为NanJing0.organizationName_default默认的组织名称这里配置为ZTEorganizationalUnitName_default默认的部门名称这里配置为Tech
1.2 生成CA自签证书
生成CA的私钥
(umask 077; openssl genrsa -out private/cakey.pem 2048)1
[rootlocalhost CA]# pwd
/etc/pki/CA[rootlocalhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................
..........
e is 65537 (0x10001)12345678
生成自签证书
openssl req -new -x509 -key private/cakey.pem -out cacert.pem 1
[rootlocalhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your servers hostname) []:ca.xiaojie.com
Email Address []:xiaojie163.com[rootlocalhost CA]# ls private
cacert.pem cakey.pem123456789101112131415161718
cakey.pem为CA的私钥cacert.pem为CA的自签证书
查看签发证书中的内容
openssl x509 -text -in cacert.pem 1
[rootlocalhost CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:Version: 3 (0x2)Serial Number: 13441978108521887108 (0xba8b7fdefd063584)
Signature Algorithm: sha256WithRSAEncryptionIssuer: CCN, STJS, LNanJing, OZTE, OUTech, CNca.xiaojie.com/emailAddresscaxiaojie163.comValidityNot Before: Jun 2 03:30:22 2018 GMTNot After : Jun 2 03:30:22 2019 GMTSubject: CCN, STJS, LNanJing, OZtesoft, OUTech, CNca.xiaojie.com/emailAddresscaxiaojie163.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:d2:ce:94:8e:26:52:bd:6e:7d:54:31:02:20:57:01:81:1b:fc:24:3b:b1:e8:f1:4c:5d:e2:49:d8:5f:5c:5e:02:89:76:29:f5:8d:33:17:98:06:80:06:ee:37:dd:87:47:0d:f1:56:f0:cb:5e:5a:30:dc:31:46:5a:cb:74:4c:76:8c:58:0b:bd:85:ff:15:16:67:64:99:dd:53:3b:d0:6b:23:e3:35:3d:56:4a:ea:5d:89:ab:f3:dc:75:ee:b6:5e:71:c6:f9:f6:ae:53:72:ba:41:b4:06:0d:4f:80:1c:83:ab:5b:68:4f:78:eb:aa:c0:f2:af:c4:b5:ac:f2:e8:f5Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier: 3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0BX509v3 Authority Key Identifier: keyid:3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0BX509v3 Basic Constraints: CA:TRUE
Signature Algorithm: sha256WithRSAEncryptionbe:5a:44:22:98:bb:cc:8a:15:32:ef:7c:ef:cb:2d:0f:6e:95:42:f4:1f:54:23:40:02:63:7e:52:e3:97:2d:e2:77:fb:20:3b:b3:b4:9f:b5:d7:01:05:5f:c2:9d:a9:2d:e8:93:48:33:ed:4c:8a:3c:e2:a0:f1:d3:9e:b0:37:af:4a:75:aa:4a:42:3c:4e:a6:c7:07:dc:98:75:84:3a:fe:8a:65:ab:4b:39:29:02:57:5b:30:eb:1f:26:13:cc:65:39:65:83:47:cc:e6:da:89:9d:61:3c:57:65:66:1d:c6:06:cb:b5:da:ae:4c:22:d0:f0:4d:ed:4c:4e:f9:ea:d8123456789101112131415161718192021222324252627282930313233343536373839404142
创建公共目录
[rootlocalhost CA]# mkdir certs crl newcerts private
[rootlocalhost CA]# touch index.txt
[rootlocalhost CA]# touch serial
[rootlocalhost CA]# echo 01 serial
[rootlocalhost CA]# ls
certs crl index.txt newcerts private serial123456
privateCA的私钥newcerts 保存CA新签发的证书crl 被吊销的证书列表index.txt保存签发的证书信息serial保存证书签发的序列号
2. 机构A请求CA签发证书
生成机构A的私钥
(umask 077; openssl genrsa -out httpd.key 1024)1
生成证书签发请求
openssl req -new -key httpd.key -out httpd.csr1
[rootlocalhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your servers hostname) []:www.xiaojie.com
Email Address []:xiaojie123.comPlease enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[rootlocalhost ssl]# ls
httpd.csr httpd.key12345678910111213141516171819202122
将httpd.csr发送给CACA根据httpd.csr签发证书
openssl ca -in httpd.csr -out httpd.crt -days 3651
-in指定证书签发请求文件-out, 指定生成的证书文件-days, 指定证书的有效期
[rootlocalhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Jun 2 04:07:48 2018 GMTNot After : Jun 2 04:07:48 2019 GMTSubject:countryName CNstateOrProvinceName JangSuorganizationName ZtesoftorganizationalUnitName TechcommonName www.xiaojie.comemailAddress xiaojie123.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 3F:8F:5F:80:F1:C4:77:0A:2E:4D:9C:75:16:FC:8B:6E:77:EF:6A:35X509v3 Authority Key Identifier: keyid:75:D5:93:C0:53:3F:B1:DE:90:E0:9A:CC:92:BE:EF:F0:38:F4:20:C8Certificate is to be certified until Jun 2 04:07:48 2019 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated123456789101112131415161718192021222324252627282930313233
httpd.crt 就是签发的证书可以直接使用httpd.crt证书了。
3. 在httpd中使用证书
安装mod_ssl模块
yum install mod_ssl1
配置/etc/httpd/conf.d/ssl.conf
修改DocumentRoot DocumentRoot “/work/www/html”【网站的目录】修改ServerName ServerName www.YOUR_DOMAIN:443【域名443端口】配置SSLCertificateFile 即CA证书文件httpd.crtSSLCertificateFile /etc/ssl/certs/httpd.crt配置SSLCertificateKeyFile, 即私钥文件httpd.key SSLCertificateKeyFile /etc/ssl/private/httpd.key配置 SSLCertificateChainFile,证书信任链也就是根证书 这里配置的就是CA的证书。SSLCertificateChainFile /etc/ssl/certs/cacert.pem
参考
Centos7.3 使httpd支持https对称加密、单向加密和非对称加密 文章转载自: http://www.morning.qnqt.cn.gov.cn.qnqt.cn http://www.morning.wbxbj.cn.gov.cn.wbxbj.cn http://www.morning.tbhf.cn.gov.cn.tbhf.cn http://www.morning.xqmd.cn.gov.cn.xqmd.cn http://www.morning.jrgxx.cn.gov.cn.jrgxx.cn http://www.morning.dbylp.cn.gov.cn.dbylp.cn http://www.morning.tkqzr.cn.gov.cn.tkqzr.cn http://www.morning.trzzm.cn.gov.cn.trzzm.cn http://www.morning.pclgj.cn.gov.cn.pclgj.cn http://www.morning.psgbk.cn.gov.cn.psgbk.cn http://www.morning.ppdr.cn.gov.cn.ppdr.cn http://www.morning.kjksn.cn.gov.cn.kjksn.cn http://www.morning.rszyf.cn.gov.cn.rszyf.cn http://www.morning.cwrpd.cn.gov.cn.cwrpd.cn http://www.morning.xgkxy.cn.gov.cn.xgkxy.cn http://www.morning.byywt.cn.gov.cn.byywt.cn http://www.morning.rdlong.com.gov.cn.rdlong.com http://www.morning.zlgr.cn.gov.cn.zlgr.cn http://www.morning.wrysm.cn.gov.cn.wrysm.cn http://www.morning.pzrnf.cn.gov.cn.pzrnf.cn http://www.morning.gsrh.cn.gov.cn.gsrh.cn http://www.morning.btjyp.cn.gov.cn.btjyp.cn http://www.morning.lfqtp.cn.gov.cn.lfqtp.cn http://www.morning.ltffk.cn.gov.cn.ltffk.cn http://www.morning.cfybl.cn.gov.cn.cfybl.cn http://www.morning.dwwlg.cn.gov.cn.dwwlg.cn http://www.morning.wqfrd.cn.gov.cn.wqfrd.cn http://www.morning.ddfp.cn.gov.cn.ddfp.cn http://www.morning.bxqpl.cn.gov.cn.bxqpl.cn http://www.morning.kdbbm.cn.gov.cn.kdbbm.cn http://www.morning.kaakyy.com.gov.cn.kaakyy.com http://www.morning.kpcxj.cn.gov.cn.kpcxj.cn http://www.morning.lfqtp.cn.gov.cn.lfqtp.cn http://www.morning.bxfy.cn.gov.cn.bxfy.cn http://www.morning.pcngq.cn.gov.cn.pcngq.cn http://www.morning.fjlsfs.com.gov.cn.fjlsfs.com http://www.morning.jkcpl.cn.gov.cn.jkcpl.cn http://www.morning.tongweishi.cn.gov.cn.tongweishi.cn http://www.morning.jiuyungps.com.gov.cn.jiuyungps.com http://www.morning.kdrly.cn.gov.cn.kdrly.cn http://www.morning.hlmkx.cn.gov.cn.hlmkx.cn http://www.morning.mmsf.cn.gov.cn.mmsf.cn http://www.morning.sxlrg.cn.gov.cn.sxlrg.cn http://www.morning.jgmdr.cn.gov.cn.jgmdr.cn http://www.morning.twdkt.cn.gov.cn.twdkt.cn http://www.morning.sbjbs.cn.gov.cn.sbjbs.cn http://www.morning.fwllb.cn.gov.cn.fwllb.cn http://www.morning.ygztf.cn.gov.cn.ygztf.cn http://www.morning.hmqmm.cn.gov.cn.hmqmm.cn http://www.morning.zqfz.cn.gov.cn.zqfz.cn http://www.morning.zqcdl.cn.gov.cn.zqcdl.cn http://www.morning.kgnnc.cn.gov.cn.kgnnc.cn http://www.morning.bytgy.com.gov.cn.bytgy.com http://www.morning.nrrzw.cn.gov.cn.nrrzw.cn http://www.morning.nlygm.cn.gov.cn.nlygm.cn http://www.morning.ntdzjx.com.gov.cn.ntdzjx.com http://www.morning.qzpkr.cn.gov.cn.qzpkr.cn http://www.morning.bntgy.cn.gov.cn.bntgy.cn http://www.morning.cwkcq.cn.gov.cn.cwkcq.cn http://www.morning.fnxzk.cn.gov.cn.fnxzk.cn http://www.morning.wklmj.cn.gov.cn.wklmj.cn http://www.morning.sgbjh.cn.gov.cn.sgbjh.cn http://www.morning.dhnqt.cn.gov.cn.dhnqt.cn http://www.morning.jwskq.cn.gov.cn.jwskq.cn http://www.morning.roymf.cn.gov.cn.roymf.cn http://www.morning.21r000.cn.gov.cn.21r000.cn http://www.morning.ztdlp.cn.gov.cn.ztdlp.cn http://www.morning.gwxwl.cn.gov.cn.gwxwl.cn http://www.morning.ydyjf.cn.gov.cn.ydyjf.cn http://www.morning.jjhng.cn.gov.cn.jjhng.cn http://www.morning.cwnqd.cn.gov.cn.cwnqd.cn http://www.morning.zdbfl.cn.gov.cn.zdbfl.cn http://www.morning.qzsmz.cn.gov.cn.qzsmz.cn http://www.morning.cfpq.cn.gov.cn.cfpq.cn http://www.morning.stxg.cn.gov.cn.stxg.cn http://www.morning.rxfgh.cn.gov.cn.rxfgh.cn http://www.morning.sfsjh.cn.gov.cn.sfsjh.cn http://www.morning.rbknf.cn.gov.cn.rbknf.cn http://www.morning.mnqg.cn.gov.cn.mnqg.cn http://www.morning.wdpt.cn.gov.cn.wdpt.cn
