CA服务器的简单搭建
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CA服务器的简单搭建相关的知识,希望对你有一定的参考价值。
CA服务器的简单搭建
一、简单介绍
CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
二、环境描述
ip:192.168.151.204 # cat /etc/redhat-release CentOS release 6.7 (Final) # uname -i x86_64
三、所需软件
openssl openssl-devel # yum install openssl openssl-devel -y
四、安装过程
1、
cd /etc/pki/CA
#如果没有 certs crl(过期证书) newcerts目录请创建
# mkdir {certs,crl,newcerts}
2、创建两个空文件,索引文件和序列号文件
# touch index.txt # touch serial # vim /etc/hosts 192.168.151.204 ca.10fei3.top
3、创建根证书
# echo 01 > serial (第一次创建根证书需此命令)
生成证书所使用的RSA秘钥,保存到private目录下
# openssl genrsa 1024 > private/hunk-ca.key
利用hunk-ca.key生成自签名的电子证书
# cat private/hunk-ca.key -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDSUxptT8nWMmKunlO+b5dlTPKAEFjevnT3T4w1dScOBCWQ4rv6 sWcLXIgKn8nhn3hW5PuYaOCd7n9zLuqvsK/o5u/gE4njhsDw1xLi1JNvftPm8YKn 9K0qQqz76nl7y0RBgGxfB+a4jgfb27OII2Oj1+B66pYvanIoRU3FWHQtcQIDAQAB AoGAHwliYfUfPLuMsmXsx7Jh7fHv6xP+eUgzrHcRoqXaEIhuHrZGtRTOtu99p8uy l9fXg0MhGXmIg+W46v9mZGy3WGuCVtmEvI/sI39pV0mTLYz+BhayOOX/YkOrW1+D Pu6GJ6yNv+OQS8psUE8b1XYg854iumsHYlvRppn1Ok+bmq0CQQDz235ONq50po2v kx7/IRKf1iqaFMykPrDfWPgxfMnyWNqjGoM3+jfvakL+RL2GZB6OVUoL8G20Vu0W axFblZybAkEA3Mwo6kNL0XgVSfEl1MySfx/13sQ98Fx3j2LB+OykP1VHt0vdUBCF GcFkkuMQIHfWaxK70mWN9JPSShNgPPvw4wJBAIVCv4UycKeilO8LsPavNiROvz0w fJyM/c8wKYGxthJP6DsVs/uVK5gUM8QMAJ4+fEw/45UesHTKxAlqPTQVUF0CQFRF I5SNjMFs2Is5G5xFW+BjHV8hfRZg5Ez4f1n3T5TQgqelr9kgBPzYf/9D5GLP+ikx pDfgBLcFOCyHiqKb8csCQB6+A/SracoSaIcBu5NEikpFpf068y785FM2qbo/nBBP /M8QAgfEbrmOXaBCmMleexmyLmyCNqEBG8Gb6vvLd1I= -----END RSA PRIVATE KEY----- [[email protected] CA]# openssl req -new -x509 -key private/hunk-ca.key -days 365 -out hunk-ca.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:etnet Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server‘s hostname) []:ca.10fei3.top Email Address []:hunkz.gmail.com
4、修改openssl.conf
[[email protected] CA]# cd ../tls/ [[email protected] tls]# vim openssl.cnf [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to ‘no‘ to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. #certificate = $dir/cacert.pem # The CA certificate certificate = $dir/hunk-ca.crt # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/hunk-ca.key# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert [ policy_match ] countryName = optional stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
5.dovecot 生成证书请求
[[email protected] tmp]# openssl genrsa 1024 > dovecot.key Generating RSA private key, 1024 bit long modulus .............++++++ .......++++++ e is 65537 (0x10001) [[email protected] tmp]# openssl req -key dovecot.key -out dovecot.csr ^C [[email protected] tmp]# openssl req -new -key dovecot.key -out dovecot.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:etnet Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server‘s hostname) []:www.abc.com Email Address []:[email protected] Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
6.签名证书
[[email protected] tmp]# openssl ca -in dovecot.csr -out dovecot.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 23 03:29:48 2016 GMT Not After : Jun 23 03:29:48 2017 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = etnet organizationalUnitName = IT commonName = www.abc.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 9D:1D:A6:54:5A:A9:55:1A:10:1A:CA:8E:AF:A9:00:82:44:1E:A2:E9 X509v3 Authority Key Identifier: keyid:A6:85:80:4E:AE:B7:E6:DE:EA:35:88:63:2D:8A:AB:4E:FD:09:D8:3F Certificate is to be certified until Jun 23 03:29:48 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
7、有用的文件
dovecot.crt dovecot.key
8、用mutt测试证书
# mutt -f pops://[email protected]@mail.10fei3.top q:退出 ?:帮助 此证书属于: www.abc.com [email protected] etnet IT Shanghai CN 此证书发布自: ca.10fei3.top hunkz.gmail.com etnet IT Shanghai Shanghai CN 此证书有效 来自 Thu, 23 Jun 2016 03:29:48 UTC 发往 Fri, 23 Jun 2017 03:29:48 UTC SHA1 指纹:ACEC 40BC 4101 4E3A 7FB1 D1E0 23C5 7200 5BE9 994E MD5 指纹:FF9F 4BE0 BB97 CEBF 499B CE5D D4D6 F95D 警告:服务器主机名与证书不匹配 -- Mutt: SSL 证书检查 (检查链中有 1 个证书,共 1 个) 拒绝(r),接受一次(o),总是接受(a)
五、文章小结
1. ca.10fei3.top 要能解析到,不然可能有问题。 2. 本文生成ca证书是为了搭建安全的邮件收件服务器。经测试可以访问。
以上是关于CA服务器的简单搭建的主要内容,如果未能解决你的问题,请参考以下文章