https 加密通信實現示例
本實驗需要CA主機以及客戶機,採用自籤的方式對客戶機授權。
在CA主機上生成證書
- 生成CA的私鑰
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
自籤CA證書:
【注意】
生成CA證書==要加 ” -x509 ” 選項==
==除了”Organizational Unit Name”一項可以完全不同,”Common Name”一項的主機名可以不同(一級域和二級域都必須相同)之外,其他所有項目填寫的內容與客戶機的內容要嚴格一致。==
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
# 按要求填寫CA信息
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:achudk.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.achudk.com
Email Address []:
==3. 創建索引文件和序列號文件==
- 注意:serial中的格式必須是01,不能爲1
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
在客戶機上向CA發出簽署請求
- 生成客戶機私鑰
(umask 077;openssl genrsa -out nginx.pem 1024)
生成簽署請求文件,等待CA簽署
【注意】
此處填寫的 ” Common Name ” 的內容即爲將來要加密訪問的網址
生成請求==不加 ” -x509 ” 選項==
如果不加 ” –days ” 選項,默認爲365天
openssl req -new -key nginx.pem -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:achudk.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:nginx.achudk.com
Email Address []:
A challenge password []:
An optional company name []:
在CA主機上籤署客戶機的請求,授權證書並頒發
openssl ca -in nginx.csr -out nginx.crt -days 365
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = achudk.com
organizationalUnitName = devops
commonName = nginx.achudk.com
將簽署好的證書返還給客戶機,查看證書內容
openssl x509 -in /etc/pki/CA/certs/nginx.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=BJ/O=achudk.com/OU=devops/CN=nginx.achudk.com