https 加密通信实现示例
本实验需要CA主机以及客户机,采用自签的方式对客户机授权。
在CA主机上生成证书
- 生成CA的私钥
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
自签CA证书:
【注意】
生成CA证书==要加 ” -x509 ” 选项==
==除了”Organizational Unit Name”一项可以完全不同,”Common Name”一项的主机名可以不同(一级域和二级域都必须相同)之外,其他所有项目填写的内容与客户机的内容要严格一致。==
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
# 按要求填写CA信息
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:achudk.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.achudk.com
Email Address []:
==3. 创建索引文件和序列号文件==
- 注意:serial中的格式必须是01,不能为1
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
在客户机上向CA发出签署请求
- 生成客户机私钥
(umask 077;openssl genrsa -out nginx.pem 1024)
生成签署请求文件,等待CA签署
【注意】
此处填写的 ” Common Name ” 的内容即为将来要加密访问的网址
生成请求==不加 ” -x509 ” 选项==
如果不加 ” –days ” 选项,默认为365天
openssl req -new -key nginx.pem -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:achudk.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:nginx.achudk.com
Email Address []:
A challenge password []:
An optional company name []:
在CA主机上签署客户机的请求,授权证书并颁发
openssl ca -in nginx.csr -out nginx.crt -days 365
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = achudk.com
organizationalUnitName = devops
commonName = nginx.achudk.com
将签署好的证书返还给客户机,查看证书内容
openssl x509 -in /etc/pki/CA/certs/nginx.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=BJ/O=achudk.com/OU=devops/CN=nginx.achudk.com