18.1 CA certification process
18.2 Hands-on: building a CA certification center
18.3 Hands-on: setting up HTTPS with a certificate
Note: the CA plays the role of the Public Security Bureau (the authority that issues ID cards).
Functions of the certification center (CA): certificate issuance, certificate renewal, certificate revocation and certificate verification.
Purpose of a CA certificate: identity authentication and non-repudiation of data.
HTTPS listens on port 443.
Digital certificate authentication process:
Compare it with getting an ID card: you take your household register to the local police station » the certificate is issued and the station collects it on your behalf.
18.2 Hands-on: building a CA certification center
18.2.1 Install the CA certification center
1) Check which package provides openssl:
[root@xuegod1 ~]# rpm -qf `which openssl`
openssl-1.0.2k-19.el7.x86_64
2) Configure your own CA certification center and generate the CA's root certificate and private key.
Edit the configuration file:
[root@xuegod1 ~]# vim /etc/pki/tls/openssl.cnf
18.2.3 Generate the CA's public-key certificate and private key
[root@xuegod1 ~]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
-newcert        new certificate
-newreq         new certificate request
-newreq-nodes   new request whose private key is not encrypted (nodes = no DES passphrase)
-newca          new CA certificate
-sign           sign a certificate request
-verify         verify a certificate
[root@xuegod1 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...        <- just press Enter here
Generating a 2048 bit RSA private key
......................................................+++
......+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'        <- enter the password 123456
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN        <- country
State or Province Name (full name) []:beijing        <- province
Locality Name (eg, city) [Default City]:haidian        <- locality
Organization Name (eg, company) [Default Company Ltd]:xuegod        <- company name
Organizational Unit Name (eg, section) []:IT        <- department
Common Name (eg, your name or your server's hostname) []:xuegod1        <- hostname
Email Address []:1@163.com        <- e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        <- press Enter
An optional company name []:        <- press Enter
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:        <- enter the password set above
Check that the request matches the signature
Signature ok
The CA certification center is now set up.
18.2.4 Inspect the generated CA root certificate; the root certificate contains the CA's public key
[root@xuegod1 ~]# vim /etc/pki/CA/cacert.pem        <- public key (certificate)
Private key:
[root@xuegod1 ~]# vim /etc/pki/CA/private/cakey.pem
18.3 Hands-on: setting up HTTPS with a certificate
Steps to install and configure HTTPS for httpd on xuegod2:
1) Install httpd on xuegod2
2) xuegod2 generates a certificate request file and sends it to the CA (xuegod1) for signing; xuegod1 issues the certificate back to xuegod2
3) Combine the certificate with httpd to serve HTTPS
4) Test the HTTPS result
1) Install httpd:
yum install -y httpd
vim /etc/httpd/conf/httpd.conf
Change ServerName to:
ServerName 192.168.24.62:80
2) Start it: systemctl start httpd
18.3.2 xuegod2 generates a certificate request file and obtains a certificate
[root@xuegod2 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:        <- enter the password 123456; -des3 is the cipher used to protect the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:        <- enter the password again
Note: the public key can be derived from the private key, but the private key cannot be derived from the public key; the public key is generated from the private key.
18.3.3 Generate the certificate request file
[root@xuegod2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod2
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        <- just press Enter
An optional company name []:        <- just press Enter
Basic fact: the public key can be derived from the private key, but the private key cannot be derived from the public key.
18.3.4 Send the certificate request file to the CA server
[root@xuegod2 ~]# scp /server.csr 192.168.24.68:/tmp/
root@192.168.24.68's password:
server.csr
18.3.5 Sign the certificate request (on the CA server, 192.168.24.68)
openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
[root@xuegod1 ~]# scp /server.crt 192.168.24.62:/
The authenticity of host '192.168.24.62 (192.168.24.62)' can't be established.
ECDSA key fingerprint is SHA256:KCQGkofX/06SKU9fF3O3RyYIiT/kqph9EUuCMg7JeY0.
ECDSA key fingerprint is MD5:d4:92:5b:85:3c:31:dc:69:ae:bb:f2:63:35:13:64:60.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.24.62' (ECDSA) to the list of known hosts.
root@192.168.24.62's password:
server.crt
Install mod_ssl on xuegod2:
yum -y install mod_ssl
Copy the certificate:
[root@xuegod2 ~]# cp /server.crt /etc/httpd/conf.d/
[root@xuegod2 ~]#
[root@xuegod2 ~]# vim /etc/httpd/conf.d/ssl.conf
[root@xuegod2 ~]# systemctl start httpd
Enter SSL pass phrase for 192.168.24.62:443 (RSA) : ******        <- enter the passphrase protecting the private key
The listening port is 443.
Test in a browser:
Open https://192.168.24.62
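The whole flow of sections 18.2 and 18.3 as one unattended script, added here as an example (not the course's own commands), together with the checks worth running before pointing ssl.conf at the files. It assumes openssl is on PATH and takes the host names and the address 192.168.24.62 from the notes; `openssl req -x509` and `openssl x509 -req` stand in for the interactive `CA -newca` and `openssl ca` steps, and the keys are left without a passphrase so nothing prompts.

```bash
#!/usr/bin/env bash
# Added example, not the course's own commands: the notes' CA -> CSR -> signed
# certificate flow run unattended, then the checks to do before editing
# ssl.conf. Assumes openssl is on PATH; host names and 192.168.24.62 come from
# the notes; keys are written without a passphrase (the notes use -des3).
set -eu

# Build a CA and a server certificate under directory $1. Returns 0 only when
# server.crt chains to cacert.pem and its public key matches server.key.
build_and_verify() {
    local d="$1"
    mkdir -p "$d"

    # 18.2.3: CA key and self-signed root certificate (the notes do this
    # interactively with /etc/pki/tls/misc/CA -newca).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=haidian/O=xuegod/OU=IT/CN=xuegod1" 2>/dev/null

    # 18.3.2 / 18.3.3: server key and certificate signing request.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=CN/ST=beijing/L=haidian/O=xuegod/OU=IT/CN=xuegod2"

    # 18.3.5: the CA signs the request. `openssl x509 -req` stands in for the
    # notes' `openssl ca`, which needs the /etc/pki/CA index and serial files.
    # A subjectAltName is added: browsers ignore CN, and the notes open the
    # site by IP (https://192.168.24.62), so CN=xuegod2 alone would not match.
    printf 'subjectAltName=DNS:xuegod2,IP:192.168.24.62\n' > "$d/san.cnf"
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -extfile "$d/san.cnf" -out "$d/server.crt" 2>/dev/null

    # Check 1: the chain a browser that trusts cacert.pem would build.
    openssl verify -CAfile "$d/cacert.pem" "$d/server.crt" >/dev/null || return 1

    # Check 2: SSLCertificateFile and SSLCertificateKeyFile belong together.
    # Compare the public keys instead of trusting the file names.
    local kpub cpub
    kpub=$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$d/server.crt" -pubkey -noout)
    [ "$kpub" = "$cpub" ]
}

# Check 3: a certificate signed by some other CA must fail verification,
# otherwise check 1 proves nothing. Returns 0 when it is correctly rejected.
rejects_foreign_ca() {
    ! openssl verify -CAfile "$1/cacert.pem" "$2/server.crt" >/dev/null 2>&1
}
```

Once `build_and_verify /some/dir` succeeds, server.crt and server.key are the pair to name in ssl.conf, and cacert.pem is what the browser must import for the connection to be trusted.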