构建私有CA和证书

一、准备

两台虚拟机

192.168.252.148 CA

192.168.252.149 客户端

二、构建私有CA

192.168.252.148 CA

安装openssl

1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

查看CA相关配置

/etc/pki/tls/openssl.cnf这个文件是CA的配置文件。

此文件对于是证书签署者的身份会使用到此文件

此文件对于证书的申请者的身份是无用的。

根证书服务器目录：

根CA服务器：/etc/pki/CA 192.168.252.148

网站服务器：/etc/pki/tls 192.168.252.149

查看文件
cat  /etc/pki/tls/openssl.cnf

创建所需文件

cd /etc/pki/CA/
ls
certs  crl  newcerts  private

1.创建生成证书索引数据库文件
touch index.txt
2.指定第一个颁发证书的序列号
echo 01 > serial

ls
certs  crl  index.txt  newcerts  private  serial

创建秘钥

1.使用openssl创建秘钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus
.....................+++
...............................+++
e is 65537 (0x10001)

2.在private中查看
ls private/
cakey.pem

生成自签名的证书

根CA自签名证书，根CA是最顶级的认证机构，没有人能够认证他，所以只能自己认证自己生成自签名证书。

1.生成自签名证书通过秘钥
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                         //签发国家  
State or Province Name (full name) []:BEIJING                //签发省份
Locality Name (eg, city) [Default City]:BEIJING              //签发城市
Organization Name (eg, company) [Default Company Ltd]:CA     //签发公司
Organizational Unit Name (eg, section) []:OPT                //签发部门
Common Name (eg, your name or your server's hostname) []:www.syh.com   //签发域名
Email Address []:[email protected]                           //签发邮件                         

2.查看文件
ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

参数解释：

-new 			生成新证书签署请求
-x509 		专用于CA生成自签证书
-key 			生成请求时用到的私钥文件
-days 		证书的有效期限
-out 		 	证书的保存路径

下载安装证书

yum install -y lrzsz
sz /etc/pki/CA/cacert.pem

以谷歌浏览器为例：

点击设置

点击安全和隐私

向下滑

找到证书管理会出现一个弹窗

导入刚才上传电脑的证书

根据向导导入证书

导入刚才上传的证书

完成

三、服务器端进行CA证书申请和签名

192.168.252.149 客户端

安装openssl

1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

生成私钥文件

1.生成私钥
(umask 066; openssl genrsa -out /etc/pki/tls/private/www.syh.com.key 2048)

Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.....+++
e is 65537 (0x10001)

2.查看私钥
ls /etc/pki/tls/private/
localhost.key  www.syh.com.key

私钥加密生成证书

1.私钥加密生成证书
openssl req -new -key /etc/pki/tls/private/www.syh.com.key -days 365 -out /etc/pki/tls/www.syh.com.csr

ww.syh.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.syh.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//此处的信息要一定与在生成自签名的证书的信息一致

2.查看证书的生成
ls  /etc/pki/tls/
cert.pem  certs  misc  openssl.cnf  private  www.syh.com.csr

四、证书签署

客户端的证书传输到CA端上

传输这个证书/etc/pki/tls/www.qf.com.csr到CA端

192.168.252.149:
cd  /etc/pki/tls/
scp  www.syh.com.csr  192.168.252.148:/etc/pki/CA/private

192.168.252.148:
cd /etc/pki/CA/private
ls
cakey.pem  www.syh.com.csr

证书签署

1.修改配置文件/etc/pki/tls/openssl.cnf，修改organizationName=supplied

192.168.252.148：
1.编辑配置文件
vim /etc/pki/tls/openssl.cnf
/organizationName搜索这个
找到这个模块修改：
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

2.CA签署

192.168.252.148：
1.签署证书
openssl ca -in /etc/pki/CA/private/www.syh.com.csr -out /etc/pki/CA/certs/www.syh.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf


Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  3 12:09:17 2024 GMT
            Not After : Sep  3 12:09:17 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = CA
            organizationalUnitName    = OPT
            commonName                = www.syh.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                FA:A5:D7:6B:7D:8A:C2:BA:06:BA:7B:DF:71:35:40:5E:A1:AF:3A:F1
            X509v3 Authority Key Identifier: 
                keyid:AF:0C:F8:02:B7:C0:51:E3:B7:AB:3A:A0:15:EE:0A:39:8A:03:AB:6A

Certificate is to be certified until Sep  3 12:09:17 2025 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

发送签署后的证书

192.168.252.148：
1.发送证书
cd /etc/pki/CA/certs/
scp www.syh.com.crt 192.168.252.149:/etc/pki/CA/certs/

192.168.252.149：
1.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

五、测试

证书文件和密钥文件

证书文件路径：
/etc/pki/CA/certs/www.syh.com.crt
密钥文件路径：
/etc/pki/tls/private/www.syh.com.key

配置Nginx配置文件

1.编辑配置文件：
vim /etc/nginx/conf.d/nginx_ca.conf

server {
        listen       443 ssl;
        server_name  www.syh.com;

        ssl_certificate      /etc/pki/CA/certs/www.syh.com.crt;                 #指定证书路径
        ssl_certificate_key  /etc/pki/tls/private/www.syh.com.key;              #指定私钥路径
        ssl_session_timeout  5m;                                                #配置用于SSL会话的缓存
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  							#如果出现无法访问的连接就将此注释注释掉
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; #密码指定为OpenSSL支持的格式
        ssl_prefer_server_ciphers   on;                                         #设置协商加密算法时，优先使用服务端的
加密，而不是客户端浏览器的。

        location / {
                root /jump/html;
                index index.html index.htm;
        }
}

2.创建发布目录
mkdir -p  /jump/html
发布一个跳一跳

3.重启
nginx -t
systemctl restart nginx

配置windows解析

访问

https://www.syh.com

因为私有证书不受此浏览器信任所以会出现不安全的https连接