III. Client-side verification of the CA service
On the host (192.168.1.130):
[root@test1 CA]#yum -y install httpd
[root@test1 CA]#service httpd start
[root@test1 CA]#mkdir -p /var/www/html/yum
[root@test1 CA]#cp my-ca.crt /var/www/html/yum    # put my-ca.crt, i.e. the CA's public key, on the HTTP server so others can download it
Then, on the client (192.168.1.117):
[root@test2 Desktop]#openssl genrsa 1024 > test2.key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.......++++++
e is 65537 (0x10001)
[root@test2 Desktop]#openssl req -new -key test2.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test2
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test2 Desktop]# scp dovecot.csr root@192.168.1.130:/root/
root@192.168.1.130's password:
dovecot.csr 100% 668 0.7KB/s 00:00
IV. Server side: the CA issues the certificate
On the CA server:
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 22 10:44:36 2013 GMT
Not After : Jan 22 10:44:36 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Tianli Company
commonName = test2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:69:58:12:67:C7:FC:9E:AC:70:1D:2A:2C:56:A4:E1:61:97:B2:23
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 22 10:44:36 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Finally, the certificate has been issued successfully.
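The two sections above (client key and CSR, then signing on the CA) as one added, non-interactive script that is not part of the original page; it ends with the check the client can run after downloading my-ca.crt. It assumes openssl is in PATH, uses an unencrypted CA key and 2048-bit keys instead of the page's passphrase-protected key and 1024-bit client key, and writes its own minimal ca.cnf in place of /etc/pki/tls/openssl.cnf.

```shell
# Added example (not from the original page): the page's CA flow, run without
# prompts in a scratch directory, plus the check a client can run once it has
# downloaded my-ca.crt. Assumes openssl in PATH and an unencrypted CA key.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 01 > demoCA/serial

# Minimal stand-in for /etc/pki/tls/openssl.cnf (usr_cert mirrors the page).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./my-ca.crt
private_key = ./my-ca.key
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
EOF

# CA side: self-signed CA certificate (the page's my-ca.crt / my-ca.key).
openssl req -x509 -newkey rsa:2048 -nodes -keyout my-ca.key -out my-ca.crt \
  -days 3650 -config ca.cnf -extensions v3_ca -subj "/C=CN/O=Tianli Company/CN=test1"
# Client side: private key and CSR (the page's test2.key / dovecot.csr).
openssl genrsa -out test2.key 2048
openssl req -new -key test2.key -out dovecot.csr -config ca.cnf \
  -subj "/C=CN/ST=Hebei/O=Tianli Company/CN=test2"
# CA side: -batch answers the "Sign the certificate?" and "commit?" prompts.
openssl ca -batch -notext -config ca.cnf -in dovecot.csr -out dovecot.crt

# Client side: succeeds only if the cert chains to the CA cert it downloaded.
verify_cert() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }
verify_cert my-ca.crt dovecot.crt && echo "dovecot.crt was issued by my-ca.crt"
```

The verify step is the point of fetching my-ca.crt from the HTTP server: a certificate signed by any other CA fails the same check, so the client must obtain that file over a path it trusts.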