1.三台主机分别为A,B,C。
2.A主机设置为CA和DNS服务器,ip为192.168.213.129
3.B主机为client,ip为192.168.213.253
4.C主机为httpd server,ip为192.168.213.128
5.已经在三台主机上启动了httpd服务,并且可以正常访问自己的网页。
1.在A主机上创建CA和DNS
服务器
1)创建所需要的文件
生成证书索引数据库文件:
touch /etc/pki/CA/
index.txt
系统会自动生成个
index.txt.attr文件。用来决定是否使证书为唯一性,也就是是否可以重复申请证书。
指定第一个颁发证书的序列号:
echo
01 > /etc/pki/CA/serial
2)CA自签证书
生成私钥:
cd /etc/pki/CA/
openssl genrsa -
out /etc/pki/CA/
private/cakey.pem
2048
chmod
600 cakey.pem
生成自签名证书:
openssl req -new -x509 –key /etc/pki/CA/
private/cakey.pem -days
7300 -
out /etc/pki/CA/cacert.pem
3)创建DNS服务器
1》vim /etc/
named.conf
options {
listen-on port
53 {
any ; };
// listen-on-v6 port
53 { ::
1; };
directory
"/var/named";
dump-
file "/var/named/data/cache_dump.db";
statistics-
file "/var/named/data/named_stats.txt";
memstatistics-
file "/var/named/data/named_mem_stats.txt";
allow-query
{
any ; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
2》关闭防火墙和设置selinux为permissive
iptables -F
setenforce
0
3》创建解析
1>vim /etc/
named.rfc1912.zones
zone
"ab.com" IN {
type master;
file "ab.com.zone";
};
2>
named-checkconf
3>cd /var/
named/
4>cp -a
named.localhost ab.com.zone
5>vim ab.com.zone
$TTL D
@
IN SOA dns admin.ab.com. (
3 ; serial
D ; refresh
H ; retry
W ; expire
H ) ; minimum
NS dns
dns A
192.168.213.128
websrv A
192.168.213.128
mail A
192.168.213.128
www CNAME websrv
6>
named-checkzone ab.com /var/
named/ab.com.zone
7>重新加载
rndc reload
service
named reload or systemctl reload
named
不行的话清除服务缓存,再来一遍
rndc
flush
最有效的方式是重启服务(正常工作中尽量别这么用,怕影响其他的同步)
service
named restart or systemctl restart
named
8>rndc
status
2.在C主机
1)指向DNS服务器
vim
/etc/resolv.conf
nameserver
192.168.213.129
测试:
dig -t A
2)向CA申请证书
1》生成证书请求
生成私钥:
(umask
066; openssl genrsa -out
/etc/pki
/tls/private/http.key
2048)
生成证书申请文件:
openssl req -
new -key
/etc/pki
/tls/private/http.key -days 365 -out /etc
/pki/tls/http.csr
2》将证书请求文件传输给CA
scp
/etc/pki
/tls/http.csr root@
192.168.213.129:
3.在A主机
1)CA签署证书:
openssl ca -
in /tmp/http.csr –out
/etc/pki
/CA/certs/http.crt -days
365
注意:
默认国家,省,公司名称三项必须和CA一致,但可以修改
/etc/pki
/tls/openssl.cnf
common name要使用此主机在通信真实使用的名字
2)CA证书和CA签署的证书发送给C主机,然后在C主机上进行配置。
scp
/etc/pki
/CA/certs/http.crt root@
192.168.213.128:
scp
/etc/pki
/CA/private/cakey.pem root@
192.168.213.128:
4.在C主机
1)od_ssl模块
yum -y install mod_ssl
2)d_ssl进行配置,配置文集为ssl.conf
vim
/etc/httpd
/conf.d/ssl.conf
DocumentRoot
"/var/www/html"
SSLCertificateFile
/etc/pki
/tls/certs/httpd.crt
SSLCertificateKeyFile
/etc/pki
/tls/private/httpd.key
SSLCACertificateFile
/etc/pki
/CA/cacert.pem
注:
注意文件的路径,你放在那里就写成什么路径。
3)重启服务,并进行测试
service httpd restart or systemctl restart httpd
curl --cacert
/path to/cacert.pem
https://www.ab.com
5.在B主机
1》vim /etc/resolv.conf
nameserver
192.168.
213.128
(尽量就填写一个)
2》测试
curl
3)CA证书导入
1》A证书从A主机上拷贝过来
scp root@192.
168.213.
129:/etc/pki/CA/cacert.pem /root/
2》测试
curl --cacert /root/cacert.pem
https:/
/www.ab.com