CA certification process and HTTPS implementation (2)

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ca:7e:0b:7a:b3:65:5a:f3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=sichuan, O=kezibky, OU=IT, CN=kezibky.com/emailAddress=keizibky@163.com
Validity
Not Before: Sep 12 06:40:28 2019 GMT
Not After : Sep 11 06:40:28 2022 GMT
Subject: C=CN, ST=sichuan, O=kezibky, OU=IT, CN=kezibky.com/emailAddress=keizibky@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:ee:c5:e0:5e:8a:4c:8a:7e:2d:e2:d4:53:a9:
6c:b3:36:f6:f3:1f:00:cb:b6:a2:88:67:af:8c:03:
4e:56:a5:3d:79:eb:d8:0e:f1:d0:8c:d6:b8:a8:8f:
11:ae:ec:c6:fd:6a:a9:cf:bf:fc:bd:c9:6b:55:fb:
ea:88:20:e7:ca:58:e3:22:6d:4d:f5:ae:d2:6e:e9:
81:fd:16:38:d4:0b:7b:85:60:5c:0c:c9:9b:6d:2a:
8c:26:01:42:24:18:1c:46:73:4b:9d:98:58:f0:37:
cc:29:ae:db:e5:40:dc:26:d6:4c:fc:c8:ff:d4:6e:
aa:f4:21:c7:54:45:ae:5a:15:96:c8:b6:b4:b7:66:
25:f4:35:b7:5a:88:39:95:16:5d:77:ac:86:7d:f2:
1d:b4:ec:97:1b:21:a2:7a:35:fd:b1:23:11:b2:80:
80:49:9b:66:73:45:94:7a:bf:bb:9c:9b:bd:9f:e7:
e4:3d:77:8e:91:9b:ec:81:c2:90:98:f9:7d:e5:75:
77:51:9d:7d:96:58:52:4c:84:88:a3:92:b5:b3:4b:
dc:06:96:c1:64:12:ad:6d:df:f8:5d:71:46:14:96:
"/etc/pki/CA/cacert.pem" 81L, 4465C

5. View the root CA's private key

The BEGIN ENCRYPTED PRIVATE KEY header below shows that the key is stored passphrase-encrypted (PKCS#8 format), so the ciphertext rather than the raw key sits on disk. Even so, keep the file readable by root only and never copy it off the CA host; anyone who recovers this key can issue certificates that every client trusting cacert.pem will accept.

[root@k7 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQITCjptF6WslUCAggA
MBQGCCqGSIb3DQMHBAhl/0pgVa0ZGASCBMilfCLbo7qiXVpZKj6levYLA611Pa4a
Wl5DlOdZ/AdIjROvYS7Va5lYdj5jWfky0Tyz6+XNA08xNugPTmLPcmvR0GeSJPwe
NIgpzSqFPaT+d1K1FJ7abKZgPvfcIOhejX+sST9h75KTgkN8XruJHeDrFclg1z0C
804g9Nb7SElDmIfwpxDf1glngwW+hqkTcZUInI92pslIGQ8uuXbXYa+l5ZCKpfbL
A4b0avxA6D5ktEa+WPcuzn10ShQH4oPSYwteq8+l7ODXheqgrLSJJov4HyB+tk+G

III. Setting up HTTPS on Apache

The overall workflow for setting up HTTPS on Apache is as follows:

(1) Install httpd on k6

(2) k6 generates a certificate signing request (CSR) and sends it to the CA on k7 for signing; k7 issues the signed certificate back to k6

(3) Configure httpd with the certificate to serve HTTPS

(4) Test the HTTPS setup

2. Install the httpd web server

[root@k6 ~]# yum install httpd -y

[root@k6 ~]# vim /etc/httpd/conf/httpd.conf

Change line 95 from:  #ServerName :80   # the ServerName directive

to:                   ServerName 10.27.17.36:80

[root@k6 ~]# systemctl start httpd

[root@k6 ~]# iptables -F   # lab shortcut: flushes every firewall rule; on a real host open only tcp/80 and tcp/443 instead

3. k6 generates a certificate signing request and obtains a certificate

[root@k6 ~]# openssl genrsa -h  # show the help text

Generate a private key (no separate public-key file is produced at this point; an RSA private key already contains the public components):

[root@k6 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key

Parameter: -des3   encrypt the generated key with DES in ede cbc mode (168 bit key)   # encrypts the private key under a passphrase

Note that no key size is given on the command line, so this OpenSSL version falls back to its 512-bit default (see the output below). 512-bit RSA can be factored cheaply and is rejected by current browsers and OpenSSL releases, so in practice append an explicit size such as 2048, and prefer -aes256 over the legacy -des3 for the passphrase encryption.

Generating RSA private key, 512 bit long modulus

.....++++++++++++

..............................++++++++++++

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key:123456  # enter the passphrase that protects the private key; the key is encrypted with the algorithm chosen by -des3

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

Note: the public key can be derived from the private key, but not the other way round. The RSA private key file stores the modulus and public exponent, so the public key can be extracted from it at any time (openssl rsa -pubout), whereas recovering the private key from the public key would require factoring the modulus.

4. Generate a certificate signing request with the private key

[root@k6 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr   # the country, state and organization entered below must match the CA's certificate: the default openssl.cnf policy_match section requires C, ST and O to be identical, otherwise the CA refuses to sign the request

Enter pass phrase for /etc/httpd/conf.d/server.key:123456  # enter the private key's passphrase

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:sichuan

Locality Name (eg, city) [Default City]:chengdu

Organization Name (eg, company) [Default Company Ltd]:kezibky

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:kezibky.cn

(The Common Name should be the hostname clients will use to reach the server. Current browsers additionally require that name in a subjectAltName extension, which comes from the CA's configuration at signing time rather than from these prompts.)
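As an added example (not part of the original tutorial), the following script runs the k6 side of step (2) non-interactively and stands in a throwaway CA for k7, so the whole key, CSR, signing and verification loop can be exercised on one machine. It reuses the tutorial's DN values and the hostname kezibky.cn; the temporary working directory, the subjectAltName entry and the use of openssl x509 -req in place of the CA's openssl ca are assumptions of the demo, and the CA it creates is not the /etc/pki/CA from part 1.

```shell
#!/usr/bin/env bash
# Added example, not the tutorial's own commands. Everything lives in a
# temporary directory so nothing under /etc/httpd or /etc/pki is touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch location

# Stand-in for the k7 CA: a self-signed root whose C/ST/O the CSR must match
# (the default openssl.cnf policy_match section enforces exactly those three).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
    -subj "/C=CN/ST=sichuan/O=kezibky/OU=IT/CN=kezibky.com" 2>/dev/null
}

# k6 step: server key with an explicit size. Leaving the size off, as the
# tutorial does, gave a 512-bit key on that OpenSSL, which clients reject.
make_server_key() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  chmod 600 "$WORK/server.key"
}

# k6 step: CSR whose C, ST and O match the CA; CN is the server hostname.
make_csr() {
  openssl req -new -key "$WORK/server.key" -sha256 \
    -subj "/C=CN/ST=sichuan/L=chengdu/O=kezibky/OU=IT/CN=kezibky.cn" \
    -out "$WORK/server.csr" 2>/dev/null
}

# k7 step: sign the CSR and add the extensions a server cert needs (SAN for
# browsers, CA:FALSE so the leaf cannot itself issue). A real CA would run
# "openssl ca" with its index and serial files; x509 -req is the demo minimum.
sign_csr() {
  printf 'subjectAltName=DNS:kezibky.cn\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Check: modulus size of the generated key, e.g. 2048.
key_bits() {
  openssl rsa -in "$WORK/server.key" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Check: the CSR's self-signature verifies (it was really made with this key).
csr_ok() { openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1; }

# Check: the issued certificate chains to the CA, as a client will require.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Check: key and certificate share a modulus. A mismatch between
# SSLCertificateFile and SSLCertificateKeyFile is the classic reason httpd
# refuses to start an SSL virtual host.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/server.key" -noout -modulus 2>/dev/null)" ]
}

# Check: the SAN the CA was asked for actually landed in the certificate.
cert_has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'DNS:kezibky.cn'
}

run_demo() {
  make_demo_ca && make_server_key && make_csr && sign_csr
}

run_demo
openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
```

The check functions are what to run before pointing httpd at the files: a key whose modulus differs from the certificate's, or a certificate that does not verify against cacert.pem, shows up later as a virtual host that fails to start or as a browser trust error, and both are easier to diagnose here than in the httpd error log.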

Copyright notice: unless otherwise stated, all articles are original to this site.

Reproduction must credit the source: https://www.heiqu.com/zzyfjy.html