https://blog.51cto.com/13157015/1966084 PXE自动化安装
https://www.cnblogs.com/ance/p/10265962.html#i4 自制u盘镜像并安装
证书签名过程:1、网页服务器生成证书请求文件;2、认证中心确认申请者的身份真实性;3、认证中心使用根证书的私钥加密证书请求文件,生成证书;4、把证书传给申请者。
一、实验环境
node1 192.168.40.132 CA认证中心(也要给自己颁发根证书)
node2 192.168.40.211 网页服务器
由于没有真实域名,所以自己搭建一个CA认证中心,实际只要去申请一个就好了。
[root@node1 ~]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64 //openssl一般默认安装的
[root@node1 ~]# vim /etc/pki/tls/openssl.cnf
basicConstraints=CA:TRUE //第172行,让当前服务器成为CA认证中心[root@node1 ~]# /etc/pki/tls/misc/CA -newca
//新的CAche证书CA certificate filename (or enter to create) //证书文件名,可以直接回车
Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
.+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
//保护私钥的密码,123456Verifying - Enter PEM pass phrase: //重复密码,123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
//地区Locality Name (eg, city) [Default City]:haidian //城市
Organization Name (eg, company) [Default Company Ltd]:test //组织名称,公司
Organizational Unit Name (eg, section) []:IT
//部门Common Name (eg, your name or your server's hostname) []:test.cn //通用名,名字或服务器主机名等
Email Address []:
//邮箱Please enter the following 'extra' attributes
to be sent with your certificate request //添加一个额外属性,让客户端发送CA证书请求文件时,要输入的密码
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fe:b3:47:2e:3c:0e:ce:d2
Validity
Not Before: Oct 14 12:25:18 2019 GMT
Not After : Oct 13 12:25:18 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = IT
commonName = test.cn
X509v3 extensions:
X509v3 Subject Key Identifier:
69:E7:F4:D2:AD:56:53:E0:37:FB:37:8E:3F:8B:23:23:3B:FE:CB:45
X509v3 Authority Key Identifier:
keyid:69:E7:F4:D2:AD:56:53:E0:37:FB:37:8E:3F:8B:23:23:3B:FE:CB:45
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 13 12:25:18 2022 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
//搭建完成[root@node1 ~]# cat /etc/pki/CA/cacert.pem
。。。。。省略
说明:/etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
-newcert 新证书
-newreq 新请求
-newreq-nodes 新请求节点
-newca 新的CA证书
-sign 签证
-verify 验证
二.Apache实现https
备一个httpd,需要包含ssl模块
[root@node2 ~]# yum -y install httpd mod_ssl
[root@node2 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.5.102:80 //第95行[root@node2 ~]# systemctl start httpd.service
[root@node2 ~]firewall-cmd --permanent --zone=public --add-port=80/tcp[root@node2 ~]firewall-cmd --reload
生成证书请求文件,并发给CA认证中心node1
//-des3使用des3加密算法;-out输出到指定地址
[root@node2 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for /etc/httpd/conf.d/server.key:
//输入保护私钥的密码,123456 Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
//重复密码[root@node2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
[root@node2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
[root@node2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
//输入保护私钥的密码(/etc/httpd/conf.d/server.key的),123456You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
//通用名不能和CA一样,一般写域名
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node2 ~]# scp /server.csr 192.168.40.132:/
root@192.168.40.132's password:
server.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node2 ~]# scp /server.csr 192.168.40.132:/
root@192.168.40.132's password:
server.csr
CAche认证中心进行签名,再回传
[root@node1 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fe:b3:47:2e:3c:0e:ce:d3
Validity
Not Before: Oct 14 12:52:55 2019 GMT
Not After : Oct 13 12:52:55 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = IT
commonName = test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:AA:92:E4:F1:05:74:55:E6:3A:B9:83:FC:4B:64:05:D4:A8:24:DC
X509v3 Authority Key Identifier:
keyid:69:E7:F4:D2:AD:56:53:E0:37:FB:37:8E:3F:8B:23:23:3B:FE:CB:45
Certificate is to be certified until Oct 13 12:52:55 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fe:b3:47:2e:3c:0e:ce:d3
Validity
Not Before: Oct 14 12:52:55 2019 GMT
Not After : Oct 13 12:52:55 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = IT
commonName = test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:AA:92:E4:F1:05:74:55:E6:3A:B9:83:FC:4B:64:05:D4:A8:24:DC
X509v3 Authority Key Identifier:
keyid:69:E7:F4:D2:AD:56:53:E0:37:FB:37:8E:3F:8B:23:23:3B:FE:CB:45
Certificate is to be certified until Oct 13 12:52:55 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ~]# scp /server.crt 192.168.40.211:/
The authenticity of host '192.168.40.211 (192.168.40.211)' can't be established.
ECDSA key fingerprint is SHA256:pNJw/K2ipf4PO9OZtkTmisNZ+ctpN02yRIMxTvNGlrA.
ECDSA key fingerprint is MD5:42:0a:fb:3f:74:1f:12:fc:f1:6a:20:00:43:0a:0f:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.40.211' (ECDSA) to the list of known hosts.
root@192.168.40.211's password:
server.crt 100% 4424 3.4MB/s 00:00
//回传给服务器The authenticity of host '192.168.40.211 (192.168.40.211)' can't be established.
ECDSA key fingerprint is SHA256:pNJw/K2ipf4PO9OZtkTmisNZ+ctpN02yRIMxTvNGlrA.
ECDSA key fingerprint is MD5:42:0a:fb:3f:74:1f:12:fc:f1:6a:20:00:43:0a:0f:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.40.211' (ECDSA) to the list of known hosts.
root@192.168.40.211's password:
server.crt 100% 4424 3.4MB/s 00:00
配置Apache加载证书文件
[root@node2 ~]# cp /server.crt /etc/httpd/conf.d/
[root@node2 ~]# vim /etc/httpd/conf.d/ssl.conf
[root@node2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt //第100行,签名证书SSLCertificateKeyFile /etc/httpd/conf.d/server.key /第107行,私钥[root@node2 ~]#systemctl restart httpdEnter SSL pass phrase for 192.168.40.211:443 (RSA) : ****** //123456
[root@node2 ~]# yum -y install net-tools.x86_64
[root@node2 ~]# netstat -antup | grep 443
tcp6 0 0 :::443 :::* LISTEN 1279/httpd [root@node2 ~]firewall-cmd --permanent --zone=public --add-port=443/tcp[root@node2 ~]firewall-cmd --reload三.nginx实现https
[root@node2 ~]# yum -y install nginx
Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node2 ~]# nginx
Enter PEM pass phrase:
[root@node2 ~]# netstat -antup | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1461/nginx: master
[root@node2 ~]# vim /etc/nginx/conf.d/default.confserver { listen 443 ssl; keepalive_timeout 70; location / { root /usr/share/nginx/html; index index.html index.htm; } ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSL支持的版本 ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /etc/httpd/conf.d/server.crt; ssl_certificate_key /etc/httpd/conf.d/server.key; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;} 注意:粘贴会有空格。
[root@node2 ~]# nginx -t Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node2 ~]# nginx
Enter PEM pass phrase:
[root@node2 ~]# netstat -antup | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1461/nginx: master