title: 01 - Issuing an HTTPS certificate for httpd from a CA
order: 1
icon: lightbulb
Overview of the CA (certificate authority)
CA is short for Certificate Authority; its job is to issue digital certificates to users.
Functions: issuing, renewing, revoking and validating certificates.
Purpose: identity authentication and non-repudiation of data.
Port: 443 (HTTPS, where the issued certificate is ultimately used; the CA built below is file-based and does not listen on any port itself).
Certificate request file: CSR stands for Certificate Signing Request. When applying for a certificate, the applicant's cryptographic service provider (CSP) generates a private key and, alongside it, the CSR, which carries the matching public key and the requested subject name. The applicant submits the CSR to the CA; the CA signs it with its own private key (the key behind its root certificate) and the result is the certificate issued to the applicant. The applicant's private key never leaves the applicant's machine.
Environment
Two Linux hosts: one acts as the CA, the other as the httpd server, as shown in the figure (in the commands below the CA is 172.16.0.8 and the httpd server is 172.16.0.9).
3. Configuring the CA and issuing the httpd certificate
(1) Configure the CA server
1. Make this host the CA
[root@ca-server ~]# vim /etc/pki/tls/openssl.cnf
The original page changed line 172, basicConstraints=CA:FALSE, to CA:TRUE in order to "turn the host into a CA". That line belongs to the [ usr_cert ] section, which is the extension set openssl ca stamps on every certificate it issues; the root certificate built by CA -newca in the next step gets its CA:TRUE from the separate [ v3_ca ] section regardless. Leave line 172 at CA:FALSE: with it set to TRUE, the server certificate signed in step 8 would itself be a CA certificate, able to sign further certificates that chain to this root.
2. Initialise the CA: generate the CA private key and the self-signed root certificate
![](https://picture-1257845304.cos.ap-chengdu.myqcloud.com/picture//1695712327.2625778.png)
```
[root@ca-server ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
........................................................+++
...........+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:                # enter 123456; this passphrase protects the CA private key
Verifying - Enter PEM pass phrase:    # enter 123456 again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN                                # country
State or Province Name (full name) []:HB                            # province
Locality Name (eg, city) [Default City]:WH                          # city
Organization Name (eg, company) [Default Company Ltd]:IT            # organisation
Organizational Unit Name (eg, section) []:IT                        # organisational unit
Common Name (eg, your name or your server's hostname) []:test.cn    # common name
Email Address []:www.cn@test.cn                                     # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request    # optional attributes; press Enter to skip both
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf    # the DN above is filtered by this file's policy before it goes into the certificate
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:    # enter 123456, the CA key passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        f5:9a:34:29:2a:f8:ad:bf
    Validity
        Not Before: Nov 17 23:16:33 2019 GMT
        Not After : Nov 16 23:16:33 2022 GMT
    Subject:
        countryName               = CN
        stateOrProvinceName       = HB
        organizationName          = IT
        organizationalUnitName    = IT
        commonName                = test.cn
        emailAddress              = www.cn@test.cn
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            C3:CA:66:53:74:20:2F:ED:13:FE:27:6D:7C:7E:96:B3:2E:41:93:1D
        X509v3 Authority Key Identifier:
            keyid:C3:CA:66:53:74:20:2F:ED:13:FE:27:6D:7C:7E:96:B3:2E:41:93:1D
        X509v3 Basic Constraints:
            CA:TRUE
Certificate is to be certified until Nov 16 23:16:33 2022 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
```
At this point the CA is set up: /etc/pki/CA/private/cakey.pem holds the root private key, encrypted under the passphrase, and /etc/pki/CA/cacert.pem is the self-signed root certificate carrying the matching public key. Note that the Locality entered (WH) is missing from the Subject: the default policy_match section of openssl.cnf does not list localityName, and openssl ca silently drops every DN field the policy does not mention.
3. View the generated root certificate (openssl ca writes a human-readable dump in front of the PEM unless -notext is given, which is why cat shows both)
```
[root@ca-server ~]# cat /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f5:9a:34:29:2a:f8:ad:bf
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HB, O=IT, OU=IT, CN=test.cn/emailAddress=www.cn@test.cn    # the CA's own identity
        Validity
            Not Before: Nov 17 23:16:33 2019 GMT
            Not After : Nov 16 23:16:33 2022 GMT
        Subject: C=CN, ST=HB, O=IT, OU=IT, CN=test.cn/emailAddress=www.cn@test.cn   # same DN as the issuer: self-signed
        Subject Public Key Info:                                                     # the CA's public key
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:07:5c:b3:1f:7b:27:2e:9e:0f:8a:31:14:f8:
                    39:b2:bb:fa:6a:12:9b:55:3f:ca:ef:13:74:c9:61:
                    a4:0d:aa:b1:e3:d1:a1:df:4e:4b:24:d2:0d:e0:ea:
                    4d:d9:98:1d:df:db:41:f1:2b:60:0e:46:bd:ee:77:
                    64:62:77:9f:7a:95:80:15:80:cb:51:3f:fa:2a:ce:
                    4e:64:d4:44:1f:5d:41:1b:53:92:cb:5a:38:79:0d:
                    07:be:f1:c5:b6:d6:3c:e0:b0:74:9e:52:2b:e9:da:
                    73:be:6b:a7:51:90:83:3a:88:26:2b:ab:97:e1:61:
                    db:82:7b:6c:0a:62:0c:f7:84:94:5c:97:2a:17:f4:
                    29:4c:42:8b:dc:69:89:a6:9c:de:fd:fe:e1:63:43:
                    d0:fd:f8:4c:49:b9:11:08:fc:07:b0:05:ef:bb:d4:
                    98:f5:73:14:95:98:91:d6:82:28:d3:8a:4a:69:dd:
                    6a:93:65:f8:45:ec:fe:51:6b:2d:e8:54:ff:26:53:
                    8d:b8:87:8c:29:51:82:2d:61:17:4c:dd:c0:aa:1c:
                    b8:c8:a4:bd:13:0e:ee:77:9a:cb:3f:4c:0c:8c:23:
                    3f:ea:d9:a4:5e:6c:a9:da:c1:d9:9a:5f:5c:07:0f:
                    a1:b5:a5:aa:29:68:4f:b9:9f:73:c7:f7:02:2d:58:
                    f5:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C3:CA:66:53:74:20:2F:ED:13:FE:27:6D:7C:7E:96:B3:2E:41:93:1D
            X509v3 Authority Key Identifier:
                keyid:C3:CA:66:53:74:20:2F:ED:13:FE:27:6D:7C:7E:96:B3:2E:41:93:1D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         29:b8:5e:31:93:11:12:ce:44:25:d4:4a:6c:f8:87:ac:00:90:
         e9:d8:cf:84:89:53:85:fa:77:78:e6:d8:3d:a6:7b:e5:d4:53:
         ac:7e:1e:b2:71:89:65:3b:1c:cd:ea:ad:52:ca:83:3c:05:8b:
         6c:b4:7c:ff:a1:b1:dd:cc:ab:90:ac:14:f6:dd:07:b3:56:1a:
         82:5a:ed:04:4b:5f:8c:ee:3f:74:57:9a:72:1d:ee:fa:dd:9a:
         f7:c6:74:9f:14:cd:d3:e5:ed:38:ef:c7:62:7d:c6:b4:e5:5e:
         87:85:b2:f0:82:0e:da:16:12:55:22:6c:ea:b4:48:00:d2:15:
         c7:70:1e:7c:aa:2c:e1:71:7a:ac:71:23:55:4f:4b:0c:b6:30:
         95:e8:20:fa:c9:d5:21:52:a6:9a:a2:d1:fb:81:0f:7d:0b:c2:
         e7:f8:67:70:1d:a4:20:04:22:67:f9:69:92:29:cc:dc:90:ee:
         a5:0a:bb:54:3a:06:3c:ec:c3:75:21:bc:b4:3c:95:64:3e:02:
         80:91:6c:ad:8f:7c:35:c2:4f:b4:3f:1a:47:e6:6c:6b:73:a8:
         8b:3e:5f:3a:f6:b2:2e:97:04:1b:1f:e9:2b:60:ef:cb:8d:e4:
         42:92:a2:e5:3c:52:a7:c6:3e:76:cf:a0:10:7f:ae:73:40:58:
         e6:32:a5:c6
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIJAPWaNCkq+K2/MA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJIQjELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRAw
DgYDVQQDDAd0ZXN0LmNuMR0wGwYJKoZIhvcNAQkBFg53d3cuY25AdGVzdC5jbjAe
Fw0xOTExMTcyMzE2MzNaFw0yMjExMTYyMzE2MzNaMGUxCzAJBgNVBAYTAkNOMQsw
CQYDVQQIDAJIQjELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRAwDgYDVQQDDAd0
ZXN0LmNuMR0wGwYJKoZIhvcNAQkBFg53d3cuY25AdGVzdC5jbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKIHXLMfeycung+KMRT4ObK7+moSm1U/yu8T
dMlhpA2qsePRod9OSyTSDeDqTdmYHd/bQfErYA5Gve53ZGJ3n3qVgBWAy1E/+irO
TmTURB9dQRtTkstaOHkNB77xxbbWPOCwdJ5SK+nac75rp1GQgzqIJiurl+Fh24J7
bApiDPeElFyXKhf0KUxCi9xpiaac3v3+4WND0P34TEm5EQj8B7AF77vUmPVzFJWY
kdaCKNOKSmndapNl+EXs/lFrLehU/yZTjbiHjClRgi1hF0zdwKocuMikvRMO7nea
yz9MDIwjP+rZpF5sqdrB2ZpfXAcPobWlqiloT7mfc8f3Ai1Y9fcCAwEAAaNQME4w
HQYDVR0OBBYEFMPKZlN0IC/tE/4nbXx+lrMuQZMdMB8GA1UdIwQYMBaAFMPKZlN0
IC/tE/4nbXx+lrMuQZMdMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
ACm4XjGTERLORCXUSmz4h6wAkOnYz4SJU4X6d3jm2D2me+XUU6x+HrJxiWU7HM3q
rVLKgzwFi2y0fP+hsd3Mq5CsFPbdB7NWGoJa7QRLX4zuP3RXmnId7vrdmvfGdJ8U
zdPl7Tjvx2J9xrTlXoeFsvCCDtoWElUibOq0SADSFcdwHnyqLOFxeqxxI1VPSwy2
MJXoIPrJ1SFSppqi0fuBD30Lwuf4Z3AdpCAEImf5aZIpzNyQ7qUKu1Q6Bjzsw3Uh
vLQ8lWQ+AoCRbK2PfDXCT7Q/GkfmbGtzqIs+Xzr2si6XBBsf6Stg78uN5EKSouU8
UqfGPnbPoBB/rnNAWOYypcY=
-----END CERTIFICATE-----
```
4. View the root private key
```
[root@ca-server ~]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
(encrypted key material omitted)
-----END ENCRYPTED PRIVATE KEY-----
```
This file is the CA's entire security: whoever holds it together with the passphrase can issue certificates that every client trusting cacert.pem will accept. It is listed here only to confirm that it exists; keep it on the CA host with mode 0600 and never paste it into notes or tickets.
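The checks worth running on a freshly built root, as an added example that is not part of the original page. Its only input is the page's own cacert.pem (the PEM block above, unchanged), so it runs offline with nothing but openssl. It confirms the properties that make the certificate usable as a trust anchor: it is self-issued, it carries CA:TRUE, its Authority Key Identifier points at its own Subject Key Identifier, and its self-signature verifies. It also shows that the certificate has expired since the page was written, which is why a plain openssl verify fails on it today.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): the checks worth running on
# a freshly built root certificate. The PEM below is the page's own cacert.pem,
# copied verbatim, so this runs offline with nothing but openssl.
set -eu

CACERT="$(mktemp)"; trap 'rm -f "$CACERT"' EXIT
cat > "$CACERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIJAPWaNCkq+K2/MA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJIQjELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRAw
DgYDVQQDDAd0ZXN0LmNuMR0wGwYJKoZIhvcNAQkBFg53d3cuY25AdGVzdC5jbjAe
Fw0xOTExMTcyMzE2MzNaFw0yMjExMTYyMzE2MzNaMGUxCzAJBgNVBAYTAkNOMQsw
CQYDVQQIDAJIQjELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRAwDgYDVQQDDAd0
ZXN0LmNuMR0wGwYJKoZIhvcNAQkBFg53d3cuY25AdGVzdC5jbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKIHXLMfeycung+KMRT4ObK7+moSm1U/yu8T
dMlhpA2qsePRod9OSyTSDeDqTdmYHd/bQfErYA5Gve53ZGJ3n3qVgBWAy1E/+irO
TmTURB9dQRtTkstaOHkNB77xxbbWPOCwdJ5SK+nac75rp1GQgzqIJiurl+Fh24J7
bApiDPeElFyXKhf0KUxCi9xpiaac3v3+4WND0P34TEm5EQj8B7AF77vUmPVzFJWY
kdaCKNOKSmndapNl+EXs/lFrLehU/yZTjbiHjClRgi1hF0zdwKocuMikvRMO7nea
yz9MDIwjP+rZpF5sqdrB2ZpfXAcPobWlqiloT7mfc8f3Ai1Y9fcCAwEAAaNQME4w
HQYDVR0OBBYEFMPKZlN0IC/tE/4nbXx+lrMuQZMdMB8GA1UdIwQYMBaAFMPKZlN0
IC/tE/4nbXx+lrMuQZMdMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
ACm4XjGTERLORCXUSmz4h6wAkOnYz4SJU4X6d3jm2D2me+XUU6x+HrJxiWU7HM3q
rVLKgzwFi2y0fP+hsd3Mq5CsFPbdB7NWGoJa7QRLX4zuP3RXmnId7vrdmvfGdJ8U
zdPl7Tjvx2J9xrTlXoeFsvCCDtoWElUibOq0SADSFcdwHnyqLOFxeqxxI1VPSwy2
MJXoIPrJ1SFSppqi0fuBD30Lwuf4Z3AdpCAEImf5aZIpzNyQ7qUKu1Q6Bjzsw3Uh
vLQ8lWQ+AoCRbK2PfDXCT7Q/GkfmbGtzqIs+Xzr2si6XBBsf6Stg78uN5EKSouU8
UqfGPnbPoBB/rnNAWOYypcY=
-----END CERTIFICATE-----
EOF

cert_text() { openssl x509 -in "$CACERT" -noout -text; }

# A root certificate is self-issued: subject and issuer are the same DN.
is_self_issued() {
  [ "$(openssl x509 -in "$CACERT" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$CACERT" -noout -issuer  | sed 's/^issuer=//')" ]
}

# basicConstraints CA:TRUE is what allows this key to sign other certificates.
is_ca() { cert_text | grep -q 'CA:TRUE'; }

subject_key_id() { cert_text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '; }

# On a self-signed root the Authority Key Identifier names its own Subject Key
# Identifier (OpenSSL 1.x prints it with a "keyid:" prefix, 3.x without).
ski_equals_aki() {
  aki="$(cert_text | grep -A1 'Authority Key Identifier' | tail -n1 | tr -d ' ' | sed 's/^keyid://')"
  [ -n "$aki" ] && [ "$aki" = "$(subject_key_id)" ]
}

serial_hex() { openssl x509 -in "$CACERT" -noout -serial | sed 's/^serial=//'; }

# -checkend 0 exits non-zero once Not After lies in the past.
is_expired() { ! openssl x509 -in "$CACERT" -noout -checkend 0 >/dev/null; }

# The self-signature still checks out when the clock is moved inside the
# validity window (-attime); a plain `openssl verify` now fails on expiry alone.
signature_ok_when_valid() {
  openssl verify -attime 1600000000 -CAfile "$CACERT" "$CACERT" >/dev/null 2>&1
}

main() {
  is_self_issued          && echo "self-issued:      yes"
  is_ca                   && echo "basicConstraints: CA:TRUE"
  ski_equals_aki          && echo "SKI == AKI:       $(subject_key_id)"
  echo "serial:           $(serial_hex)"
  is_expired              && echo "expired:          yes (Not After Nov 16 23:16:33 2022 GMT)"
  signature_ok_when_valid && echo "self-signature:   OK when evaluated inside the validity window"
}
main
```

The same functions work unchanged on any root you build yourself: point CACERT at your own cacert.pem and drop the is_expired line while the certificate is still within its validity period.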
(2) Configure the httpd server
1. Install httpd
[root@httpd-server ~]# yum -y install httpd
2. Edit the main configuration file
[root@httpd-server ~]# vi /etc/httpd/conf/httpd.conf
Change line 95, #ServerName www.example.com:80, to ServerName 172.16.0.9:80 (the httpd host's own address).
3. Restart httpd
[root@httpd-server ~]# systemctl restart httpd
4. On the httpd server, generate a private key; the certificate request in step 6 is built from it
```
[root@httpd-server ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
............+++
..+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:              # enter 123456; passphrase protecting the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:  # enter 123456 again
```
-des3 wraps the key in a passphrase, so mod_ssl will ask for it every time httpd starts (through its SSLPassPhraseDialog setting). Either answer the prompt on the console at each start, or remove the passphrase with openssl rsa before handing the key to httpd; in both cases keep the file readable by root only.
5. View the private key
[root@httpd-server ~]# cat /etc/httpd/conf.d/server.key
6. Generate the certificate request
```
[root@httpd-server ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:      # enter 123456, the private key passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.test.cn    # the name clients will type into the browser
Email Address []:www.cn@test.cn
# Keep Country, State and Organization identical to the CA's: the default policy_match
# section of openssl.cnf requires these three to match, otherwise openssl ca refuses the request.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          # press Enter
An optional company name []:      # press Enter
```
7. Send the certificate request to the CA server
[root@httpd-server ~]# scp /server.csr 172.16.0.8:/tmp/
8. Sign the request on the CA server
[root@ca-server ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
openssl ca asks for the CA key passphrase (123456), prints the certificate it is about to issue and asks for confirmation twice (sign, then commit to the database). The -keyfile and -cert options merely repeat the /etc/pki/CA defaults from openssl.cnf.
9. The CA issues the certificate and returns it to the httpd server. The CSR carries the requester's public key; the CA attaches a signature made with its own private key, and anyone holding cacert.pem can check that signature. Nothing is "encrypted with the CA's public key", as the original text put it.
[root@ca-server ~]# scp /server.crt 172.16.0.9:/
(3) Configure the HTTPS web server
1. Install the SSL module
[root@httpd-server ~]# yum install -y mod_ssl
2. Copy the certificate next to the key
[root@httpd-server ~]# cp /server.crt /etc/httpd/conf.d/
3. Edit the SSL configuration and point it at the certificate and key
[root@httpd-server ~]# vi /etc/httpd/conf.d/ssl.conf
Change the two paths on lines 100 and 107:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt becomes SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key becomes SSLCertificateKeyFile /etc/httpd/conf.d/server.key
4. Restart httpd
[root@httpd-server ~]# systemctl restart httpd
5. Check that the HTTPS listener is up
[root@httpd-server ~]# netstat -antup | grep 443
(4) Client access
1. In a browser on the client, open https://192.168.5.9 (the page switches to this address here, while the earlier steps addressed the httpd host as 172.16.0.9; use your httpd server's actual address).
2. The browser warns that the connection is not secure because it does not trust the issuer. Click the warning, open the certificate and install it; better, import the CA's root certificate (cacert.pem) into the browser's trusted root store so that every certificate this CA issues is accepted. The result is shown in the figure.
3. View the details of the issued certificate.
4. Access the site by domain name: the certificate's Common Name is www.test.cn, so the browser only stops warning when the name in the address bar matches it. Add an entry to the local hosts file or set up a DNS server; the DNS server setup is omitted here.
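Steps 6 to 9 together with the deployment checks of sections (3) and (4), as an added example rather than code from the page: a throw-away CA in a temporary directory laid out like the [ CA_default ] / [ policy_match ] / [ usr_cert ] sections of /etc/pki/tls/openssl.cnf, a passphrase-protected server key and CSR, signing with openssl ca, and then the checks a practitioner runs before copying server.crt into /etc/httpd/conf.d: the leaf is CA:FALSE, it chains to cacert.pem, it is valid for www.test.cn but not for 172.16.0.9, the key httpd reads has had its passphrase removed and matches the certificate, and a request from a different organisation is refused by policy_match. The DN values, the name www.test.cn and the passphrase 123456 are the page's lab values; OtherCorp and the file names are invented for the example.

```shell
#!/usr/bin/env bash
# Added example (not the page's code): the CSR-and-sign round trip of steps 6-9
# against a throw-away CA, then the checks to run before server.crt and
# server.key go into /etc/httpd/conf.d. The DN, the name www.test.cn and the
# passphrase 123456 are the page's lab values; OtherCorp is invented.
set -eu
LAB="$(mktemp -d)"; trap 'rm -rf "$LAB"' EXIT
CA_SUBJ="/C=CN/ST=HB/O=IT/OU=IT/CN=test.cn"
SERVER_FQDN="www.test.cn"
KEY_PASS="123456"   # lab value only

write_ca_config() {   # trimmed copy of the openssl.cnf sections `openssl ca` reads
  cat > "$LAB/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $LAB
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
EOF
  mkdir -p "$LAB/newcerts"; : > "$LAB/index.txt"; echo 1000 > "$LAB/serial"
}
build_ca() {   # root key stays 0600; v3_ca (not usr_cert) gives the root its CA:TRUE
  write_ca_config
  (umask 077; openssl genrsa -out "$LAB/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$LAB/openssl.cnf" -extensions v3_ca \
    -key "$LAB/cakey.pem" -subj "$CA_SUBJ" -days 1095 -out "$LAB/cacert.pem"
}
make_csr() {   # $1 = subject DN, $2 = basename; key is passphrase-protected as in step 4
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$LAB/$2.key" 2048 2>/dev/null
  openssl req -new -config "$LAB/openssl.cnf" -key "$LAB/$2.key" \
    -passin "pass:$KEY_PASS" -subj "$1" -out "$LAB/$2.csr"
}
sign_csr() {   # $1 = csr, $2 = cert out; exit status is openssl ca's verdict
  openssl ca -batch -notext -config "$LAB/openssl.cnf" -in "$1" -out "$2" >/dev/null 2>&1
}
leaf_is_not_ca() { openssl x509 -in "$LAB/server.crt" -noout -text | grep -q 'CA:FALSE'; }
chain_verifies() { openssl verify -CAfile "$LAB/cacert.pem" "$LAB/server.crt" >/dev/null 2>&1; }
# What a browser that trusts cacert.pem still checks: the name typed in the URL
# must be in the certificate, so https://172.16.0.9 keeps warning.
name_matches() {
  openssl verify -CAfile "$LAB/cacert.pem" -verify_hostname "$1" "$LAB/server.crt" >/dev/null 2>&1
}
# httpd cannot type the passphrase at boot; give it an unencrypted 0600 copy.
strip_passphrase() {
  (umask 077; openssl rsa -in "$LAB/server.key" -passin "pass:$KEY_PASS" \
     -out "$LAB/server-httpd.key" 2>/dev/null)
  ! grep -q ENCRYPTED "$LAB/server-httpd.key"
}
cert_matches_key() {   # same RSA modulus in certificate and key
  [ "$(openssl x509 -in "$LAB/server.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$LAB/server-httpd.key" -noout -modulus 2>/dev/null)" ]
}
# policy_match: C, ST and O must equal the CA's own, which is why step 6 keeps
# the DN consistent with the CA. A request from another organisation is refused.
policy_rejects_other_org() {
  make_csr "/C=CN/ST=HB/O=OtherCorp/CN=$SERVER_FQDN" other
  ! sign_csr "$LAB/other.csr" "$LAB/other.crt"
}
main() {
  build_ca
  make_csr "/C=CN/ST=HB/O=IT/OU=IT/CN=$SERVER_FQDN" server
  sign_csr "$LAB/server.csr" "$LAB/server.crt"
  strip_passphrase
  leaf_is_not_ca              && echo "server.crt: CA:FALSE"
  chain_verifies              && echo "server.crt: verifies against cacert.pem"
  name_matches "$SERVER_FQDN" && echo "server.crt: valid for https://$SERVER_FQDN/"
  name_matches 172.16.0.9     || echo "server.crt: not valid for https://172.16.0.9/ (browser warns)"
  cert_matches_key            && echo "server-httpd.key: matches server.crt, no passphrase"
  policy_rejects_other_org    && echo "openssl ca: O=OtherCorp refused by policy_match"
}
main
```

openssl ca runs here with -batch and -notext, which is why it neither prompts nor writes the text dump that step 8 on the page produced; drop those two flags to see the interactive behaviour. The subjectAltName line in usr_cert is what makes the hostname check pass: modern browsers ignore the Common Name and look only at the SAN.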