基于Red-Hat-Enterprise-Linux-5-update-2-搭建SSL安全网站认证服务器CA

5星 · 超过95%的资源需积分: 10 132 浏览量 2011-07-06 09:55:09 上传评论收藏 509KB PDF 举报

### 基于Red Hat Enterprise Linux 5 Update 2 搭建SSL安全网站认证服务器（CA） #### 实验背景与目的随着互联网技术的发展，数据传输的安全性变得尤为重要。SSL（Secure Sockets Layer）证书作为保障网络安全通信的重要手段之一，在实际应用中扮演着关键角色。本文将详细介绍如何在Red Hat Enterprise Linux 5 Update 2操作系统上搭建一个SSL安全网站认证服务器（CA），并通过实验的方式演示整个过程。 #### 实验环境与工具 - **操作系统**: Red Hat Enterprise Linux 5 Update 2 - **主机配置**: - **CA服务器**: hostname为`ca.alin`, IP地址为`192.168.8.3` - **HTTPS网页服务器**: hostname为`server.alin`, IP地址为`192.168.8.5` - **客户端**: hostname为`client.alin`, IP地址为`192.168.8.5` #### 实验步骤详解 ##### 步骤1：安装所需软件在CA服务器(`ca.alin`)上执行以下命令来安装HTTP服务器和SSL模块: ```bash [root@localhost ~]# yum install -y httpd mod_ssl ``` ##### 步骤2：配置CA服务器 1. **创建必要的目录结构**: ```bash [root@localhost pki]# tree . |-- CA | `-- private |-- nssdb | |-- cert8.db | |-- key3.db | `-- secmod.db |-- rpm-gpg | |-- RPM-GPG-KEY-fedora | |-- RPM-GPG-KEY-fedora-test | |-- RPM-GPG-KEY-redhat-auxiliary | |-- RPM-GPG-KEY-redhat-beta | |-- RPM-GPG-KEY-redhat-former | |-- RPM-GPG-KEY-redhat-release | `-- RPM-GPG-KEY-redhat-rhx `-- tls |-- cert.pem -> certs/ca-bundle.crt |-- certs | |-- Makefile | |-- ca-bundle.crt | |-- localhost.crt | `-- make-dummy-cert |-- misc | |-- CA | |-- c_hash | |-- c_info | |-- c_issuer | `-- c_name |-- openssl.cnf `-- private `-- localhost.key ``` 2. **使用脚本建立密钥对并自签证书**: ```bash [root@localhost misc]# ./CA-newca mkdir: cannot create directory `../../CA': File exists mkdir: cannot create directory `../../CA/private': File exists CA certificate filename (or enter to create) Making CA certificate Generating a 1024 bit RSA private key ++++++ ++++++ writing new private key to '../../CA/private/./cakey.pem' Enter PEM passphrase: Verifying - Enter PEM passphrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ``` 3. **填写证书请求中的信息**: - **Country Name (2 letter code)**: 国家代码（如CN） - **State or Province Name (full name)**: 省份或州名 - **Locality Name (eg, city)**: 城市名 - **Organization Name (eg, company)**: 组织名称 - **Organizational Unit Name (eg, section)**: 部门名称 - **Common Name (e.g. server FQDN or YOUR name)**: 通用名称（如服务器的FQDN或您的名字） - **Email Address**: 电子邮件地址 4. **创建证书签名请求（CSR）**: ```bash [root@localhost misc]# ./CA-newreq ``` 5. **签署证书请求**: ```bash [root@localhost misc]# ./CA-sign ``` 6. **验证证书**: ```bash [root@localhost misc]# ./CA-verify ``` ##### 步骤3：配置HTTPS网页服务器 1. **安装所需的软件**: ```bash [root@localhost ~]# yum install -y httpd mod_ssl ``` 2. **配置SSL证书**: - 将CA服务器上生成的证书文件复制到HTTPS网页服务器上。 - 修改`/etc/httpd/conf.d/ssl.conf`文件，设置相应的SSL证书路径。 3. **启动服务**: ```bash [root@localhost ~]# service httpd start ``` 4. **检查服务状态**: ```bash [root@localhost ~]# service httpd status ``` 5. **设置开机自动启动**: ```bash [root@localhost ~]# chkconfig httpd on ``` ##### 步骤4：客户端访问测试 1. **配置客户端的host文件**: ```plaintext 127.0.0.1 localhost.localdomain localhost 192.168.8.3 ca.alin 192.168.8.4 server.alin ``` 2. **通过浏览器访问HTTPS网页服务器**: - 在客户端打开浏览器，输入HTTPS网页服务器的地址（例如`https://server.alin`）。 - 浏览器可能会提示证书不受信任，这是因为当前的CA证书不是由公共的信任机构签发的。可以将自签名证书添加到浏览器的信任列表中。 #### 结论通过上述步骤，我们成功地在Red Hat Enterprise Linux 5 Update 2上搭建了一个SSL安全网站认证服务器，并且配置了一个HTTPS网页服务器。此过程不仅加深了我们对于SSL证书和CA的理解，还帮助我们在实际场景中实现安全的网络通信。此外，这种基于脚本的自动化方式极大地简化了整个部署流程，提高了效率。

资源推荐

资源详情

资源评论

基于 Red Hat Enterprise Linux 5 update 2 搭建 SSL 安全网站认证服务器(CA)以

及 SSL 安全网站实验笔记

(全工具有疑问不保险无理论内部最新版)

撰写者信息：

Alin Fang (Fang Yunlin)

MSN: [email protected]

G Talk: [email protected]

Blog: http://www.alinblog.cn/

修改日期：

10 Nov, 2008

第 1 次修改

版权：

GNU

声明：

本人实验笔记，非权威文档。如有错误请告知。十分感谢！

特别说明：

本实验全部采用 RHEL5 所带相关 rpm 包的脚本进行操作。openssl 相关操作均由脚本完成，无

须手工干预。

实验环境：

OS: Red Hat Enterprise Linux 5 update 2

hostname: ca.alin

ip: 192.168.8.3

作为 HTTPS 安全认证服务器

hostname: server.alin

ip: 192.168.8.4

usage: CA -newcert|-newreq|-newca|-sign|-verify

[root@localhost misc]# ./CA -newca

mkdir: cannot create directory `../../CA': File exists

mkdir: cannot create directory `../../CA/private': File exists

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 1024 bit RSA private key

..............................++++++

...++++++

writing new private key to '../../CA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:BJ

Locality Name (eg, city) [Newbury]:BJ

Organization Name (eg, company) [My Company Ltd]:Red Hat

Organizational Unit Name (eg, section) []:GSS

Common Name (eg, your name or your server's hostname) []:ca.alin

Email Address []:cs[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ../../CA/private/./cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Nov 9 21:24:00 2008 GMT

Not After : Nov 9 21:24:00 2011 GMT

Subject:

countryName = CN

stateOrProvinceName = BJ

organizationName = Red Hat

organizationalUnitName = GSS

commonName = ca.alin

emailAddress = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

X509v3 Authority Key Identifier:

keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

Certificate is to be certified until Nov 9 21:24:00 2011 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

[root@localhost misc]#

大家可以看到，/etc/pki/CA 文件夹下多了一些东西。

[root@localhost misc]# tree /etc/pki/

/etc/pki/

|-- CA

| |-- cacert.pem

剩余14页未读，继续阅读

评论收藏

内容反馈

mingheren

2013-09-04

不错，有参考价值
商轶

2013-02-19

不错的东西

iXiaXianBing

粉丝: 7

基于Red-Hat-Enterprise-Linux-5-update-2-搭建SSL安全网站认证服务器CA

SSL安全web搭建

linux下搭建CA认证服务器并认证服务.docx

linux下搭建CA认证服务器并认证服务.doc

搭建CA服务器SSL实现网站数据加密传输

搭建网站服务器

Red-Hat-Enterprise-Linux-7-Kernel-Administration-Guide-en-US

Red-Hat-Enterprise-Linux-5-Administration-Unleashed.pdf

Red-Hat-Enterprise-Linux-5-安装文件服务器(samba服务).doc

Red-Hat-Enterprise-Linux-7-Storage-Administration-Guide-en-US

Red-Hat-Enterprise-Linux-6-Enterprise-Identity-Management-Guide

网络安全课程设计（CA证书服务器的建立与使用）

CA证书，web搭建

linux 网站搭建

Linux网站网页搭建

Linux+SSL安装与配置

Red Hat Enterprise Linux 4 (版本介绍及安装)

定制基于kickstart的Red-Hat-Enterprise-Linux自动安装光盘/定制linuxISO文件

Red_Hat_Enterprise_Linux-5-Installation_Guide-en-US.pdf

Red-Hat-Enterprise-Linux-6-Security-Enhanced-Linux-en-US

Red-Hat-Enterprise-Linux-5-5.6-Release-Notes-en-US.pdf

Red-Hat-Enterprise-Linux-6-Release-Notes-en-US

Red-Hat-Enterprise-Linux系统管理ppt课件汇总(完整版).ppt

Red-Hat-Enterprise-Linux-7-Package-Manifest-en-US

Red-Hat-Enterprise-Linux-6-Deployment-Guide-en-US

Red-Hat-Enterprise-Linux-6-DM-Multipath-zh-CN

Red-Hat-Enterprise-Linux-6-Release-Notes-zh-CN

Red-Hat-Enterprise-Linux-7-Anaconda-Customization-Guide-en-US

Red_Hat_Enterprise_Linux-7-Networking_Guide-zh-CN.rar

Red-Hat-Enterprise-Linux-7-RPM-Packaging-Guide-en-US

Red-Hat-Enterprise-Linux-7-Using-Containerized-Identity-Manageme

203.移除链表元素

《ZB 2003：形式化规范与开发》深度解读

最新资源