Concrete lab steps for issuing certificates with a CA
The CA configuration file is /etc/pki/tls/openssl.cnf.
Server side
1. Enter /etc/pki/CA and create the index.txt, serial and crlnumber files
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# touch index.txt
[root@centos6 CA]# touch serial
[root@centos6 CA]# touch crlnumber
[root@centos6 CA]# echo 01 > serial
[root@centos6 CA]# echo 01 > crlnumber
2. Create the private key file
[root@centos6 CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096 )
Generating RSA private key, 4096 bit long modulus
..................................................++
.....................................................................................................................................................................................++
e is 65537 (0x10001)
# The parentheses open a subshell, so umask 077 applies only inside it and the key file is created with mode 0600
# openssl genrsa -out <file> 4096 generates a 4096-bit RSA private key
[root@centos6 CA]# tree # directory layout of the CA
.
├── cacert.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 5 files
3. Issue the CA's self-signed certificate
[root@centos6 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:bta
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:bta.com
Email Address []:[email protected]
Client side
The client works under /etc/pki/tls/
1. Enter /etc/pki/tls and create the private key file
[root@go ~]$cd /etc/pki/tls/
[root@go tls]$(umask 077; openssl genrsa -out /etc/pki/tls/private/TianRandai.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
..+++
e is 65537 (0x10001)
[root@go tls]$tree private/ # the key file TianRandai.key has been created
private/
└── TianRandai.key
0 directories, 1 file
2. Create the certificate signing request (CSR)
[root@go tls]$openssl req -new -key private/TianRandai.key -out TianRandai.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:bta
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:www.bta.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Country, state/province and organization must match the CA certificate: the default policy_match section in openssl.cnf rejects the request otherwise
3. Copy the request to the server
[root@go tls]$scp TianRandai.csr 172.18.17.21:/etc/pki/CA
[email protected]'s password:
TianRandai.csr 100% 1041 1.0KB/s 00:00
Server side
1. Look at the client's file
[root@centos6 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
├── serial
└── TianRandai.csr
# The client's request file has been copied over.
4 directories, 6 files
2. Issue the certificate from the client's request
[root@centos6 CA]# openssl ca -in TianRandai.csr -out TianRandai.crt -days 365
# -days sets the certificate's validity period in days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 21 01:57:04 2017 GMT
Not After : Feb 21 01:57:04 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = bta
organizationalUnitName = yunwei
commonName = www.bta.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:2E:03:82:0A:2C:95:11:7E:0F:71:DC:41:B8:B6:F8:F3:32:3B:1F
X509v3 Authority Key Identifier:
keyid:98:9B:95:79:0B:0A:25:93:17:06:D1:02:92:1A:EF:A0:6F:6B:95:D8
Certificate is to be certified until Feb 21 01:57:04 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3. Copied it to Windows and opened it, but there was a problem
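The whole workflow above, replayed non-interactively in a scratch directory and followed by the verification step the page leaves out (does the issued certificate chain to cacert.pem, and does openssl ca really refuse a request whose organization differs from the CA's). This is an added example, not the page's own session; the inline ca.cnf is an assumed minimal stand-in for /etc/pki/tls/openssl.cnf with the same policy_match rules.

```shell
#!/bin/sh
# Scratch replay of the CA workflow: build a CA, issue a cert from a CSR, verify the chain.
set -e
setup_ca() {                     # $1 = scratch directory standing in for /etc/pki/CA
    mkdir -p "$1/private" "$1/newcerts"
    touch "$1/index.txt"; echo 01 > "$1/serial"
    # Minimal stand-in for /etc/pki/tls/openssl.cnf (assumption: same policy_match rules)
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Same two commands as the page, made non-interactive with -subj
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/private/cakey.pem" \
        -out "$1/cacert.pem" -days 3650 -subj "/C=CN/ST=beijing/O=bta/OU=yunwei/CN=bta.com"
}
issue_cert() {                   # $1 = CA dir, $2 = commonName, $3 = organizationName
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=CN/ST=beijing/O=$3/OU=yunwei/CN=$2"
    # Exits non-zero when C/ST/O differ from the CA certificate: that is the policy_match rule
    openssl ca -batch -notext -config "$1/ca.cnf" -days 365 -in "$1/$2.csr" -out "$1/$2.crt"
}
verify_cert() {                  # $1 = CA dir, $2 = commonName; exit 0 only if the chain checks out
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt"
}
```

Run it as `D=$(mktemp -d); setup_ca "$D"; issue_cert "$D" www.bta.com bta; verify_cert "$D" www.bta.com`; a second request with a different O (for example `issue_cert "$D" other.example otherorg`) is refused by openssl ca.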