1.centos7 CA基础配置

#修改主机名
[root@c7-ca-200 ~]# hostnamectl set-hostname c7-ca-200

#修改固定IP
[root@c7-ca-200 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE="Ethernet"
BOOTPROTO="none"
IPADDR=172.29.7.200
PREFIX=24
GATEWAY=172.29.7.254
DNS1=114.114.114.114
NAME="ens33"
DEVICE="ens33"
ONBOOT="yes"

#重启网卡
[root@c7-ca-200 ~]# nmcli connection reload ;nmcli connection up ens33 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

#修改selinux为警告状态
[root@c7-ca-200 ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#Disabled :不启用控制系统。
#permissive:开启控制系统,但是处于警告模式。即使你违反了策略的话它让你继续操作,但是把你的违反的内容记录下来。
#Enforcing:开启控制系统,处于强制状态。一旦违反了策略,就无法继续操作下去。
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

#动态修改selinux为警告状态
[root@c7-ca-200 ~]# setenforce 0

#永久停止防火墙(实验环境下为方便测试;生产环境建议保留防火墙,仅放行 443 端口)
[root@c7-ca-200 ~]# systemctl disable --now firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

#修改时区
[root@c7-ca-200 ~]# timedatectl set-timezone Asia/Shanghai

#时间同步
[root@c7-ca-200 ~]# cat /etc/chrony.conf 
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#修改为阿里云时间服务器
server ntp1.aliyun.com iburst
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst

....

#重启、开机自启、查看是否生效
[root@c7-ca-200 ~]# systemctl restart chronyd
[root@c7-ca-200 ~]# systemctl enable --now chronyd
[root@c7-ca-200 ~]# chronyc -n sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^? 173.255.248.194               0   7     0     -     +0ns[   +0ns] +/-    0ns


2.CA服务器搭建

#创建CA环境
[root@c7-ca-200 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}

#生成CA私钥(注意:下面的 2058 不是常用的密钥长度,通常与后面 web 节点一样使用 2048 位)
[root@c7-ca-200 ~]# cd /etc/pki/CA/
[root@c7-ca-200 CA]# openssl genrsa -out private/cakey.pem 2058
Generating RSA private key, 2058 bit long modulus
............+++
......................................................+++
e is 65537 (0x10001)

#通过私钥生成根证书
[root@c7-ca-200 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn            #国家
State or Province Name (full name) []:bj        #省
Locality Name (eg, city) [Default City]:bj      #城市
Organization Name (eg, company) [Default Company Ltd]:jiutingqiu    #公司
Organizational Unit Name (eg, section) []:web       #部门
Common Name (eg, your name or your server's hostname) []:jiutingqiu.com        #域名
Email Address []:       #邮箱

#创建索引文件
[root@c7-ca-200 CA]# touch /etc/pki/CA/index.txt

#创建序号文件
[root@c7-ca-200 CA]# echo 0F > /etc/pki/CA/serial

3.web节点生成证书申请文件

[root@c7-nginx-master-31 ~]# mkdir /data

#生成私钥
[root@c7-nginx-master-31 ~]# openssl genrsa -out /data/www.jiutingqiu.com.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
............................................+++
e is 65537 (0x10001)

#生成证书申请文件
[root@c7-nginx-master-31 ~]# openssl req -new -key /data/www.jiutingqiu.com.key -out /data/www.jiutingqiu.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:jiutingqiu
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.jiutingqiu.com
Email Address []:

#挑战密码(challenge password)是证书申请文件的附加属性,并不是对私钥加密,一般不需要填写
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#传给服务端签发
[root@c7-nginx-master-31 ~]# scp /data/www.jiutingqiu.com.csr root@172.29.7.200:/tmp/

4.CA服务器签发证书

#签发证书
[root@c7-ca-200 CA]# openssl ca -in /tmp/www.jiutingqiu.com.csr -out /etc/pki/CA/certs/www.jiutingqiu.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Feb 13 02:34:38 2024 GMT
            Not After : Feb 12 02:34:38 2025 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = bj
            organizationName          = jiutingqiu
            organizationalUnitName    = web
            commonName                = www.jiutingqiu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                66:45:FC:B6:C2:24:31:68:38:F6:BF:16:59:13:D5:54:CD:F5:E8:0E
            X509v3 Authority Key Identifier: 
                keyid:A7:6C:2F:FE:08:A8:6D:CB:59:2D:EA:28:38:14:E0:07:35:39:60:54

Certificate is to be certified until Feb 12 02:34:38 2025 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#合并CA证书
#合并CA和服务器证书成一个文件,注意服务器证书必须在前,ca证书在后,否则会出错
[root@c7-ca-200 CA]# cat certs/www.jiutingqiu.com.crt cacert.pem > www.jiutingqiu.com.pem

[root@c7-ca-200 CA]# scp www.jiutingqiu.com.pem root@172.29.7.31:/data

5.web节点使用证书

#目前的文件
[root@c7-nginx-master-31 ~]# ls /data/
www.jiutingqiu.com.csr  www.jiutingqiu.com.key  www.jiutingqiu.com.pem

#这里使用nginx
[root@c7-nginx-master-31 ~]# tail -n 20 /apps/nginx/conf/nginx.conf
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /data/www.jiutingqiu.com.pem;
        ssl_certificate_key  /data/www.jiutingqiu.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

}

6.浏览器测试

windows 10 hosts文件路径 C:\Windows\System32\drivers\etc\hosts

#添加一行
172.29.7.31 www.jiutingqiu.com

