如何搭建一个企业CA证书服务器?
定义系统环境:centos7.4
ca.com 192.168.80.181 openssl*
mail.com 192.168.80.182 dovecot*
client.com 192.168.80.183 mutt*
修改三台主机名:
①hostnamectl set-hostname xx.com
exit 登出
重新连接
②vi /etc/hosts (根据实际情况修改)
192.168.80.181 ca.com
192.168.80.182 mail.com
192.168.80.183 client.com
----以下在CA服务器端配置---IP:192.168.80.181
systemctl stop firewalld && setenforce 0 //关闭防火墙及selinux
确认安装了openssl软件
rpm -qa | grep openssl
vi /etc/pki/tls/openssl.cnf openssl服务的配置文件
[ CA_default ] 帮别的服务器颁发的值dir = /etc/pki/CA 工作目录 # Where everything is kept(保存)
certs = $dir/certs 颁发了的证书 # Where the issued(发行者)certs are kept
crl_dir = $dir/crl 吊销了的证书 # Where the issued crl are kept
database = $dir/index.txt 索引文件 # database index file.
new_certs_dir = $dir/newcerts 新证书 # default place for new certs.certificate = $dir/cacert.pem 根证书 # The CA certificate
serial = $dir/serial 序列号 # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number filex509_extensions = usr_cert # The extentions to add to the cert
---修改以下配置----
[ req_distinguished_name ] //L128countryName //国家名 = Country Name (2 letter code)
countryName_default //默认那个国家 = CNstateOrProvinceName //详细地址 = State or Province Name (full name)
stateOrProvinceName_default = AnHuilocalityName = Locality Name (eg, city)
localityName_default = HeFeicommonName = Czm Certificate Authority
commonName_max = 64emailAddress = [email protected]
emailAddress_max = 64
(保存退出)
cd /etc/pki/CA/
(定义证书版本)
echo 01 > serial //证书文件
touch index.txt //新建一个索引文件 放在网上供别人下载
openssl genrsa -out private/cakey.pem -des3 2048 //生成私钥必须输入密码
openssl req -new -x509 -key private/cakey.pem -days 365 > cacert.pem //生成根证书需要输以上密码 确认信息
yum install httpd //通过WWW服务器共享出去
vi /etc/httpd/conf/httpd.conf
cp /etc/pki/CA/cacert.pem /var/www/html/ //把根证书发布出去
cd /var/www/html/
mv cacert.pem ROOTCA.pem
systemctl start httpd
------以下在邮件服务器上配置----------IP:192.168.80.182
openssl genrsa -out imaps-ser.key 1024 //生成私钥文件
openssl req -new -key imaps-ser.key -out imaps-svr.csr //生成签名请求文件要和CA相同
scp imaps-svr.csr [email protected]:/root/ //把签名请求文件传送给CA服务器
--------以下在CA上操作---------
openssl req -in imaps-svr.csr -noout -text //以text文本方式查看一imaps-svr.csr的内容
openssl ca -in imaps-svr.csr -out imaps-svr.crt //为客户端生成证书,全部回答Y
scp imaps-svr.crt [email protected]:/root //把证书传送给客户端
-------以下在邮件服务器上操作------
yum install dovecot -y
vi /etc/dovecot/dovecot.conf
//L24
//L30
ssl = yes //最后一行,新增
cp imaps-svr.crt /etc/ssl/certs/dovecot.pem //把数字证书放到指定位置
mkdir /etc/ssl/private
cp imaps-ser.key /etc/ssl/private/dovecot.pem //把私钥放到指定位置service dovecot restart
netstat -anpt | grep dovecot //993 和 995 在监听
-----------以下在用户侧进行测试---------IP:192.168.80.183
yum install mutt
mkdir .mutt
cd .mutt
vi muttrc
set folder=imaps://mail.com
set spoolfile=imaps://mail.com
set certificate_file=/root/.mutt/testca.CRT
-------以下在邮件服务器上操作------
yum install httpd -y
yum install mod_ssl -y
cp /etc/ssl/certs/dovecot.pem /etc/httpd/conf.d/server.key
cp /etc/ssl/private/dovecot.pem /etc/httpd/conf.d/server.crt
vi /etc/httpd/conf.d/ssl.conf
启动httpd服务
在浏览器测试:https://192.168.80.182
