关键词:
很多时候,我们希望在使用互联网的时候,我们的通信是受到保护的,而在互联网上活动时使用最多的莫过于使用网站了,所以我们就需要考虑如何加密使用网站的过程中所传送的消息,htts加密协议的出现解决了我们的困扰,而htts协议是基于证书的方式实现的,那如何用证书来保护我们在网站上所传送的消息了,要想使用证书,要么向互联上的专业证书机构去申请证书,要么自己搭建证书服务器(CA)来给自己的网络设备颁发证书,以保证相互之间的通信是通过加密协议传输的。当然如果去向专业的证书机构申请证书是需要花费较大代价的,所以很多企业想使用证书加密通信,但又不想花太大的代价去申请证书,所以就在自己公司的服务器上的搭建属于自己的证书管理服务器(CA),所以做为一名运维人员,就很有必要来探讨一下这个话题了。
一、CA的搭建和管理的相关知识
openssl的配置文件:/etc/pki/tls/openssl.cnf
(1) 创建所需要的文件
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
(2) CA自签证书
生成私钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
生成自签名证书
openssl req -new -x509 –key /etc/pki/CA/private/cakey.pem -days 7300
-out /etc/pki/CA/cacert.pem
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
(3) 颁发证书
(a) 在需要使用证书的主机生成证书请求;
给web服务器生成私钥
(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
生成证书申请文件
openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
(b) 将证书请求文件传输给CA
(c) CA签署证书,并将证书颁发给请求者;
openssl ca -in /tmp/httpd.csr –out /etc/pki/CA/certs/httpd.crt -days 365
注意:默认国家,省 ,公司名称必须和CA一致
(d) 查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|subject|serial|dates
(4) 吊销证书
(a) 在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
(b) 在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致
吊销证书:openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
(c) 生成吊销证书的编号(第一次吊销一个证书时才需要执行)
echo 01 > /etc/pki/CA/crlnumber
(d) 更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
查看crl文件:
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
二、搭建CA
1、CA环境展示:
[[email protected] ~]# hostname
Centos630G
[[email protected] ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:e1:ee:04 brd ff:ff:ff:ff:ff:ff
inet 10.1.42.61/16 brd 10.1.255.255 scope global eth0
inet6 fe80::20c:29ff:fee1:ee04/64 scope link
valid_lft forever preferred_lft forever
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[[email protected] CA]#
2、创建CA需要的文件:
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 9 10:56 certs
drwxr-xr-x. 2 root root 4096 May 9 10:56 crl
-rw-r--r--. 1 root root 0 Sep 22 12:27 index.txt
drwxr-xr-x. 2 root root 4096 May 9 10:56 newcerts
drwx------. 2 root root 4096 May 9 10:56 private
-rw-r--r--. 1 root root 3 Sep 22 12:27 serial
[[email protected] CA]#
3、给CA创建私钥:
[[email protected] CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
.............+++
e is 65537 (0x10001)
[[email protected] CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[[email protected] CA]#
4、给CA生成自签名证书:
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:companyA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server‘s hostname) []:centos630g
Email Address []:[email protected]
[[email protected] CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[[email protected] CA]#
三、使用CA给客户颁发证书
1、申请证书的客户机环境展示:
[[email protected] ~]# hostname
centos730g
[[email protected] ~]# ip addr show eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:4c:4a:32 brd ff:ff:ff:ff:ff:ff
inet 10.1.42.71/16 brd 10.1.255.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4c:4a32/64 scope link
valid_lft forever preferred_lft forever
[[email protected] ~]#
2、给客户机生成私钥:
[[email protected] ~]# (umask 066;openssl genrsa -out centos730g.prikey 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
.............................................................................+++
e is 65537 (0x10001)
[[email protected] ~]# ls
centos730g.prikey
[[email protected] ~]#
3、给客户机生成证书申请文件:
[[email protected] ~]# openssl req -new -key centos730g.prikey -days 365 -out centos730g.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:companyA
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server‘s hostname) []:centos730g
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ~]# ls
centos730g.csr centos730g.prikey
[[email protected] ~]#
4、在客户机上将证书申请文件传输到CA上:
[[email protected] ~]# scp centos730g.csr 10.1.42.61:/etc/pki/CA/crl
The authenticity of host ‘10.1.42.61 (10.1.42.61)‘ can‘t be established.
RSA key fingerprint is 91:e8:0f:0d:56:3c:38:b4:bf:b0:dd:b5:ee:0c:cb:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.1.42.61‘ (RSA) to the list of known hosts.
[email protected]‘s password:
centos730g.csr 100% 1050 1.0KB/s 00:00
[[email protected] ~]#
5、在CA上给申请签证的客户签署证书:
[[email protected] CA]# ls crl
centos730g.csr
[[email protected] CA]# openssl ca -in crl/centos730g.csr -out certs/centos730g.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 22 17:15:37 2016 GMT
Not After : Sep 22 17:15:37 2017 GMT
Subject:
countryName = cn
stateOrProvinceName = beijing
organizationName = companyA
organizationalUnitName = web
commonName = centos730g
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
X509v3 Authority Key Identifier:
keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12
Certificate is to be certified until Sep 22 17:15:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# ls certs
centos730g.crt
[[email protected] CA]#
6、在CA上将签署好的证书传输给申请的客户:
[[email protected] CA]# scp certs/centos730g.crt 10.1.42.71:/rootThe authenticity of host ‘10.1.42.71 (10.1.42.71)‘ can‘t be established.
RSA key fingerprint is f2:c8:a3:77:da:65:42:3a:bf:53:24:e2:0b:0f:23:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.1.42.71‘ (RSA) to the list of known hosts.
[email protected]‘s password:
centos730g.crt 100% 4596 4.5KB/s 00:00
[[email protected] CA]#
7、客户收到颁发的证书之后,就可以配置相应的网络服务开始使用了
[[email protected] ~]# ll
total 16
-rw-r--r--. 1 root root 4596 Sep 22 17:17 centos730g.crt
-rw-r--r--. 1 root root 1050 Sep 22 17:10 centos730g.csr
-rw-------. 1 root root 1675 Sep 22 16:41 centos730g.prikey
[[email protected] ~]#
查看颁发的证书
[[email protected] ~]# openssl x509 -in centos730g.crt -noout -te
xt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=beijing, L=haidian, O=companyA, OU=IT, CN=centos630g/[email protected]
Validity
Not Before: Sep 22 17:15:37 2016 GMT
Not After : Sep 22 17:15:37 2017 GMT
Subject: C=cn, ST=beijing, O=companyA, OU=web, CN=centos730g/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ca:a2:3c:e5:04:7a:5c:88:fd:2a:64:5d:41:18:
95:4f:4e:b4:ae:06:07:5b:e0:ac:d1:74:99:f4:3d:
2a:0a:35:4c:90:49:cf:51:84:69:44:de:e2:c1:9b:
9f:8d:29:9c:b7:5a:c2:b0:fd:a6:29:84:91:73:7f:
1a:f9:ba:00:f0:8f:2d:28:18:a5:bd:24:8b:cc:a0:
31:45:d8:c7:fe:51:da:5f:f5:27:39:02:fb:7e:07:
b7:6c:63:0f:b1:ec:7c:f5:57:c7:8c:1a:9f:23:04:
e0:2e:d6:c6:3a:ad:b3:5c:42:13:54:62:a1:83:ed:
d2:61:48:eb:98:06:a5:32:d3:b2:5b:00:05:0a:6b:
fb:97:90:1f:10:d9:8c:e6:00:af:c2:72:cc:ba:08:
fd:98:87:99:80:ec:40:41:a2:a6:df:ae:1b:29:bc:
22:25:f0:3f:59:6a:10:31:65:c8:44:7a:2b:2f:0b:
00:ce:d7:a6:3c:ab:83:47:10:20:75:76:46:51:9d:
ca:a8:65:b0:7f:28:d9:4c:24:90:47:4f:40:6c:ba:
b5:cf:cd:bb:a3:07:f3:35:f0:08:cc:61:52:90:ea:
57:c2:3b:9f:cc:c1:b0:4a:e5:8b:21:8c:c8:74:b2:
da:8d:aa:94:de:d3:bb:c3:9e:10:6c:d9:93:7a:b9:
5b:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
X509v3 Authority Key Identifier:
keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12
Signature Algorithm: sha1WithRSAEncryption
10:23:27:f2:3c:ad:3c:ca:6a:d3:ae:db:1d:fb:51:95:2f:91:
ef:ba:f4:b3:b2:91:dc:0a:e0:7a:3f:45:e5:97:16:24:a0:52:
a4:3e:51:d1:86:c1:d0:de:d7:3c:7f:62:3c:f1:9e:88:93:03:
15:c4:38:29:ba:cc:ba:0c:78:d0:7e:76:e5:dd:70:a4:6e:17:
e7:19:ae:47:f3:39:32:d7:97:67:73:bb:bb:4a:28:ed:a1:f5:
ec:d6:46:4d:8c:80:27:e2:48:f7:1b:54:58:1e:cc:cb:52:0b:
91:24:b5:04:28:5c:70:1f:22:aa:3b:7f:4b:7d:f3:8a:f8:35:
07:38:47:68:8c:57:b8:77:64:7a:bd:95:d5:5e:c8:82:32:a8:
5b:ac:2b:c2:72:fa:08:ea:ee:30:1b:a9:39:eb:77:6e:65:32:
90:ee:11:cc:38:05:84:a2:ed:14:d8:cc:73:ac:01:8c:8d:ae:
27:38:c3:de:cd:75:4d:d3:09:9d:6e:b8:c3:e6:b1:c5:79:12:
46:da:f4:c8:fe:97:1c:4b:66:c6:98:d6:b9:7c:fe:4a:a1:30:
97:32:2e:01:cf:3c:eb:b8:bd:e1:da:6f:bc:98:8c:b8:99:b6:
dc:42:51:b7:d1:ad:92:ff:95:91:ab:0f:3d:1e:db:e4:9e:1d:
b0:b0:99:04
[[email protected] ~]#
四、CA上吊销证书
1、在申请吊销证书的客户机上查看需要吊销的证书的serial以及subject信息,并提交给CA
[[email protected] ~]# openssl x509 -in centos730g.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[[email protected] ~]#
2、在CA上根据客户提交的serial以及subject信息,比对服务器上index.txt文件中的信息一致后,执行吊销证书操作
[[email protected] CA]# openssl x509 -in certs/centos730g.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[[email protected] CA]# cat index.txt
V 170922171537Z 01 unknown /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[[email protected] CA]#
3、信息确认一致,正式执行吊销操作
[[email protected] CA]# tree
.
├── cacert.pem
├── certs
│ └── centos730g.crt
├── crl
│ └── centos730g.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[[email protected] CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[[email protected] CA]# tree
.
├── cacert.pem
├── certs
│ └── centos730g.crt
├── crl
│ └── centos730g.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 11 files
[[email protected] CA]#
此时多出了一个新文件:index.txt.attr.old
4、生成吊销证书的编号(第一次吊销证书时才需要执行本操作)
[[email protected] CA]# echo 01 > crlnumber
[[email protected] CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
[[email protected] CA]# tree
.
├── cacert.pem
├── certs
│ └── centos730g.crt
├── crl
│ ├── ca.crl
│ └── centos730g.csr
├── crlnumber
├── crlnumber.old
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
[[email protected] CA]#
第一次吊销操作完成后会在CA上多出4个新文件
index.txt.attr.old
ca.crl
crlnumber.old
index.txt.attr.old
查看证书吊销列表文件
[[email protected] CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=centos630g/[email protected]
Last Update: Sep 22 17:44:35 2016 GMT
Next Update: Oct 22 17:44:35 2016 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Sep 22 17:29:54 2016 GMT
Signature Algorithm: sha1WithRSAEncryption
11:5a:02:a8:9f:a0:9c:85:c0:cd:e8:65:06:98:90:f0:31:83:
cc:c6:f5:7d:4b:4b:d7:1a:57:63:c5:ac:ac:51:d4:46:d8:80:
f7:0c:94:42:5f:24:f1:87:97:f6:05:23:de:b4:3e:3b:3f:4f:
d2:55:ef:13:c0:78:80:d1:eb:fa:47:eb:1c:58:cb:d4:f2:9b:
bd:eb:88:2a:d5:be:05:ee:26:f8:ba:ba:cf:a3:7f:8c:73:db:
84:a3:de:74:9c:4d:eb:64:69:be:78:d1:ec:f9:82:10:46:72:
5f:5a:e3:99:c4:f9:1c:36:18:f4:b7:5e:f4:72:6b:20:b0:98:
7a:3c:c1:a4:e6:c3:d5:af:3f:68:44:7b:ae:34:69:0e:49:fd:
fc:1f:70:9c:f6:b9:d4:a2:c1:25:d8:d1:e1:75:82:53:c4:63:
c2:ce:1a:47:81:4a:73:18:81:35:ba:24:95:ff:8e:b3:61:6f:
ce:ae:49:2f:73:d4:14:e3:5a:04:a6:c4:15:71:3b:e2:4c:fa:
7f:05:42:1a:41:02:98:cb:82:70:ee:de:b2:5f:90:a9:cb:18:
93:28:dd:ff:62:e1:90:7e:88:cd:19:41:40:5f:17:47:65:2f:
ab:95:0f:27:8f:95:44:05:b7:d9:90:3e:e3:8c:ff:e9:d0:55:
49:05:97:a9
[[email protected] CA]#
掌握了上述这些操作的同时,搭建及管理私有CA是没什么问题了,所以大家可以自行实践,有什么问题,欢迎留言指正。
本文出自 “爱情防火墙” 博客,请务必保留此出处http://183530300.blog.51cto.com/894387/1856773
自己搭建ca颁发证书做https加密网站
如果网站是针对内网的访问的,自己搭建CA服务器颁发证书就可以,如果是针对互联网来访问的,还是买ssl证书比较好,今天就来介绍一下自己搭建CA服务器颁发证书做加密网站。192.168.10.187CA服务器192.168.10.190web服务器(1)搭建C... 查看详情
如何申请https证书,搭建https网站
1、部署HTTPS证书,首先确保自己网站使用的是独立服务器或云服务器。2、淘宝搜索Gworg获取证书,并且按照机构要求验证。3、拿到信任证书后,让机构检测服务器环境或者说明,然后拿到环境安装教程安装。4、当然在搭建之前... 查看详情
安全-攻防-学习!
...钥加密和数字签名服务的系统或平台,目的是为了密钥和证书。PKI主要包括四个部分:X.509格式的证书(X.509V3)和证书废止列表CRL(X.509V2);CA操作协议;CA管理协议;CA政策制定。权威认证机构(CA),数字证书库,密钥备份及恢复... 查看详情
搭建ca颁发证书做https加密网站
92.168.10.187CA服务器192.168.10.190web服务器(1)搭建CAcd/etc/pki/CA在这个目录下创建serial和index.txt两个文件echo00>serial(00是颁发证书最初的版本号)touchindex.txt(umask006;opensslgenrsa-outprivate/cakey.pem4096)生成私钥opensslreq-new-x 查看详情
如何申请https证书,搭建https网站
...,一个是公钥就是这个CSR文件,另外一个是私钥,存放在服务器上。要制作CSR文件,申请人可以参考WEBSERVER的文档,一般APACHE等,使用OPENssl命令行来生成KEY+CSR2个文件,Tomcat,JBoss,Resin等使用KEYTOOL来生成JKS和CSR文件,IIS通过向... 查看详情
建立私有ca
建立私有CA CA:CerieificateAuthority证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能... 查看详情
搭建ca认证中心
...sp; CA英文全称CertificationAuthority,即数字证书认机构。A是负责发放和管理数字证书的权威机构,并作为用户数字认证中受信任的第三方,承担公钥体系(PKI)中公钥的合法性检验的责任,在互联网上,实现用户... 查看详情
ca证书是啥?
参考技术ACA也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证CA的签字从而信任CA,任何人都可以得到CA的证书(含公钥),用以验证它所签发的证书。数字证书为实现双方安全通信提供了电子认证。在因特网、公司... 查看详情
使用openssl实现ca证书的搭建过程
...公司信息,序列号,签名信息等等组成)来加强客户端与服务器端访问信息的安全性,同时提供证书的发放等相关工作。国内的大部分互联网公司都在国际CA机构申请了CA证书,并且在用户进行访问的时候,对用户的信息加密,... 查看详情
https搭建(自签名证书)(代码片段)
...所以一切从简,我们使用openssl工具生自签名的CA证书以及服务器证书,来搭建https。具体步骤如下:(1)安装apache2、openssl(ubuntu16.04)安装过程此处不做赘述,很简单。Apache2安装完成并启动后,通过http://ipaddress来测试,如下图所... 查看详情
docker私有镜像仓库搭建和镜像删除
...像的管理,包括一些自己遇到的问题。首先要保证自己的服务器已经安装了docker。具体的安装教程可以看官网,这里就不在赘述了。首先我们需要创建一个自己的CA证书,比如下图是我自己创建时输入的相关内容:做好镜像存储... 查看详情
ca证书和ssl证书的区别
...对点原理,实现数据的传输加密和身份核实功能。CA服务器证书,是必须安装在服务器中,由服务器的软硬件信息生成的CSR文件,通过在微软和全球广东金网证书联盟的备份和核实后,生成的CA证书。网站能在I... 查看详情
政府采购ca证书怎么办理
...CSR(证书签署请求)文件CSR文件一般都可以通过在线生成(或服务器上生成),申请人在制作的同时系统会产生两个秘钥,公钥CSR和密钥KEY。选择了SSL证书申请之后,提交订单并将制作生成的CSR文件一起提交到证书所在的CA颁发机构。... 查看详情
如何使用ca证书进行https连接
...证书签署请求)文件CSR文件一般都可以通过在线生成(或服务器上生成),申请人在制作的同时系统会产生两个秘钥,公钥CSR和密钥KEY。选择了SSL证书申请之后,提交订单并将制作生成的CSR文件一起提交到证书所在的CA颁发机构... 查看详情
如何申请https证书,搭建https网站
第一步、提交CSR文件首先需要生成SSL证书申请文件CSR(CertificateSigningRequest)。选择要申请的SSL证书,提交订单,并将制生成的CSR文件提一起交到所在的SSLCA颁发机构。第二步、提交订单到证书服务机构CA在收到SSL证书订单和证书请... 查看详情
Azure 中的客户端证书身份验证和 CA 证书
】Azure中的客户端证书身份验证和CA证书【英文标题】:ClientcertificateauthenticationandCAcertificateinAzure【发布时间】:2013-01-2612:53:27【问题描述】:我需要使用客户端证书对Azure云服务Web角色的请求进行身份验证。如何将证书颁发机构... 查看详情
ca搭建与证书申请(代码片段)
...据此配置文件创建CAdir:CA相关文件存放路径/etc/pki/CAcerts:证书存放目录/etc/pki/CA/certsdatabase:数据库文件/etc/pki/CA/index.txtnew_certs_dir:新颁发证书存放路径/etc/pki/CA/newcertscertificate:自颁发证书/etc/pki/CA/cacert.pemserial:下一个证书的序列... 查看详情
安全与加密-ssl交互与握手过程创建ca和证书管理
...有没有想过,你得到的这个公钥是不是真正要跟你通讯的服务器公钥呢?万一被伪造了?那将会如下图,黑客能打开加密的文件,而真正的ServerB却无法解开密文。所以,就如现实生活中,大家都要确认某样东西的真实性的时候... 查看详情