如何搭建一個企業CA證書服務器?

定義系統環境：centos7.4

ca.com 192.168.80.181 openssl*

mail.com 192.168.80.182 dovecot*

client.com 192.168.80.183 mutt*

修改三臺主機名：

①hostnamectl set-hostname xx.com

exit 登出

重新連接

②vi /etc/hosts (根據實際情況修改)

192.168.80.181 ca.com

192.168.80.182 mail.com

192.168.80.183 client.com

—-以下在CA服務器端配置—IP：192.168.80.181

systemctl stop firewalld && setenforce 0 //關閉防火墻及selinux

確認安裝了openssl軟件

rpm -qa | grep openssl

vi /etc/pki/tls/openssl.cnf openssl服務的配置文件

[ CA_default ] 幫別的服務器頒發的值

dir = /etc/pki/CA 工作目錄 # Where everything is kept(保存)

certs = $dir/certs 頒發了的證書 # Where the issued(發行者)certs are kept

crl_dir = $dir/crl 吊銷了的證書 # Where the issued crl are kept

database = $dir/index.txt 索引文件 # database index file.

new_certs_dir = $dir/newcerts 新證書 # default place for new certs.

certificate = $dir/cacert.pem 根證書 # The CA certificate

serial = $dir/serial 序列號 # The current serial number

crlnumber = $dir/crlnumber # the current crl number

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

—修改以下配置—-

[ req_distinguished_name ] //L128

countryName //國家名 = Country Name (2 letter code)

countryName_default //默認那個國家 = CN

stateOrProvinceName //詳細地址 = State or Province Name (full name)

stateOrProvinceName_default = AnHui

localityName = Locality Name (eg, city)

localityName_default = HeFei

commonName = Czm Certificate Authority

commonName_max = 64

emailAddress = test@126.com

emailAddress_max = 64

(保存退出)

cd /etc/pki/CA/

(定義證書版本)

echo 01 > serial //證書文件

touch index.txt //新建一個索引文件 放在網上供別人下載

openssl genrsa -out private/cakey.pem -des3 2048 //生成私鑰必須輸入密碼

openssl req -new -x509 -key private/cakey.pem -days 365 > cacert.pem //生成根證書需要輸以上密碼 確認信息

yum install httpd //通過WWW服務器共享出去

vi /etc/httpd/conf/httpd.conf

cp /etc/pki/CA/cacert.pem /var/www/html/ //把根證書發布出去

cd /var/www/html/

mv cacert.pem ROOTCA.pem

systemctl start httpd

——以下在郵件服務器上配置———-IP:192.168.80.182

openssl genrsa -out imaps-ser.key 1024 //生成私鑰文件

openssl req -new -key imaps-ser.key -out imaps-svr.csr //生成簽名請求文件要和CA相同

scp imaps-svr.csr root@192.168.80.181:/root/ //把簽名請求文件傳送給CA服務器

——–以下在CA上操作———

openssl req -in imaps-svr.csr -noout -text //以text文本方式查看一imaps-svr.csr的內容

openssl ca -in imaps-svr.csr -out imaps-svr.crt //為客戶端生成證書，全部回答Y

scp imaps-svr.crt root@192.168.80.182:/root //把證書傳送給客戶端

——-以下在郵件服務器上操作——

yum install dovecot -y

vi /etc/dovecot/dovecot.conf

//L24 //L30 ssl = yes //最后一行，新增

cp imaps-svr.crt /etc/ssl/certs/dovecot.pem //把數字證書放到指定位置

mkdir /etc/ssl/private

cp imaps-ser.key /etc/ssl/private/dovecot.pem //把私鑰放到指定位置

service dovecot restart

netstat -anpt | grep dovecot //993 和 995 在監聽

———–以下在用戶側進行測試———IP：192.168.80.183

yum install mutt

mkdir .mutt

cd .mutt

vi muttrc

set folder=imaps://mail.com

set spoolfile=imaps://mail.com

set certificate_file=/root/.mutt/testca.CRT

——-以下在郵件服務器上操作——

yum install httpd -y

yum install mod_ssl -y

cp /etc/ssl/certs/dovecot.pem /etc/httpd/conf.d/server.key

cp /etc/ssl/private/dovecot.pem /etc/httpd/conf.d/server.crt

vi /etc/httpd/conf.d/ssl.conf

啟動httpd服務

在瀏覽器測試：https://192.168.80.182

添加例外

確認安全例外

ok