(Optional) Configure a certificate authority
- In this section, CA (Certificate Authority) refers to a digital certificate authority. If a CA is already in place, skip this step.
- The CA server is the node on which the security of the whole TLS setup depends. Build the CA server yourself; the procedure below is for testing only, and no claim is made about its security (it creates a single self-signed root whose private key lives on the signing host).
- Choose one server to act as the CA and create the following directories and files on it.
mkdir -p /opt/gcache/secure/CACerts
mkdir -p /opt/gcache/secure/CACerts/certs
mkdir -p /opt/gcache/secure/CACerts/crl
mkdir -p /opt/gcache/secure/CACerts/csr
mkdir -p /opt/gcache/secure/CACerts/newcerts
mkdir -p /opt/gcache/secure/CACerts/private
mkdir -p /opt/gcache/secure/CACerts/public
touch /opt/gcache/secure/CACerts/index.txt
echo 01 > /opt/gcache/secure/CACerts/serial
- Modify the configuration in the "openssl.cnf" file.
- Copy the "openssl.cnf" file from the system directory into the CA directory, restrict its permissions, and open it.
cp /etc/pki/tls/openssl.cnf /opt/gcache/secure/CACerts/openssl.cnf
chmod 600 /opt/gcache/secure/CACerts/openssl.cnf
vi /opt/gcache/secure/CACerts/openssl.cnf
- Press "i" to enter insert mode and edit the file as shown below. If a section does not exist yet, add it.
[ CA_default ]
dir = /opt/gcache/secure/CACerts
certs = $dir/certs
crl_dir = $dir/crl
unique_subject = no
certificate = $certs/ca.crt
crl = $crl_dir/crl.pem
private_key = $dir/private/ca.self
default_md = default

[ req ]
default_md = sm3

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature

[ v3enc_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment

[ v3_ca ]
keyUsage = cRLSign, keyCertSign
- Press "Esc" to leave insert mode, type :wq! and press "Enter" to save and close the file.
- Generate the CA key pair on the CA node. When prompted, enter a CA passphrase and make sure it is complex: genrsa -aes256 encrypts the private key under it, and the same passphrase is required later to sign certificates, so keep it safe.
cd /opt/gcache/secure/CACerts
openssl genrsa -aes256 -out private/ca.self 4096
openssl rsa -in private/ca.self -pubout -out public/ca.common
- The CA node issues a certificate to itself (-x509 produces a self-signed certificate, here valid for 3650 days). Note that openssl req reads the system default configuration file unless -config /opt/gcache/secure/CACerts/openssl.cnf is passed; add that option if the [ req ] and [ v3_ca ] settings edited above are meant to apply to this certificate.
openssl req -new -x509 -key private/ca.self -days 3650 -out certs/ca.crt -subj "/C=CN/ST=HZ/L=Binjiang/O=Huawei/CN=GCACHED"