前言:
OpenCA是OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件,主要由四部分组成:CA、RA、PUB和NODE。简而言之,PUB是对外提供服务的接口,用户可以通过PUB界面提交自己的注册、查询请求等;RA主要负责处理经由PUB提交过来的用户请求,判决是否批准这些请求;CA则是根据RA批准的请求来签发证书;NODE负责RA和CA间的数据传输。
一、准备工作
搭建平台:CentOS7(mini install)
前期软件安装:gcc gcc-c++ openssl-devel perl perl-devel perl-DBI perl-DBD-MySQL perl-Net-SSLeay expat-devel
安装包:openssl(1.0.2k) httpd(编译安装时,需要依赖apr、apr-util、pcre) mysql(使用的是mysql-cluster版) openca-tools openca-base
二、安装
1、安装openssl(1.0.2k)
./config shared --prefix=/usr/local/openssl
make && make install
2、安装httpd
(1)安装apr(1.5.2)
./configure --prefix=/usr/local/apr
make && make install
(2)安装apr-util(1.5.4)
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/bin/apr-1-config
make && make install
(3)安装pcre(8.4.2)
./configure --prefix=/usr/local/pcre
make && make install
(4)安装httpd(2.4.34)
./configure --prefix=/usr/local/apache2 --enable-ssl --enable-cgid --enable-so --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/local/pcre --with-ssl=/usr/local/openssl
make && make install
3、安装mysql
这里采用的是mysql-cluster,可以离线安装,不过需要修改/etc/my.cnf,如下图:
将文件解压到/usr/local/mysql,并cd /usr/lcoal/mysql
./bin/mysqld --initialize(记住给出的临时密码) --> support-files/mysql.server start(启动MySQL) --> ./bin/mysql -uroot -p(输入临时密码登录)
登录MySQL后:SET password=PASSWORD('openca');-->CREATE DATABASE openca;-->GRANT all ON openca.* TO 'root'@"%" IDENTIFIED BY 'openca';-->FLUSH PRIVILEGES;-->exit
4、安装openca-tools
./configure --prefix=/usr/local/openca-tools
make && make install
5、安装openca-base
创建openca组:groupadd openca;添加openca用户:useradd -g openca openca
./configure --prefix=/usr/local/openca-base --with-openssl-prefix=/usr/local/openssl/ --with-db-type=mysql --with-db-host=localhost --with-db-port=3306 --with-httpd-fs-prefix=/usr/local/apache2 --with-htdocs-fs-prefix=/usr/local/apache2/htdocs/pki --with-httpd-user=daemon --with-httpd-group=daemon --with-openca-user=openca --with-openca-group=openca --with-openca-tools-prefix=/usr/local/openca-tools
make
make install-offline(安装CA)
make install-online(安装RA)
cd /usr/local/openca-base/etc/openca && ./configure_etc.sh
chown -R daemon:daemon /usr/local/openca-base/etc
chown -R daemon:daemon /usr/local/openca-base/var
修改目录下的config.xml,将db_user改为“root”
三、测试
启动MySQL:/usr/local/mysql/support-files/mysql.server start
启动httpd:/usr/local/apache2/bin/apachectl start
启动openca:/usr/local/openca-base/etc/init.d/openca start
浏览器中输入:http://IP:PROT/pki,如果出现下图(在安装openca-base时只执行了make install-offline),恭喜恭喜