verisign pki

Small black daily tossing-quick creation of shell scripts for private CA Tom started to make new things again. He just learned how to build a private CA through openssl last week and spent some time writing this script on Saturday. After that, he went to renew DNS, if you have any bugs, please forgive me. This script is purely an exercise for practicing openssl, awk, sed, and other knowledge points. First, we will introduce the simple steps for building a private CA (the default installation pat

support for our servers. In this case, you need to edit the/etc/proftpd. conf configuration file. Before that, we need to back up the current configuration file to ensure that the file can be restored after the problem is rectified. $ sudo cp /etc/proftpd.conf /etc/proftpd.conf.bak Then, we can use our favorite text editor to modify the configuration file. $ sudo vi /etc/proftpd.conf Then, append the following lines to the content we added in step 1. TLSEngine on TLSRequired on TLSPro

This time research operation and maintenance automation, the study to the SALT-API part encountered a lot of pits, here record, the front of the successive replenishment.1, the process of the topic, the beginning of steps:cd/etc/yum.repos.d/wgethttp://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpmrpm-ivhepel-release-6-8.noarch.rpmyum-yinstallkernel-firmwarekernel-headersperfe2fsprogsrpm-ivhlibyaml-0.1.3-1.4.el6.x86_64.rpmrpm-ivhPyYAML-3.10-3.1.el6.x86_64.rpmyum-yinstallsalt-m

simplified process for SSL sessions(1) 客户端发送可供选择的加密方式，并向服务器请求证书；(2) 服务器端发送证书以及选定的加密方式给客户端；(3) 客户端取得证书并进行证书验正： 如果信任给其发证书的CA： (a) 验正证书来源的合法性；用CA的公钥解密证书上数字签名； (b) 验正证书的内容的合法性：完整性验正 (c) 检查证书的有效期限； (d) 检查证书是否被吊销； (e) 证书中拥有者的名字，与访问的目标主机要一致；(4) 客户端生成临时会话密钥（对称密钥），并使用服务器端的公钥加密此数据发送给服务器，完成密钥交换；(5) 服务用此密钥加密用户请求的资源，响应给客户端；注意：SSL会话是基于IP地址创建；所以单IP的主机上，仅可以使用一个https虚拟主机；Configuring HTTPD to support HTTPS(1) 为服务器申请数字证书； 测试：通过私建CA发证书 (a) 创建私有CA (b) 在服务器创建证书签署请求 (c) CA签证(2) 配置httpd支持使用ss

To create a private CA:OpenSSL configuration file:/etc/pki/tls/openssl.cnf(1) Create the required files# Touch Index.txt# echo > Serial#(2) CA self-signed certificate# (Umask 077; OpenSSL Genrsa-out/etc/pki/ca/private/cakey.pem 2048)# OpenSSL Req-new-x509-key/etc/pki/ca/private/cakey.epm-days 7300-out/etc/pki/ca/cacert

://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever arch= $basearchEnabled=1metadata_expire=7dGpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora-$basearch[Fedora-debuginfo-mirrors.sohu.com]Name=fedora $releasever-$basearch-debug-sohu.comFailovermethod=prioritybaseurl=http://mirrors.sohu.com/fedora/releases/$releasever/everything/$basearch/debug/mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever arch=

OpenSSL commandConfiguration file:/etc/pki/tls/openssl.cnfCommand format:OpenSSL command [command_opts] [Command_args]A number of sub-commands, commonly used in the following:　　　　1. Symmetric encryptionOpenSSL enc-[e/d] [-a] [-salt]-cipher-in/path/to/somefile-out/path/to/somefile-E: Encryption-D: Decryption-A: Turning data into base64 encoding-salt: Adding random numbers-cipher: An algorithm for encryptionExample:// Encryption Test.txtOpenSSL enc-d-a-

enabled, you can not use it ). $ sudo setsebool -P allow_ftpd_full_access=1 $ sudo setsebool -P ftp_home_dir=1 Then, we will set that other users are not allowed to move or rename this directory and its contents. $ sudo chmod -R 1777/ftp-dir/ 4. Enable TLS support Currently, the encryption method used by FTP is not secure. Anyone can monitor the network card to read data transmitted by FTP. Therefore, we will enable TLS encryption support for our servers. In this case, you need to edit t

.i386.rpm-R -- 220 root 686650 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm[Root @ mail Server] # yum install wireshark-1.0.8-1.el5_3.1.i386.rpm[Root @ mail Server] # tshark-ni eth0-R "tcp. dstport eq 21" (traffic used to capture packets through this port)[Root @ mail ftproot] # cd/etc/pki/CA/[Root @ mail pki] # vim./tls/openssl. cnf[Root @ mail CA] # touch index.txt serial[Root @ mail CA] # mkdir certs newcert

://s1.51cto.com/wyfs02/M02/89/9B/wKiom1gYEqzTgn6wAAA1oXjtRX0285.png-wh_500x0-wm_3 -wmp_4-s_2966530150.png "title=" SSL bidirectional authentication. PNG "alt=" wkiom1gyeqztgn6waaa1oxjtrx0285.png-wh_50 "/>2. Describes the process of creating a private CA, and a method certificate for the certificate request sent to the client.Establishing a CA server1. Initializing the Environment[[email protected] ~]# cd/etc/pki/ca/[[email protected] ca]# Touch/etc/

-built ca. Before that, let's take a look at the configuration file/etc/pki/tls/OpenSSL. CNF of OpenSSL: The [ca_default] section defines some file paths and file names required by the self-built ca. Some key items are as follows: [Ca_default] Dir =/etc/pki/CA # where everything is kept Private_key = $ DIR/private/cakey. pem # the Private Key # The private key file of the self-built CA is/etc/

"cnnic ssl" | certutil-D.-A-I ~ /CNNIC/cnnicssl. CRT-n "cnnic ssl"-T ""Certutil-D.-M-T ""-n "CNNIC root" | certutil-D.-A-I ~ /CNNIC/cnnicroot. CRT-n "CNNIC root"-T ""Certutil-D.-M-T ""-n "entrust.net secure server ca" | certutil-D.-A-I ~ /CNNIC/entrust. netsecureservercertificationauthority. CRT-n "entrust.netSecure Server ca "-T "" How to view results Certutil-D.-l 3.2 chrome cleanup Chrome users may have noticed linuxcertmanagement. # Errors are normal. No errors occur because you ha

download Gpgkey = file: // etc/pki/rpm-GPG-key-RedHat-release Gpgkey Storage address The following update points are added to the copy operation by default.Rhel-debuginfo.repo Behind the text [Base] Name = Red Hat Enterprise Linux $ releasever-basebaseurl = Alibaba Hat Enterprise Linux $ releasever-updatesbaseurl = Alibaba Hat Enterprise Linux $ releasever-extrasbaseurl = Alibaba hat Enterprise Linux $ releasever-addonsbaseurl = http://ftp.twa

/[Root @ localhost yum. Repos. d] # lsFedora-core.repoFedora-extras-development.repo fedora-legacy.repoFedora-updates-testing.repoFedora-development.repo fedora-extras.repoFedora-updates.repoThe preparation for adding a software library is to clarify the exact location of the software library you want to add GPG key, (GNU private guardIs a key method that implements opengpg standards and Free Software Defined in rfc2440. GPG provides command line applications that can be easily integrated into o

From: http://www.linux-wiki.cn/index.php/%E6%95%99%E8%82%B2%E7%BD%91%E5%86%85Fedora%E6%BA%90%E9%85%8D%E7%BD% AE Education Network cannot access foreign countries, so the default source in the fedora system cannot be used. This article takes the source of Shanghai Jiao Tong University as an example to introduce how to configure the yum source in fedora. First, back up the current source configuration file. # Mkdir ~ /Repo. Bak# Mv/etc/yum. Repos. d /*~ /Repo. Bak Note: Note that the pat

able to authenticate its identity, therefore, it is impossible for users to issue public keys themselves. At this time, a credible intermediary organization is required to do the job, namely Ca, which raises two concepts: CA: Certificate Authority PKI: public key infrastructure and public key infrastructure Certificate: It stores all kinds of user information. The core part is the public key. But there is another problem: who will issue the pu

private key. The file here is to be the same as the private key file in/etc/pki/tls/openssl.cnfNumbits is the length of the key.Extract the public key from the private key (the public key is extracted from the private key)OpenSSL genrsa-in/path/to/cakey.pem-puboutThe public key is used to generate the certificate, and the private key is to encrypt the data2. Generate self-visa bookOpenSSL Req-new-x509-key/path/to/keyfile.pem-out/path/to/certifcate.cr

Script content: The code is as follows Copy Code #!/bin/bash# Author:mos# Script Name:mos_ca.sh# Date time:2013-01-06/23:05:35# version:1.0.2# Description:#[-f/etc/sysconfig/mos_ca.conf] . /etc/sysconfig/mos_ca.confConfig () {CNF=${CNF:-/ETC/PKI/TLS/OPENSSL.CNF}CP $Cnf $CNF. ' Date +%f-%t '. bakdir=${dir:-/etc/pki/ca/}CNY=${CNY:-CN}Pve=${pve:-henan}Cty=${cty:-zhengzhou}Bis=${bi

= $basearch Enabled=1 Gpgcheck=1 Gpgkey=file:///etc/pki/rpm-gpg/rpm-gpg-key-fedora File:///etc/pki/rpm-gpg/RPM-GPG-KEY [Fedora-debuginfo] Name=fedora $releasever-$basearch-debug Failovermethod=priority #baseurl =http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/everything/$basearch/debug/ baseurl=http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/9/everything/

files. Filter_factory checks if the token in the request is correct. Authenticated tokens are cached locally, filter_factory also checks if the authenticated token has expired or expires (revoked or expired) authentication and generation of Keystone tokensThere are two ways to generate tokens for Keystone: UUID and PKI. Token authentication also has two ways of doing this. Token generation is implemented in Keystone. Token authentication at Keyston