1. Installing the OpenSSL software
# yum -y install openssl
2. Configuration file
In /etc/pki/tls/openssl.cnf, line 172 marks the certificate as a CA certificate:
172 basicConstraints=CA:TRUE
3. Generate the public key certificate and private key
# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
# /etc/pki/tls/misc/CA -newca
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17413805404962385785 (0xf1aa43c0e68f6f79)
        Validity
            Not Before: Jan 08:36:04 2016 GMT
            Not After : Jan 08:36:04 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DA:BD:34:5B:08:8A:90:30:75:7B:59:E3:F6:61:98:94:B6:7C:18:83
            X509v3 Authority Key Identifier:
                keyid:DA:BD:34:5B:08:8A:90:30:75:7B:59:E3:F6:61:98:94:B6:7C:18:83
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 08:36:04 2019 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
4. View the certificate and private key
# vim /etc/pki/CA/cacert.pem
View the private key
# vim /etc/pki/CA/private/cakey.pem
5. Install httpd on the client
# yum install httpd -y
6. The client generates the certificate request file and obtains the certificate
# yum install openssl -y
Generate the private key
# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generate a certificate request file with the private key
# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
# scp /server.csr [email protected]:/tmp
7. Generate the certificate (on the CA)
# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
8. Copy the certificate to the client
# scp /server.crt 192.168.1.64:/
9. Install SSL on the client
# yum install mod_ssl -y
Configure SSL on the client
# vim /etc/httpd/conf.d/ssl.conf
Change the following lines:
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
10. Restart the service
# service httpd restart
Client access
View the certificate in the browser
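The result of steps 2 to 9 can also be checked from the command line instead of only in the browser. The script below is an added example, not part of the original article: it builds a throwaway CA and server certificate in a temporary directory and checks that the CA certificate carries CA:TRUE, that the server certificate chains to the CA, and that the private key matches the certificate. The function names, the demo subject names, the unencrypted keys and the use of `openssl x509 -req` in place of the article's `openssl ca` are assumptions made so the script runs without prompts.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate here is a throwaway built for the demo.

# Build a demo CA and one signed server certificate in directory $1.
make_demo_pki() {
  local d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Steps 2-3: self-signed CA certificate carrying basicConstraints=CA:TRUE
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
  # Step 6: server key and CSR (key left unencrypted so nothing prompts)
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  # Step 7: the CA signs the CSR (x509 -req stands in for `openssl ca`)
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/cakey.pem" -CAcreateserial -days 30 \
    -out "$d/server.crt" 2>/dev/null || return 1
}

# Return 0 only if the CA cert is CA:TRUE, crt chains to it, and key matches crt.
check_issued_cert() {
  local ca=$1 crt=$2 key=$3 rc=0 pub
  openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "FAIL: $ca is not a CA certificate"; rc=1; }
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; rc=1; }
  pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: $key does not match $crt"; rc=1; }
  return $rc
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && check_issued_cert \
  "$demo_dir/cacert.pem" "$demo_dir/server.crt" "$demo_dir/server.key" \
  && echo "OK: certificate chains to the CA and matches the key"
```

Run against the article's own files, `check_issued_cert` takes cacert.pem, server.crt and server.key as its three arguments. Because server.key was created with `-des3`, the key comparison needs the pass phrase, so drop the `2>/dev/null` on the `openssl pkey` call to see the prompt.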
This article is from the "Enet-chen" blog; reprinting is declined.
CA Certification Center Configuration