Httpd self-built CA authentication for HTTPS service
Required software: httpd, mod_ssl, OpenSSL
[root@jinyongri CA]# httpd -V    # httpd version
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:15:00
[root@jinyongri CA]# uname -r    # kernel version
2.6.32-431.el6.i686
[root@jinyongri CA]# uname -a    # full system version
Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux

[root@jinyongri ~]# cd /etc/pki/CA/    # switch to the CA directory
[root@jinyongri CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)    # generate the self-built CA's private key
Generating RSA private key, 2048 bit long modulus
......++
.....++
e is 65537 (0x10001)
[root@jinyongri CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem    # issue the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                      # country
State or Province Name (full name) []:Shanghai                            # province
Locality Name (eg, city) [Default City]:Shanghai                          # city
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd       # company name
Organizational Unit Name (eg, section) []:SA                              # department name
Common Name (eg, your name or your server's hostname) []:ca.jinyongri.com # host name
Email Address []:[email protected]                                        # administrator email
[root@jinyongri CA]# mkdir /etc/httpd/conf/ssl -p    # create a directory for the httpd server's private key and certificate
[root@jinyongri CA]# (umask 077; openssl genrsa 1024 > /etc/httpd/conf/ssl/httpd.key)    # create the httpd private key
Generating RSA private key, 1024 bit long modulus
........++
............++
e is 65537 (0x10001)
[root@jinyongri CA]# cd /etc/httpd/conf/ssl/    # switch to the directory holding the httpd private key
[root@jinyongri ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr    # create the httpd certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd
Organizational Unit Name (eg, section) []:sa
Common Name (eg, your name or your server's hostname) []:www.jinyongri.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:jinyongri Ltd
[root@jinyongri ssl]# touch /etc/pki/CA/{index.txt,crlnumber}    # the CA database files 'openssl ca' expects
[root@jinyongri ssl]# echo 01 > /etc/pki/CA/serial                # first serial number to issue
[root@jinyongri ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655    # sign the httpd certificate with the CA
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 29 12:16:18 2014 GMT
            Not After : Oct  1 12:16:18 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = jinyongri Ltd
            organizationalUnitName    = sa
            commonName                = www.jinyongri.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A
            X509v3 Authority Key Identifier:
                keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56

Certificate is to be certified until Oct  1 12:16:18 2024 GMT (3655 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@jinyongri ssl]# yum install -y mod_ssl    # install httpd's mod_ssl module
[root@jinyongri ssl]# rpm -ql mod_ssl           # check which files the package installed
/etc/httpd/conf.d/ssl.conf
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@jinyongri ssl]# vim /etc/httpd/conf.d/ssl.conf    # configure the virtual host that uses SSL; set these directives:
# ServerName              the host name the certificate was issued for
# DocumentRoot            the site root
# SSLCertificateFile      the certificate file (httpd.crt)
# SSLCertificateKeyFile   the private key file (httpd.key)
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
#ServerName
[root@jinyongri ssl]# httpd -t    # check the configuration file for syntax errors
Syntax OK
[root@jinyongri ssl]# service httpd restart    # restart the httpd service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@jinyongri CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt    # copy the CA certificate under a .crt name for installation on Windows
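Before restarting httpd it is worth checking that the files produced above actually fit together: that cacert.pem is a CA certificate and httpd.crt chains to it, that httpd.key is the private key for httpd.crt, and that the certificate's Common Name is the host name clients will use (the same requirement the hosts-file note below makes). The script is an added example, not part of the original post; the file names and host name are the post's, while build_demo constructs a throwaway CA and server certificate so the checks can run stand-alone.

```shell
# Added example (not from the original post): verify the CA/httpd certificate/key trio from the
# post before it goes into ssl.conf. File names and host name follow the post; build_demo is a
# constructed, non-interactive version of its steps so this runs in a temporary directory.

check_cert() {   # usage: check_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME  -> 0 if all checks pass
    ca=$1; crt=$2; key=$3; host=$4
    # 1. cacert.pem must be a real CA certificate, and httpd.crt must chain to it
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || { echo "$ca is not a CA certificate"; return 1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "$crt does not chain to $ca"; return 1; }
    # 2. httpd.key must be the private key for httpd.crt (compare the public keys derived from each)
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl rsa -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "$key does not match $crt"; return 1; }
    # 3. the CN must equal the ServerName clients type, or browsers warn even with the CA trusted
    cn=$(openssl x509 -in "$crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "certificate CN '$cn' is not '$host'"; return 1; }
    return 0
}

build_demo() {   # usage: build_demo DIR  -- constructed CA + server certificate in DIR
    d=$1; mkdir -p "$d"
    # minimal req config so the CA certificate gets CA:TRUE regardless of the system openssl.cnf
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > "$d/req.cnf"
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$d/req.cnf" -key "$d/cakey.pem" -days 3655 -out "$d/cacert.pem" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=jinyongri Ltd/OU=SA/CN=ca.jinyongri.com" 2>/dev/null
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$d/req.cnf" -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=jinyongri Ltd/OU=SA/CN=www.jinyongri.com" 2>/dev/null
    # 'openssl x509 -req' signs directly, so no index.txt/serial database is needed here
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -days 3655 -out "$d/httpd.crt" 2>/dev/null
}

demo=$(mktemp -d)
build_demo "$demo"
check_cert "$demo/cacert.pem" "$demo/httpd.crt" "$demo/httpd.key" www.jinyongri.com && echo "httpd.crt is ready for ssl.conf"
```

The demo generates a 2048-bit server key rather than the post's 1024 bits, since 1024-bit RSA is no longer considered adequate for a TLS server key. On the real server, run check_cert against /etc/pki/CA/cacert.pem and the two files in /etc/httpd/conf/ssl/.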
Testing from a Windows 7 client
Edit C:\Windows\System32\drivers\etc\hosts and add an entry with your web server's IP address and the test domain name:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.1.100   www.jinyongri.com   # add this line, using your own IP address and domain name
Note: this domain name must match the Common Name used when the server certificate was requested from the CA; otherwise the browser reports a certificate error.
If the hosts file cannot be saved, give the current user write permission on it.
Download the /etc/pki/CA/cacert.crt copy of the CA certificate to the Windows client and install it in the trusted root store.
This article is from the "imperial garden" blog; please keep this source link: http://diguojin.blog.51cto.com/5034509/1559549
CentOS 6.5 httpd self-built CA authentication for HTTPS service