Part I: Overview
Part II: System Preparation
1 Operating system
CentOS 6.x
Ip:
2 Installing OpenSSL
yum install -y openssl
3 Installing the JDK
Download the JDK from the official site: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Here jdk1.8 is downloaded, uploaded to the CentOS 6 machine, and extracted into the /opt/jtools/java/ directory.
Configuring Environment variables
vim ~/.bash_profile
export JAVA_HOME=/opt/jtools/java/jdk1.8
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
source ~/.bash_profile
Part III: Certificate Service Design and Deployment
One, certificate service directory structure design
When you deploy the certificate service, you specify the OpenSSL working directory; the initialization script then creates the related folders and files automatically and generates the root certificate.
Two, upload the related scripts and configuration files to the /opt/shdir directory on the server
initcahome.sh
addserver.sh
generateservercert.sh/generateservercertforiis.sh
addclientcert.sh
openssl.cnf
Give the scripts execute permissions
chmod +x /opt/shdir/*.sh
Three, run the initialization command
/opt/shdir/initcahome.sh /opt/ca_ws
$1: the certificate working directory
Part IV: IIS Service Application
One, generate the IIS server certificate request
Here a Windows Server R2 machine is used as the test machine. After the Web Server role has been added,
open Server Manager, locate Internet Information Services (IIS) Manager, and click the server node under the Start page on the right.
Open Server Certificates, then in the Actions pane on the right click Create Certificate Request.
In the certificate request, enter the following:
Common name: www.spads.cn
Organization: Spads
Organizational unit: Spads
City/Location: Beijing
State/Province: Beijing
Country/region: CN
Click Next
Cryptographic Service Provider Properties: keep the defaults and click Next
For the certificate request file name, choose a path on the local disk (E:\server_req.txt) and click Finish.
You now have the IIS certificate request file E:\server_req.txt.
Two, issue the server-side certificate and the client certificate
1 On the certificate server, run the script that initializes the application certificate directory.
/opt/shdir/addserver.sh /opt/ca_ws testiis
$1: the certificate working directory
$2: the application name
2 Upload the IIS certificate request file
Upload the IIS certificate request file (server_req.txt) to the /opt/ca_ws/apps/testiis/server/cert_req directory.
3 Run the command that issues the server-side certificate
/opt/shdir/generateservercertforiis.sh /opt/ca_ws testiis
$1: the certificate working directory
$2: the application name
You now have the signed IIS server-side certificate at /opt/ca_ws/apps/testiis/server/cert/server.pem
4 Run the command that issues the client certificate
/opt/shdir/addclientcert.sh /opt/ca_ws testiis 3
$1: the certificate working directory
$2: the application name
$3: the client number
Note: a client certificate bundled with its private key is exported here, and you are prompted to set the export password.
Three, apply the certificate in IIS and turn on two-way HTTPS authentication
1 Download the root certificate, the issued server-side certificate, and the client certificate from the certificate server:
/opt/ca_ws/rootca/cert/ca.crt
/opt/ca_ws/apps/testiis/server/cert/server.pem
/opt/ca_ws/apps/testiis/client/cert/client3.p12
2 Install the root certificate on the IIS server
Double-click the root certificate (ca.crt) and import it into the Trusted Root Certification Authorities store of the Local Machine.
3 Import the server certificate
Open Internet Information Services (IIS) Manager, click the server node under the Start page on the right,
open Server Certificates, and in the Actions pane on the right click Complete Certificate Request, specifying server.pem. This completes the server certificate import.
Note: after importing, you can double-click the certificate in the list and choose Copy to File to export the server certificate together with its private key.
Note: record the certificate serial number manually; if the list is refreshed and the installed certificate disappears, repair it from the command line (certutil -repairstore my <certificate serial number>).
4 Enable SSL on the web site
Check whether the site already has an HTTPS binding; if it does, delete it.
Add an HTTPS binding and select the server certificate you just imported.
In the Features view open SSL Settings, tick Require SSL, and turn on two-way authentication (Client certificates: Require).
5 Client authentication
Without the client certificate installed, access is denied.
With the client certificate installed, the site can be accessed.
Note: Windows Server R2 itself has special restrictions on certificates (it requires access by domain name), so test from an external machine (Windows 7/10).
Part V: Tomcat Service Application
One, issue the server-side certificate and the client certificate
1 On the certificate server, run the script that initializes the application certificate directory.
/opt/shdir/addserver.sh /opt/ca_ws testtomcat
$1: the certificate working directory
$2: the application name
2 Issue the server-side certificate
/opt/shdir/generateservercert.sh /opt/ca_ws testtomcat
$1: the certificate working directory
$2: the application name
Note: the script assumed here is generateservercert.sh, the non-IIS variant uploaded in Part III; it is the one that produces the server.crt and server.key paths listed next.
You now have:
the server-side certificate at /opt/ca_ws/apps/testtomcat/server/cert/server.crt
the certificate private key at /opt/ca_ws/apps/testtomcat/server/private/server.key
3 Issue the client certificate
/opt/shdir/addclientcert.sh /opt/ca_ws testtomcat 3
$1: the certificate working directory
$2: the application name
$3: the client number
Note: a client certificate bundled with its private key is exported here, and you are prompted to set the export password.
4 Export the items Tomcat needs
Build the trust keystore (the root certificate is the only trust anchor, so only client certificates signed by this CA will be accepted):
keytool -import -file $1 -alias firstca -keystore $2
$1: the root certificate path /opt/ca_ws/rootca/cert/ca.crt
$2: the output path /opt/ca_ws/apps/testtomcat/server/cert/mytruststore
Build the server-side PKCS12 (certificate, private key and CA chain in one password-protected file):
openssl pkcs12 -export -in $1 -inkey $2 -certfile $3 -out $4
$1: the server-side certificate path /opt/ca_ws/apps/testtomcat/server/cert/server.crt
$2: the server private key path /opt/ca_ws/apps/testtomcat/server/private/server.key
$3: the root certificate path /opt/ca_ws/rootca/cert/ca.crt
$4: the output path /opt/ca_ws/apps/testtomcat/server/cert/server.p12
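The CA signing, PKCS12 export and chain check that Parts III to V rely on, as an added stand-alone example (not the post's own scripts). It builds a throwaway CA in a temporary directory standing in for /opt/ca_ws, issues a server certificate, exports server.p12 with the same openssl pkcs12 form as above, and then verifies that the certificate chains to the CA (and not to an unrelated CA) and that the key inside the .p12 matches its certificate. Only the openssl CLI is needed; the keytool truststore step is not reproduced.

```shell
#!/bin/sh
# Added example: throwaway PKI mirroring the page's layout. $WORK replaces /opt/ca_ws,
# "zzzzzz" is the page's placeholder password, hostnames and subjects are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS=zzzzzz

make_demo_pki() {
  mkdir -p "$WORK/rootca" "$WORK/server"
  # Self-signed root CA (the page's rootca/cert/ca.crt) plus an unrelated CA for a negative check
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=CN/O=Demo/CN=Demo Root CA" \
    -keyout "$WORK/rootca/ca.key" -out "$WORK/rootca/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=CN/O=Other/CN=Other Root CA" \
    -keyout "$WORK/rootca/other.key" -out "$WORK/rootca/other.crt" 2>/dev/null
  # Server key and CSR, as IIS or keytool would produce them for the CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=CN/O=Demo/CN=www.example.test" \
    -keyout "$WORK/server/server.key" -out "$WORK/server/server.csr" 2>/dev/null
  # Sign the CSR with the CA: the job of the page's generateservercert*.sh scripts
  openssl x509 -req -days 365 -in "$WORK/server/server.csr" -CA "$WORK/rootca/ca.crt" \
    -CAkey "$WORK/rootca/ca.key" -CAcreateserial -out "$WORK/server/server.crt" 2>/dev/null
  # Same openssl pkcs12 -export form as the page: cert + key + CA chain, password protected
  openssl pkcs12 -export -in "$WORK/server/server.crt" -inkey "$WORK/server/server.key" \
    -certfile "$WORK/rootca/ca.crt" -out "$WORK/server/server.p12" -passout "pass:$PASS"
}

# verify_chain <ca.crt>: prints "ok" if server.crt chains to that CA, "fail" otherwise.
# This is the same decision a truststore containing only ca.crt makes about a client certificate.
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/server/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# check_p12_keypair: prints "match" if the private key in server.p12 belongs to its certificate
check_p12_keypair() {
  cert_pub=$(openssl pkcs12 -in "$WORK/server/server.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$WORK/server/server.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Stand-alone usage: sh this_script.sh run
if [ "${1:-}" = run ]; then
  make_demo_pki
  echo "own CA: $(verify_chain "$WORK/rootca/ca.crt"), other CA: $(verify_chain "$WORK/rootca/other.crt"), p12 key: $(check_p12_keypair)"
fi
```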
Two, apply the certificate in Tomcat and turn on two-way HTTPS authentication
1 Copy the files
Download mytruststore and server.p12 and copy them into the tomcat/conf directory.
2 One-way SSL configuration (tomcat/conf/server.xml)
<!-- the maxThreads value was lost in the original; fill in your own -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="..." SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12" keystorePass="zzzzzz"/>
3 Two-way SSL configuration
<!-- the maxThreads value was lost in the original; fill in your own -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="..." SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12" keystorePass="zzzzzz"
           truststoreFile="conf/mytruststore" truststoreType="JKS" truststorePass="zzzzzz"/>
Three, client authentication
Without the client certificate installed, access is denied.
With the client certificate installed, the site can be accessed.
[Certificate Server II] Building a self-signed certificate service with OpenSSL on CentOS 6 and applying it to web containers