[Certificate Server II] Building a self-signed certificate service with OpenSSL on CentOS 6 and applying it to Web containers

Source: Internet
Author: User
Tags: pkcs12

The first part: overview

...

Part II: System Preparation

1 Operating system

CentOS 6.x

IP:

2 Installing OpenSSL

yum install -y openssl

3 Installing the JDK

Download the JDK from the official site: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

JDK 1.8 is used here; upload it to the CentOS 6 machine and extract it into the /opt/jtools/java/ directory.

Configure the environment variables

vim ~/.bash_profile

export JAVA_HOME=/opt/jtools/java/jdk1.8
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH

source ~/.bash_profile

Part III: Certificate Service Design and Deployment

I. Certificate service directory structure design

When you deploy Certificate Services, you specify the OpenSSL working directory, and the initial script automatically creates the relevant folders and files and generates the root certificate.

II. Upload the scripts and configuration file below to the /opt/shdir directory on the server

initcahome.sh

addserver.sh

generateservercert.sh / generateservercertforiis.sh

addclientcert.sh

openssl.cnf

Give the scripts execute permission

chmod +x /opt/shdir/*.sh

III. Run the initialization command

/opt/shdir/initcahome.sh /opt/ca_ws

$1 is the certificate working directory

Part IV: IIS Service Application

I. Generate the IIS server certificate request

A Windows Server R2 machine is used here as the test machine. After the Web Server role has been added:

Open Server Manager, locate Internet Information Services (IIS) Manager and click the server node under the Start Page on the right.

Double-click Server Certificates and, in the Actions pane on the right, click Create Certificate Request.

To request a certificate, enter the following:

Common name: www.spads.cn

Organization: Spads

Organizational unit: Spads

City/Location: Beijing

State/Province: Beijing

Country/region: CN

Click Next

Cryptographic service Provider Properties, default, click Next

For the certificate request file name, choose a path on the local disk (E:\server_req.txt) and click Finish.

You now have the IIS certificate request file E:\server_req.txt.

II. Issue the server-side certificate and the client certificate

1 On the certificate server, run the script that initializes the application's certificate directory.

/opt/shdir/addserver.sh /opt/ca_ws testiis

$1 is the certificate working directory

$2 is the application name

2 Upload the IIS certificate request file

Upload the IIS certificate request file (server_req.txt) to the /opt/ca_ws/apps/testiis/server/cert_req directory.

3 Run the command that issues the server-side certificate

/opt/shdir/generateservercertforiis.sh /opt/ca_ws testiis

$1 is the certificate working directory

$2 is the application name

The IIS server-side certificate signed by your CA is now at /opt/ca_ws/apps/testiis/server/cert/server.pem

4 Run the command that issues the client certificate

/opt/shdir/addclientcert.sh /opt/ca_ws testiis 3

$1 is the certificate working directory

$2 is the application name

$3 is the client number

Note: a client certificate together with its private key is exported here; you are prompted to set the export password.

III. Apply the certificates in IIS and enable HTTPS mutual authentication

1 Download the root certificate, the issued server-side certificate and the client certificate from the certificate server

/opt/ca_ws/rootca/cert/ca.crt

/opt/ca_ws/apps/testiis/server/cert/server.pem

/opt/ca_ws/apps/testiis/client/cert/client3.p12

2 Install the root certificate on the IIS server

Double-click the root certificate (ca.crt) and import it into the Trusted Root Certification Authorities store of the local machine.

3 Import the server certificate

Open Internet Information Services (IIS) Manager and click the server node under the Start Page on the right.

Double-click Server Certificates and, in the Actions pane on the right, click Complete Certificate Request, specifying server.pem. This completes the import of the server certificate.

Note: after importing, you can double-click the certificate in the list and choose Copy to File to export the server certificate together with its private key.

Note: record the certificate's serial number manually. If the installed certificate disappears from the list after a refresh, it has to be repaired from the command line (certutil -repairstore my <certificate serial number>).

4 Enable SSL on the Web site

Check whether the Web site already has an HTTPS binding; if it does, delete it.

Add an HTTPS binding and select the server certificate you just imported.

In the Features view open SSL Settings, tick Require SSL and set Client certificates to Require; this turns on mutual authentication (the client must present a certificate).

5 Client authentication

Without the client certificate installed, access is refused.

With the client certificate installed, the site can be accessed.

Note: Windows Server R2 itself applies special restrictions to certificates (access must be by domain name), so the test has to be run from a separate machine (Windows 7/10).

Part V: Tomcat Service Application

I. Issue the server-side certificate and the client certificate

1 On the certificate server, run the script that initializes the application's certificate directory.

/opt/shdir/addserver.sh /opt/ca_ws testtomcat

$1 is the certificate working directory

$2 is the application name

2 Issue the server certificate

/opt/shdir/generateservercert.sh /opt/ca_ws testtomcat

$1 is the certificate working directory

$2 is the application name

You now have

the server-side certificate at /opt/ca_ws/apps/testtomcat/server/cert/server.crt

and its private key at /opt/ca_ws/apps/testtomcat/server/private/server.key

3 Issue the client certificate

/opt/shdir/addclientcert.sh /opt/ca_ws testtomcat 3

$1 is the certificate working directory

$2 is the application name

$3 is the client number

Note: a client certificate together with its private key is exported here; you are prompted to set the export password.

4 Export the items Tomcat needs for its configuration

Build the trust keystore

keytool -import -file $1 -alias firstca -keystore $2

$1 is the root certificate path /opt/ca_ws/rootca/cert/ca.crt

$2 is the output path /opt/ca_ws/apps/testtomcat/server/cert/mytruststore

Build the server-side keystore

openssl pkcs12 -export -in $1 -inkey $2 -certfile $3 -out $4

$1 is the server-side certificate path /opt/ca_ws/apps/testtomcat/server/cert/server.crt

$2 is the server private key path /opt/ca_ws/apps/testtomcat/server/private/server.key

$3 is the root certificate path /opt/ca_ws/rootca/cert/ca.crt

$4 is the output path /opt/ca_ws/apps/testtomcat/server/cert/server.p12
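The page refers to initcahome.sh, addserver.sh, generateservercert.sh / generateservercertforiis.sh and addclientcert.sh (Parts III and IV) and to the keytool/pkcs12 export above (Part V) but never shows the scripts themselves. The following is an added example written for this page, not the author's scripts: one POSIX shell file that reconstructs the whole flow on the page's directory layout. It assumes signing with "openssl x509 -req" against a small openssl.cnf written by initcahome (the page's own openssl.cnf is not shown), that PKCS#12 passwords are passed as arguments rather than prompted for, and that the truststore is produced as PKCS#12 by openssl instead of as JKS by keytool. Only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not the page's scripts): a minimal reconstruction of what
# initcahome.sh, addserver.sh, generateservercert.sh / generateservercertforiis.sh,
# addclientcert.sh and the Part V export step could do, using the page's
# directory layout. Assumed: signing uses "openssl x509 -req" with the small
# openssl.cnf written below (the page's own openssl.cnf is not shown), and
# PKCS#12 passwords are passed as arguments instead of being prompted for.
set -e

# $1 = certificate working directory (the page uses /opt/ca_ws)
initcahome() {
    ws="$1"
    mkdir -p "$ws/rootca/private" "$ws/rootca/cert" "$ws/apps"
    chmod 700 "$ws/rootca/private"
    # v3_ca marks the root as a CA; v3_server / v3_client restrict the leaves
    cat > "$ws/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -out "$ws/rootca/private/ca.key" 2048 2>/dev/null
    # Self-signed root, 10 years, written where Part IV step III expects ca.crt
    openssl req -x509 -new -config "$ws/openssl.cnf" -key "$ws/rootca/private/ca.key" \
        -sha256 -days 3650 -subj "/C=CN/ST=Beijing/O=Spads/CN=Spads Root CA" \
        -out "$ws/rootca/cert/ca.crt"
}

# $1 = working dir, $2 = CSR, $3 = extension section, $4 = output certificate
sign_csr() {
    openssl x509 -req -in "$2" -CA "$1/rootca/cert/ca.crt" -CAkey "$1/rootca/private/ca.key" \
        -CAserial "$1/rootca/serial" -CAcreateserial -days 365 -sha256 \
        -extfile "$1/openssl.cnf" -extensions "$3" -out "$4" 2>/dev/null
}

# $1 = working dir, $2 = application name: create the per-application tree
addserver() {
    app="$1/apps/$2"
    mkdir -p "$app/server/cert_req" "$app/server/cert" "$app/server/private" \
             "$app/client/cert" "$app/client/private"
    chmod 700 "$app/server/private" "$app/client/private"
}

# $1 = working dir, $2 = application name. If a CSR was uploaded to
# server/cert_req (the IIS flow, server_req.txt) it is signed as is and the
# private key never leaves IIS; otherwise (the Tomcat flow) key and CSR are
# generated here first. Output: server/cert/server.crt
generateservercert() {
    app="$1/apps/$2"; csr="$app/server/cert_req/server_req.txt"
    if [ ! -s "$csr" ]; then
        openssl genrsa -out "$app/server/private/server.key" 2048 2>/dev/null
        openssl req -new -config "$1/openssl.cnf" -key "$app/server/private/server.key" \
            -subj "/C=CN/ST=Beijing/O=Spads/CN=www.spads.cn" -out "$csr"
    fi
    sign_csr "$1" "$csr" v3_server "$app/server/cert/server.crt"
}

# $1 = working dir, $2 = application name, $3 = client number, $4 = export password
addclientcert() {
    app="$1/apps/$2"; n="$3"
    openssl genrsa -out "$app/client/private/client$n.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$app/client/private/client$n.key" \
        -subj "/C=CN/O=Spads/CN=client$n" -out "$app/client/cert/client$n.csr"
    sign_csr "$1" "$app/client/cert/client$n.csr" v3_client "$app/client/cert/client$n.crt"
    # key + certificate + root in one password-protected client$n.p12
    openssl pkcs12 -export -in "$app/client/cert/client$n.crt" \
        -inkey "$app/client/private/client$n.key" -certfile "$1/rootca/cert/ca.crt" \
        -out "$app/client/cert/client$n.p12" -passout "pass:$4"
}

# $1 = working dir, $2 = application name, $3 = store password. Produces the
# server.p12 of Part V; the truststore is built as PKCS#12 with openssl rather
# than as JKS with keytool, so server.xml needs truststoreType="PKCS12" for it.
exporttomcat() {
    app="$1/apps/$2"
    openssl pkcs12 -export -in "$app/server/cert/server.crt" \
        -inkey "$app/server/private/server.key" -certfile "$1/rootca/cert/ca.crt" \
        -out "$app/server/cert/server.p12" -passout "pass:$3"
    openssl pkcs12 -export -nokeys -in "$1/rootca/cert/ca.crt" \
        -out "$app/server/cert/mytruststore.p12" -passout "pass:$3"
}

# Check a leaf against the root the way the container will; exit status 0 = valid
verifyleaf() {
    openssl verify -CAfile "$1/rootca/cert/ca.crt" "$2" >/dev/null 2>&1
}
```

Source the file and call the functions in the page's order, e.g. initcahome /opt/ca_ws, addserver /opt/ca_ws testtomcat, generateservercert /opt/ca_ws testtomcat, addclientcert /opt/ca_ws testtomcat 3 <password>, exporttomcat /opt/ca_ws testtomcat <password>. Two points the page's flow leaves implicit are made explicit here: the leaf certificates carry CA:FALSE and a serverAuth or clientAuth extended key usage, so a client certificate cannot be presented as a server certificate or used to sign further certificates, and verifyleaf gives a quick offline check that an issued certificate really chains to ca.crt before it is imported into IIS or Tomcat.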

II. Apply the certificates in Tomcat and enable HTTPS mutual authentication

1 Copy files

Download mytruststore and server.p12 and copy them into the tomcat/conf directory.

2 One-way SSL configuration (tomcat/conf/server.xml)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12" keystorePass="zzzzzz"/>

3 Mutual SSL configuration

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="conf/server.p12" keystoreType="PKCS12" keystorePass="zzzzzz"
           truststoreFile="conf/mytruststore" truststoreType="JKS" truststorePass="zzzzzz"/>

III. Client authentication

Without the client certificate installed, access is refused.

With the client certificate installed, the site can be accessed.
