Implementing a private CA with OpenSSL and configuring an OpenSSL-based HTTPS service. The topology is as follows:
[topology diagram: CA server, web server and Windows client]
The steps to implement the private CA on the CA server are as follows:
1. Generate a key pair
2. Generate a self-signed certificate
The basic configuration is shown below:
[[email protected] CA]# pwd
/etc/pki/CA
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [NEIMENGGU]:
Locality Name (eg, city) [Huhhot]:
Organization Name (eg, company) [EDU]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.edu.cn
Email Address []:[email protected]
[[email protected] CA]# touch index.txt
[[email protected] CA]# touch serial
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
Certificate generation steps on the web server:
[[email protected] ~]# cd /etc/httpd/
[[email protected] httpd]# mkdir ssl
[[email protected] httpd]# cd ssl/
[[email protected] ssl]# pwd
/etc/httpd/ssl
[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)
[[email protected] ssl]# ll
total 4
-rw-------. 1 root root 887 6 23:46 httpd.key
The web server generates a certificate signing request:
[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:NEIMENGGU
Locality Name (eg, city) [Default City]:Huhhot
Organization Name (eg, company) [Default Company Ltd]:edu
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www.edu.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA server so that the CA can sign it:
[[email protected] CA]# scp [email protected]:/etc/httpd/ssl/httpd.csr ./certs/
[email protected]'s password:
httpd.csr                                     100%  647     0.6KB/s   00:00
[[email protected] CA]# ll ./certs/
total 4
-rw-r--r-- 1 root root 647 Aug  5 21:39 httpd.csr
The CA server signs the certificate:
[[email protected] CA]# openssl ca -in ./certs/httpd.csr -out ./certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  5 13:45:06 2016 GMT
            Not After : Aug  5 13:45:06 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = NEIMENGGU
            organizationName          = edu
            organizationalUnitName    = tech
            commonName                = www.edu.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                12:2C:ED:3F:F1:FA:54:FB:71:03:79:03:81:77:2D:A6:33:EF:8E:8F
            X509v3 Authority Key Identifier:
                keyid:1B:1E:92:D1:DD:79:A6:68:19:91:5F:08:04:FF:7C:25:73:E4:BC:82

Certificate is to be certified until Aug  5 13:45:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# ll ./certs/
total 4
-rw-r--r-- 1 root root   0 Aug  5 21:43 httpd.crt
-rw-r--r-- 1 root root 647 Aug  5 21:39 httpd.csr
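The signing flow above, reproduced end to end as an added example (not code from the original post): it assumes only a POSIX shell and the openssl CLI, uses a scratch directory and a minimal openssl.cnf in place of /etc/pki/CA and /etc/pki/tls/openssl.cnf, and then checks the issued httpd.crt the way an operator should before copying it to the web server (chain, key/cert pairing, CA:FALSE).

```shell
# Added example (not from the original post): rebuild the page's CA layout in a
# scratch directory, sign the web server's CSR without prompts, then verify it.
set -eu
WORK=$(mktemp -d)
CA="$WORK/ca"           # stands in for /etc/pki/CA on the CA server
SRV="$WORK/httpd-ssl"   # stands in for /etc/httpd/ssl on the web server
mkdir -p "$CA/private" "$CA/newcerts" "$SRV"
touch "$CA/index.txt"; echo 01 > "$CA/serial"
# Minimal openssl.cnf so "openssl ca" does not depend on the distro's file.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName = supplied
[ v3_server ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
# CA: private key (mode 600 via umask, as on the page) and self-signed cert.
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$CA/openssl.cnf" -key "$CA/private/cakey.pem" \
    -days 3650 -subj "/CN=ca.edu.cn" -out "$CA/cacert.pem"
# Web server: private key and CSR; the CA signs it (-batch replaces the y/n prompts).
(umask 077; openssl genrsa -out "$SRV/httpd.key" 2048 2>/dev/null)
openssl req -new -config "$CA/openssl.cnf" -key "$SRV/httpd.key" \
    -subj "/CN=www.edu.cn" -out "$SRV/httpd.csr"
openssl ca -batch -config "$CA/openssl.cnf" -in "$SRV/httpd.csr" -out "$SRV/httpd.crt" -days 365 2>/dev/null
verify_issued() {   # $1 = CA cert, $2 = server cert, $3 = server private key
    # chain: the server cert must validate against this CA (and nothing else)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # pairing: the public key inside the cert must belong to the private key
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] || return 2
    openssl x509 -in "$2" -noout -text | grep -q 'CA:FALSE' || return 3   # not a CA itself
}
verify_issued "$CA/cacert.pem" "$SRV/httpd.crt" "$SRV/httpd.key" && echo "httpd.crt OK"
```

After the run, index.txt and serial in the scratch CA show the same bookkeeping the page's "Data Base Updated" refers to: one entry, serial advanced to 02 and a copy of the issued certificate under newcerts/.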
Send the signed certificate back to the requesting web server:
[[email protected] CA]# scp ./certs/httpd.crt [email protected]:/etc/httpd/ssl/
[email protected]'s password:
httpd.crt                                     100% 3754     3.7KB/s   00:00
Install the SSL module on the web server:
# yum install -y mod_ssl
Edit the ssl.conf configuration file and change the following lines (line numbers as shown in vim):
[[email protected] ssl]# vim /etc/httpd/conf.d/ssl.conf
107 SSLCertificateFile /etc/httpd/ssl/httpd.crt
114 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Start the Apache service:
[[email protected] ssl]#
Install the trusted certification authority on the Windows client as follows:
Download the cakey.pem file from the CA server to the Windows client, change the file suffix to .crt (cakey.crt), double-click the file and install it as a trusted certification authority, following these steps:
Install Certificate -- Next -- Place all certificates in the following store -- Browse and select Trusted Root Certification Authorities -- Finish.
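What the client has to trust is the CA certificate (the cacert.pem created in the first step); the CA's private key in private/cakey.pem must never leave the CA server. As an added example (not code from the original post, assuming only a POSIX shell and the openssl CLI), the helper below builds a throwaway CA, then packages a file for the Windows import only if it is a self-signed certificate, refusing any private key, and prints the SHA-256 fingerprint to compare in the Windows certificate dialog.

```shell
# Added example (not from the original post): a throwaway CA, then a helper that
# exports only the CA certificate for clients and refuses the CA private key.
set -eu
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"   # lets -subj work without the distro config
(umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$WORK/req.cnf" -key "$WORK/cakey.pem" -days 3650 \
    -subj "/CN=ca.edu.cn" -out "$WORK/cacert.pem"

export_ca_cert() {   # $1 = file taken from /etc/pki/CA, $2 = .crt to hand to the client
    # Anything that parses as a private key is cakey.pem (or worse): never export it.
    if openssl pkey -in "$1" -noout 2>/dev/null; then
        echo "refusing to export $1: it is a private key, not a certificate" >&2
        return 1
    fi
    # A trust root must be a certificate whose issuer is its own subject.
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 3
    # Windows opens a DER-encoded .crt directly; print the SHA-256 fingerprint so the
    # person importing it can compare it against the certificate dialog.
    openssl x509 -in "$1" -outform DER -out "$2"
    openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256
}
export_ca_cert "$WORK/cacert.pem" "$WORK/cacert.crt"
```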
Accessing the site through a web browser shows the following result:
[screenshot: HTTPS access to www.edu.cn from the Windows client]
Deployment is complete.