Two-way SSL authentication for an Apache virtual host on CentOS 6

It has been a long time since I updated the LAMP-related documents. A recent project at work needed two-way (mutual) SSL authentication for an Apache virtual host, and the earlier LAMP write-up only touched on loading the SSL module in passing, so after going through a large number of documents found via Google and spending half a day on it, here is a summary to share.
This procedure sets up two-way SSL authentication for a virtual host under Apache, so that only trusted users (those holding a client certificate issued by our own CA) can reach a specific virtual site, with the traffic encrypted and both sides authenticated.
Linux: CentOS 6.3 64-bit (with the installer's default development packages)
Apache: httpd-2.4.4
SSL scripts: ssl.ca-0.1

Solution:

I. Stop iptables and disable SELinux
# service iptables stop
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
Note: this takes the packet filter and SELinux out of the picture so the SSL setup can be tested in isolation; on a host that stays reachable from the network, open TCP port 443 in iptables instead of stopping the service.
II. Compile and install Apache
1. Install the PCRE dependency
# wget -O pcre-8.32.tar.gz http://sourceforge.net/projects/pcre/files/pcre/8.32/pcre-8.32.tar.gz/download
# tar -xzvf pcre-8.32.tar.gz
# cd pcre-8.32
# ./configure --prefix=/usr/local/pcre
# make && make install
2. Apache configuration:
1). Download the Apache and APR packages
# wget http://archive.apache.org/dist/httpd/httpd-2.4.3-deps.tar.bz2
# wget http://archive.apache.org/dist/httpd/httpd-2.4.4.tar.bz2
2). Merge the APR package into the Apache source tree
Note: httpd-2.4.3-deps.tar.bz2 already bundles APR and APR-util; confirm that PCRE installed successfully before building Apache.
# tar jxvf httpd-2.4.4.tar.bz2
# tar jxvf httpd-2.4.3-deps.tar.bz2
# cp -rf httpd-2.4.3/* httpd-2.4.4
3. Compile and install (with the mod_ssl module)
# cd httpd-2.4.4
# ./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite --enable-ssl=static --with-ssl=/usr/local/ssl --enable-mods-shared=all --with-pcre=/usr/local/pcre/bin/pcre-config
# make && make install
Note: if configure fails with:
----------------------------------
checking for OpenSSL version >= 0.9.7... FAILED
configure: WARNING: OpenSSL version is too old
no
checking whether to enable mod_ssl... configure: error: mod_ssl has been requested but can not be built due to prerequisite failures
-----------------------------------
the OpenSSL development headers are missing or too old. Install or update them and rerun configure:
# yum install openssl-devel -y
# yum update openssl -y
III. SSL one-way authentication configuration
1. Include the SSL configuration file:
# vi /usr/local/apache2/conf/httpd.conf
Find the line "Include conf/extra/httpd-ssl.conf" and remove the leading "#".
2. Configure SSL:
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
Find the line containing "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" (the SSLSessionCache directive) and comment it out with "#"; the shmcb cache needs mod_socache_shmcb, which this build does not load by default, and httpd refuses to start if the cache is configured without it.
Check that the following lines are set as shown:
----------------------------
Listen 443
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
----------------------------
3. Certificate configuration:
1). Download and unpack the ssl.ca certificate-generation scripts:
# cd /usr/local/apache2/conf
# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
2). Generate the root CA certificate with the script:
# ./new-root-ca.sh
---------------------------------------------------
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...++++++..................
...++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a password)
Verifying - Enter pass phrase for ca.key: (enter the password again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: (enter the password you just set)
........
........ (now sign)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:jiangsu
Locality Name (eg, city) [Sitiawan]:nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:example co.,ltd
Organizational Unit Name (eg, section) [Certification Services Division]:example
Common Name (eg, MD Root CA) []:example
Email Address []:info@111cn.net
--------------------------------------------------
This produces two files, ca.key and ca.crt. The pass phrase protects ca.key, the key that signs every server and client certificate, and is asked for again at each signing step.
3). Generate the server certificate request:
# ./new-server-cert.sh server
Note: "server" is the base name of the certificate files
----------------------------------------------------
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:jiangsu
Locality Name (eg, city) [Sitiawan]:nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:example co.,ltd
Organizational Unit Name (eg, section) [Secure Web Server]:example
Common Name (eg, www.domain.com) []:www.111cn.net
Email Address []:info@111cn.net
-----------------------------------------------------
This produces two files, server.csr and server.key. The Common Name must be exactly the host name clients type into the browser (www.111cn.net, with no scheme or path); any mismatch produces a certificate warning.
4). Sign the server certificate with the CA:
# ./sign-server-cert.sh server
-------------------------------------------------
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA password set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'jiangsu'
localityName          :PRINTABLE:'nanjing'
organizationName      :PRINTABLE:'example co.,ltd'
organizationalUnitName:PRINTABLE:'example'
commonName            :PRINTABLE:'www.111cn.net'
emailAddress          :IA5STRING:'info@111cn.net'
Certificate is to be certified until 12:55:34 (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
-------------------------------------------
Note: if anything goes wrong here it is simplest to start over: delete the ssl.ca-0.1 directory and repeat from the unpacking step, because the CA's database (index and serial files) already records the failed attempt.
Then place the certificate files where httpd-ssl.conf expects them.
5). Set permissions and move the certificates into place:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# chmod 644 server.crt ca.crt
# chmod 600 server.key
# mv server.key ..
# mv server.crt ..
# mv ca.crt ..
Note: only the two certificates need to be world-readable. httpd reads server.key as root at startup, so the private key can stay at mode 600; at 644 every local account on the box could read it.
4. Configure HTTPS for one-way SSL on the virtual host
1). Include the virtual host configuration file:
# vi /usr/local/apache2/conf/httpd.conf
Find the line "Include conf/extra/httpd-vhosts.conf" and remove the leading "#".
2). Give the www.111cn.net virtual host HTTPS access
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
Add the following:
---------------------------
<VirtualHost *:443>
DocumentRoot "/usr/local/apache2/htdocs/www.111cn.net/"
ServerAlias www.111cn.net
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
</VirtualHost>
----------------------------
# cd /usr/local/apache2/htdocs
# mkdir www.111cn.net
# cd www.111cn.net/
# echo 'This is a test SSL web page' > index.html
3). Start the service:
# /usr/local/apache2/bin/apachectl start
4). Check that the SSL port is listening:
# lsof -i :443
---------------------------------
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 125366 root 6u IPv6 6351523 0t0 TCP *:https (LISTEN)
httpd 125885 daemon 6u IPv6 6351523 0t0 TCP *:https (LISTEN)
httpd 125886 daemon 6u IPv6 6351523 0t0 TCP *:https (LISTEN)
httpd 125887 daemon 6u IPv6 6351523 0t0 TCP *:https (LISTEN)
httpd 125946 daemon 6u IPv6 6351523 0t0 TCP *:https (LISTEN)
---------------------------------
5). Open https://www.111cn.net in a browser
Note: the hosts file on the client machine must map www.111cn.net to the server's address. (Figure omitted.)
IV. SSL two-way authentication configuration
1. Generate a certificate for the client:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# ./new-user-cert.sh client1
-----------------------------------------
No client1.key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........++++++
...++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg, John Doe) []:client1
Email Address []:info@111cn.net
You may now run ./sign-user-cert.sh to get it signed
-------------------------------------------
2. Sign the client certificate:
# ./sign-user-cert.sh client1
--------------------------------------
CA signing: client1.csr -> client1.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA password)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'info@111cn.net'
Certificate is to be certified until Aug  8 08:41:51 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: client1.crt <-> CA cert
client1.crt: OK
------------------------------------
3. Convert the client certificate into the .p12 (PKCS#12) format that browsers import
# ./p12.sh client1
-------------------------------------
Enter Export Password: (the write-up enters the CA root password here; see the note below)
Verifying - Enter Export Password: (confirm)
The certificate for client1 has been collected into a PKCS12 file.
You can download to your browser and import it.
--------------------------------------
Note: the export password protects client1.p12, which bundles the client's private key with its certificate, and it is the password the browser asks for on import. Because the file leaves the server together with the user, give it a password of its own rather than the CA key's pass phrase.
# ll client1.p12
--------------------------------------
-rw-r--r-- 1 root 2601 Aug  8 16:44 client1.p12
--------------------------------------
4. Hand the .p12 file to the trusted client so that it can authenticate with its certificate
Note: here the file is simply transferred to the local machine as an example; in production the certificate download can be handled by an application after it has authenticated the user.
# sz client1.p12
5. Configure HTTPS for two-way SSL on the virtual host
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
Change the virtual host block to the following. SSLVerifyClient require makes the server demand a client certificate and accept only one that chains to the CA in SSLCACertificateFile; SSLVerifyDepth caps how long that chain may be.
----------------------------
<VirtualHost *:443>
DocumentRoot "/usr/local/apache2/htdocs/www.111cn.net/"
ServerAlias www.111cn.net
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>
----------------------------
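The difference between the one-way block in section III and the two-way block above is three directives, and it is easy to lose one of them when editing httpd-vhosts.conf. The following audit script is an added example, not part of the original write-up: it walks every <VirtualHost> block in a config file and reports whether client certificates are actually enforced. The sample config embedded in it is a constructed copy of the two blocks from this write-up, using ServerName and two different host names so that both fit in one file.

```shell
# Added example, not part of the original write-up: audit httpd-vhosts.conf and
# report, per <VirtualHost> block, whether client certificates are enforced.
# POSIX sh + awk only. Apache directive names are case-insensitive, so they are
# lowercased before comparison (this also catches the spelling in the write-up).
# audit_vhosts FILE -> one line per block: "<address> <ServerName-or-alias> <mode>"
# mode: mutual (SSLEngine on + SSLVerifyClient require + SSLCACertificateFile),
#   optional (certificate requested but not required), one-way (SSLEngine on,
#   no client verification: the section III state), no-ca (require set but no
#   CA file to verify against, a misconfiguration), plain (no SSLEngine on)
audit_vhosts() {
    awk '
    tolower($1) ~ /^<virtualhost$/ { inblk=1; addr=$2; sub(/>$/,"",addr); name="-"; eng=0; verify="none"; ca=0; next }
    tolower($1) ~ /^<\/virtualhost>$/ {
        if (!inblk) next
        mode = "plain"
        if (eng) mode = "one-way"
        if (eng && verify == "optional") mode = "optional"
        if (eng && verify == "require") mode = ca ? "mutual" : "no-ca"
        print addr, name, mode; inblk = 0; next }
    !inblk || /^[ \t]*#/ { next }
    { d = tolower($1) }
    (d == "servername" || d == "serveralias") && name == "-" { name = $2 }
    d == "sslengine" && tolower($2) == "on" { eng = 1 }
    d == "sslverifyclient" { verify = tolower($2) }
    d == "sslcacertificatefile" { ca = 1 }
    ' "$1"
}

# vhost_mode FILE NAME -> mode of the first block whose ServerName/alias is NAME
vhost_mode() {
    audit_vhosts "$1" | awk -v n="$2" '$2 == n { print $3; exit }'
}

# Constructed sample: the one-way and two-way blocks from the write-up, given
# different names so both fit in one file (the real config keeps only one).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName www.111cn.net
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
EOF
audit_vhosts "$SAMPLE_CONF"   # *:443 www.111cn.net one-way / *:443 secure.example.test mutual
```

Run it against the live file with `audit_vhosts /usr/local/apache2/conf/extra/httpd-vhosts.conf` after each edit; anything other than "mutual" for the protected host means the two-way setup is not in force.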
6. Test results
1). Open https://www.111cn.net in Chrome
With no client certificate imported, the browser reports an SSL connection error: the server ends the handshake because no certificate was presented.
2). So import the certificate:
A. On Windows, open the client1.p12 file
B. Follow the Certificate Import Wizard through to the end, entering the export password when asked
Open https://www.111cn.net in Chrome again; the browser now prompts for the client certificate. (The prompt is shown in the original screenshot, omitted here.)

Done.
