Setting up a CA server for HTTPS: a web server using a certificate signed by our own CA for HTTPS communication


Tutorial goal: a web server serving HTTPS with a certificate signed by our own CA

Date: August 19, 2015

Contact e-mail: [Email protected]

QQ group: 1851 15701

51CTO Blog Home: http://990487026.blog.51cto.com

Be a blogger responsible for the reader.

====================================================
Preparation:

System environment: CentOS 6.6 x86_64, desktop installation, with the additional development packages installed.

This machine acts as the certificate authority (CA); its IP address is 192.168.1.101.
The same machine also runs the HTTP service.
In this tutorial a single machine therefore plays both roles, certificate authority and web server, and issues a certificate to itself.

===================================================
Start: operate on the CA side

CA IP address: 192.168.1.101

Install OpenSSL and mod_ssl
# yum install openssl mod_ssl -y

# cd /etc/pki/CA/

Generate the CA key pair cakey.pem (the umask keeps the private key readable only by root)
# (umask 077; openssl genrsa -out private/cakey.pem 2048)

View the generated key pair (prints the modulus and exponents)
# openssl rsa -in private/cakey.pem -text

Generate the CA's self-signed root certificate, an X.509 certificate valid for 10 years
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:            // fill in your company's English name here
Organizational Unit Name (eg, section) []:                       // fill in your department here
Common Name (eg, your name or your server's hostname) []:ca.51cto.com   // fill in the CA's domain name here
Email Address []:[email protected]                                // fill in your contact e-mail

Create the files that openssl ca needs (the serial file must contain a starting number; an empty file makes openssl ca fail with "unable to load number from serial")
# touch index.txt serial crlnumber
# echo 01 > serial

The CA is now ready; its root certificate is cacert.pem.


==================================================
Next: operation on the web server side
Now I am the web server. Below I generate my own private key and a certificate signing request (CSR), send the CSR to the CA to be signed, and receive the signed certificate back.

Because this tutorial runs the web service and the CA on the same machine, the following steps are also carried out locally.

Generate a 1024-bit private key
# cd /etc/httpd/
# mkdir ssl
# cd ssl/
# (umask 077; openssl genrsa -out httpd.key 1024)

Generate the certificate signing request
# openssl req -new -key httpd.key -out httpd.csr

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:            // fill in your company's English name here
Organizational Unit Name (eg, section) []:                       // fill in your department here
Common Name (eg, your name or your server's hostname) []:www.51cto.com   // note: fill in the web server's domain name
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          // press Enter
An optional company name []:      // press Enter

The steps above produced two files: the private key httpd.key and the signing request httpd.csr.
If you typed something wrong, delete the generated CSR and run the request again.
========================================================

At this point the CA is ready, and the web server's private key and certificate request (CSR) exist as well.
So start signing.
Copy the web server's CSR to the CA side (here they are the same machine), then sign it:

# cd /etc/pki/CA/
# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt

Done: the signed certificate file httpd.crt has been generated.



***********************************************************************
If you get the error
failed to update database
TXT_DB error number 2
the reason is:
the new certificate has the same subject as one already recorded in the CA's database (index.txt); by default the CA refuses to issue two certificates that otherwise look the same.

Method one:
Delete index.txt in the CA directory (demoCA by default, /etc/pki/CA here) and create an empty one again (this also discards the CA's record of the certificates it has issued so far)
# rm index.txt
# touch index.txt

Method two:
Edit index.txt.attr in the CA directory
Change unique_subject = yes
to unique_subject = no

Method three:
Use a different Common Name
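The CA-side steps (key, self-signed root, index.txt and serial), the web-server-side CSR, the openssl ca signing step and the unique_subject error above, carried out end to end as an added shell example. This is not code from the original post: it builds the CA in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system-wide config, uses constructed names (Demo Root CA, www.example.test), puts the server name in a subjectAltName as browsers now require, and uses 2048-bit keys throughout, since 1024-bit RSA is no longer accepted by current browsers.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA side and the web server
# side run end to end in a temporary directory (instead of /etc/pki/CA and
# /etc/httpd/ssl), so no root access is needed. It also reproduces the
# unique_subject case behind the post's "TXT_DB error number 2": a second request
# with the same Common Name is rejected while unique_subject = yes and accepted
# once it is no. All names (Demo Root CA, www.example.test) are constructed.

# write_ca_config CA_DIR UNIQUE_SUBJECT SERVER_NAME
# Minimal openssl.cnf so "openssl ca" does not depend on the system-wide
# /etc/pki/tls/openssl.cnf; "\$dir" stays literal for OpenSSL to expand.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
unique_subject  = $2

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:$3
EOF
}

# init_ca CA_DIR UNIQUE_SUBJECT SERVER_NAME: the "operate on the CA side" steps
init_ca() {
  mkdir -p "$1/private" "$1/newcerts" || return 1
  write_ca_config "$1" "$2" "$3"
  touch "$1/index.txt"
  echo 01 > "$1/serial"
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null) || return 1
  openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
    -subj "/CN=Demo Root CA" -days 3655 -out "$1/cacert.pem"
}

# issue_server_cert CA_DIR SERVER_NAME OUT_PREFIX: web-server side key and CSR,
# then the CA signs the CSR. Produces OUT_PREFIX.key, .csr and .crt.
issue_server_cert() {
  (umask 077; openssl genrsa -out "$3.key" 2048 2>/dev/null) || return 1
  openssl req -new -config "$1/openssl.cnf" -key "$3.key" -subj "/CN=$2" -out "$3.csr" || return 1
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$3.csr" -out "$3.crt" 2>>"$1/ca.log"
}

# demo UNIQUE_SUBJECT: build the CA, issue www.example.test, verify the chain
# against cacert.pem, then request the same Common Name a second time.
# Returns 0 only if every step, including the second signing, succeeds.
demo() {
  dir=$(mktemp -d) || return 1
  status=1
  if init_ca "$dir" "$1" www.example.test \
     && issue_server_cert "$dir" www.example.test "$dir/httpd" \
     && openssl verify -CAfile "$dir/cacert.pem" "$dir/httpd.crt" >/dev/null \
     && issue_server_cert "$dir" www.example.test "$dir/httpd-reissued"; then
    status=0
  fi
  rm -rf "$dir"
  return $status
}

demo no  && echo "unique_subject = no:  second certificate for the same CN issued"
demo yes || echo "unique_subject = yes: second request rejected (the TXT_DB error case)"
```

Running the file prints one line per case: with unique_subject = no the chain verifies and a second certificate for the same name is issued; with unique_subject = yes the second openssl ca call fails, which is the situation the error section above describes. Deleting index.txt (method one) would make the second request succeed too, at the cost of the issuance record.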
====================================================
Here is the web server side configuration:

Check whether the SSL module is already installed
# grep mod_ssl /etc/httpd/conf.d/*.conf

Install mod_ssl
# yum install mod_ssl
# vim /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html"                    // uncomment
ServerName www.51cto.com:443                    // uncomment

SSLCertificateFile /etc/httpd/ssl/httpd.crt      // path to the certificate the CA signed for this server
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   // path to the server's own private key

Save and exit
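A check worth running before restarting httpd, added here as an example (not from the original post): httpd -t only validates the syntax of ssl.conf, while a certificate that does not belong to the configured private key is reported only when httpd starts, leaving the service down. The script reads SSLCertificateFile and SSLCertificateKeyFile from a config file and compares the RSA modulus of both, which must be identical. The fixture config, its file names and www.example.test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the certificate and key
# named in an ssl.conf belong together before "service httpd restart".
# Fixture paths and names (www.example.test) are constructed.

# directive CONF NAME: print the value of the first uncommented NAME line
directive() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# check_ssl_conf CONF: returns 0 if the configured certificate and key belong
# together, 1 if their moduli differ or either file cannot be read.
check_ssl_conf() {
  crt=$(directive "$1" SSLCertificateFile)
  key=$(directive "$1" SSLCertificateKeyFile)
  [ -r "$crt" ] && [ -r "$key" ] || return 1
  crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
  [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# make_fixture DIR MATCHING(yes|no): a constructed ssl.conf fragment plus a
# self-signed key/certificate pair; with "no" the config names a different key.
make_fixture() {
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1/req.cnf"
  (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null) || return 1
  openssl req -new -x509 -config "$1/req.cnf" -key "$1/httpd.key" \
    -subj "/CN=www.example.test" -days 30 -out "$1/httpd.crt" || return 1
  keyfile="$1/httpd.key"
  if [ "$2" = no ]; then
    (umask 077; openssl genrsa -out "$1/other.key" 2048 2>/dev/null) || return 1
    keyfile="$1/other.key"
  fi
  cat > "$1/ssl.conf" <<EOF
# SSLCertificateFile /etc/httpd/ssl/old.crt    (commented out: must be ignored)
SSLCertificateFile $1/httpd.crt
SSLCertificateKeyFile $keyfile
EOF
}

# run_check MATCHING(yes|no): build a fixture, check it, clean up, and return
# the result of check_ssl_conf so callers can assert on it.
run_check() {
  dir=$(mktemp -d) || return 1
  make_fixture "$dir" "$1" || { rm -rf "$dir"; return 1; }
  if check_ssl_conf "$dir/ssl.conf"; then status=0; else status=1; fi
  rm -rf "$dir"
  return $status
}

run_check yes && echo "matching key and certificate: safe to restart httpd"
run_check no  || echo "mismatched key and certificate: httpd would fail to start"
```

To use it against the real configuration, call check_ssl_conf /etc/httpd/conf.d/ssl.conf as root (the private key is mode 600) and restart httpd only when it returns 0; it complements httpd -t rather than replacing it.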



Check the syntax
# httpd -t
# service httpd restart
Check whether port 443 is listening
# netstat -tnlp   or   # ss -tnl
If it is, port 443 is being listened on and the HTTPS service can be used.

Open port 443 in iptables

# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# service iptables save

=================================================
Access test:

Install the CA root certificate cacert.pem on the browser side

Open the browser settings, find the certificate import function, and import the certificate as trusted

If you do not have a DNS server, point www.51cto.com at this web server's IP

Edit the hosts file on the browser's machine and add
192.168.1.101 www.51cto.com

Windows: C:\Windows\System32\drivers\etc\hosts
Linux: vim /etc/hosts
Mac OS: vi /etc/hosts

Access test: https://www.51cto.com/ works!

Internet Explorer accepts this certificate and shows no trust warning
Maxthon browser accepts this certificate and shows no trust warning
UC Browser accepts this certificate and shows no trust warning
===================================================
At this point the underlying service for HTTPS is available.

Thank you for reading. If you have questions about this article, please e-mail [email protected]. Open source community: with you it is more exciting!















This article comes from the blog "Life is endless, tossing and turning"; please keep this source link: http://990487026.blog.51cto.com/10133282/1686127
