Certificate categories
- Root certificate: self-signed; both the server certificate and the client certificate are issued from it.
- Server certificate: issued by the root certificate; configured on the server.
- Client certificate: issued by the root certificate; configured on the server and sent to the customer so that it can be installed in the browser.
Be aware that
1. The CN of the server certificate must match ServerName; otherwise httpd prints a warning when it starts.
2. To install the client certificate in a browser it has to be converted to PKCS12 (PFX) format; otherwise it can be installed but is not valid.
3. Install the root certificate into the browser's trusted CAs and you will no longer be warned when accessing the server.
Environment: CentOS 6 x64, OpenSSL 1.0.1, Apache 2.2
Preparation
echo -n > /etc/pki/CA/index.txt
echo 'xx' > /etc/pki/CA/serial      # xx: the starting serial number, two hex digits
Note that index.txt must be initialised to exactly 0 bytes; not even a newline is allowed.
1. Root certificate
# Edit /etc/pki/tls/openssl.cnf and uncomment nsCertType = server:
[ usr_cert ]
nsCertType = server
cd /etc/pki/CA
# Generate the key
openssl genrsa -out private/myca.key 1024
# Generate a self-signed certificate
openssl req -new -x509 -key private/myca.key -out certs/myca.crt
Once this CRT is imported into the client browser, the certificate warning is no longer displayed.
2. Server certificate
cd /etc/pki/tls
openssl genrsa -out private/sv.key
# Build the request
openssl req -new -key private/sv.key -out private/sv.csr
# Sign it with the root certificate
openssl ca -in private/sv.csr -keyfile ../CA/private/myca.key -cert ../CA/certs/myca.crt -out certs/sv.crt
Sometimes, when several certificates are issued, signing fails because information such as the common name is duplicated.
Re-initialising index.txt and serial fixes this.
3. Client certificate
# Edit /etc/pki/tls/openssl.cnf again: comment out nsCertType = server and uncomment nsCertType = client, email:
[ usr_cert ]
nsCertType = client, email
cd /etc/pki/tls
openssl genrsa -out private/clnt1.key 1024
openssl req -new -key private/clnt1.key -out private/clnt1.csr
openssl ca -in private/clnt1.csr -keyfile ../CA/private/myca.key -cert ../CA/certs/myca.crt -out certs/clnt1.crt
The personal certificate has to be converted to PFX format:
openssl pkcs12 -export -in certs/clnt1.crt -out certs/clnt1.pfx -inkey private/clnt1.key
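The three-step procedure above, rebuilt non-interactively in a throwaway directory so the result can be checked (added example, not code from the original post). It assumes an openssl binary on PATH; the CA layout mirrors the Preparation step, the nsCertType sections replace the two edits of openssl.cnf, and every name, subject and password is constructed for the demo. The check functions cover the page's pitfalls: the chain verifies against the root, the server CN equals the server name, each certificate carries the intended nsCertType, the PFX bundle opens, and signing a second CSR with the same subject is rejected.

```shell
# Added example (not the original post's code). Assumes `openssl` on PATH;
# all directory names, subjects and the PFX password below are constructed.
set -e
build_pki() {
    WORK=$(mktemp -d) && cd "$WORK"
    mkdir -p ca/certs ca/private ca/newcerts certs private
    : > ca/index.txt            # must be exactly 0 bytes, not even a newline
    echo 01 > ca/serial         # first serial number, two hex digits
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_cert ]
nsCertType = server
[ client_cert ]
nsCertType = client, email
EOF
    openssl genrsa -out ca/private/myca.key 2048          # 1. self-signed root (myca.crt)
    openssl req -new -x509 -config openssl.cnf -key ca/private/myca.key -subj "/CN=Demo Root CA" -out ca/certs/myca.crt
    for spec in "sv /CN=localhost server_cert" "clnt1 /CN=client1 client_cert"; do   # 2. server, 3. client
        set -- $spec
        openssl genrsa -out "private/$1.key" 2048
        openssl req -new -config openssl.cnf -key "private/$1.key" -subj "$2" -out "private/$1.csr"
        openssl ca -batch -notext -config openssl.cnf -keyfile ca/private/myca.key -cert ca/certs/myca.crt \
            -extensions "$3" -in "private/$1.csr" -out "certs/$1.crt"
    done
    openssl pkcs12 -export -in certs/clnt1.crt -inkey private/clnt1.key -out certs/clnt1.pfx -passout pass:demo
}
chain_ok()      { openssl verify -CAfile ca/certs/myca.crt certs/sv.crt certs/clnt1.crt >/dev/null; }
server_cn()     { openssl x509 -noout -subject -nameopt RFC2253 -in certs/sv.crt | sed 's/^subject= *//'; }
has_cert_type() { openssl x509 -noout -text -in "certs/$1.crt" | grep -q "$2"; }   # e.g. "SSL Client, S/MIME"
pfx_ok()        { openssl pkcs12 -in certs/clnt1.pfx -passin pass:demo -noout; }
dup_rejected()  { if openssl ca -batch -config openssl.cnf -keyfile ca/private/myca.key -cert ca/certs/myca.crt -in private/sv.csr -out /dev/null 2>/dev/null; then return 1; fi; }
build_pki
chain_ok && echo "chain OK, server CN = $(server_cn)"
```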
Apache configuration
SSLCertificateFile /etc/pki/tls/certs/sv.crt
SSLCertificateKeyFile /etc/pki/tls/private/sv.key
SSLCertificateChainFile /etc/pki/tls/certs/chain.crt    <-- where did this come from?
SSLCACertificateFile /etc/pki/tls/certs/myca.crt
SSLVerifyClient require
SSLVerifyDepth 1
nginx configuration
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/pki/tls/certs/sv2.crt;
    ssl_certificate_key /etc/pki/tls/private/sv2.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate /etc/pki/CA/certs/myca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;
}
Additionally, you may run into a certificate that cannot be deleted from the browser. The workaround is to open the certificate store in MMC, where it can be deleted.
When configuring nginx on Windows, you may find that modules such as the session cache are not available; ssl_session_cache and similar directives then need to be commented out.
To generate DH parameters:
openssl dhparam -out dh1024.pem 1024