III. Certificate Deployment
If you use two-way authentication, you will have three private keys and three certificates: ca.key, ca.crt, server.key, server.crt, client.key, client.crt, plus client.pfx for import into the browser.
If you use one-way authentication with a CA certificate, the certificates and private keys are ca.key, ca.crt, server.key and server.crt.
If you use one-way authentication without a CA certificate, the certificate and private key are server.key and server.crt.
1. Modify the httpd.conf file
**In the case of an RPM installation you do not need to modify httpd.conf, because `Include conf.d/*.conf` is present in httpd.conf by default and the conf.d directory already contains ssl.conf. You only need to edit ssl.conf.**
**With an RPM-installed Apache, mod_ssl may not be present initially and has to be installed, either with `yum install mod_ssl` or from the RPM packages, which requires mod_ssl, apr-util, distcache, httpd, postgresql-libs and their other dependencies.**
If you do need to modify httpd.conf, add `Include conf.d/ssl.conf` (the path of the configuration file used by the SSL module).
2. Modify the ssl.conf file
[root@<host> conf.d]# cp -p ssl.conf ssl.conf.bk
[root@<host> conf.d]# vi ssl.conf
---------------------------------------
# can be changed to another port
Listen 443
# with an encrypted key the passphrase is prompted for each time Apache restarts
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/server.key
# two-way authentication only
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
# two-way authentication only: the client is required to present an SSL certificate
SSLVerifyClient require
# two-way authentication only
SSLVerifyDepth 10
</VirtualHost>
---------------------------------------
If the key is passphrase-protected you will have to enter the passphrase every time Apache restarts. You can re-export the key as follows (openssl prompts for the existing passphrase once and writes the key out without it):
[root@<host> ssl.crt]# openssl rsa -in server.key -out server2.key
[root@<host> ssl.crt]# mv server.key server.key.originalkey
[root@<host> ssl.crt]# mv server2.key server.key
3. Restart Apache
[root@<host> ssl.crt]# service httpd restart
If the port is not the default 443 (for example 446), the following error may occur:
Starting httpd: (13) Permission denied: make_sock: could not bind to address [::]:446
(13) Permission denied: make_sock: could not bind to address 0.0.0.0:446
No listening sockets available, shutting down
Unable to open logs
[FAILED]
You can use the semanage tool to add the port to the set SELinux allows Apache to listen on:
[root@<host> ssl.crt]# semanage port -l | grep http
[root@<host> ssl.crt]# semanage port -a -t http_port_t -p tcp 446
Restart Apache again and it should now start.
4. Open firewall port
[root@<host> conf]# cd /etc/sysconfig/
[root@<host> sysconfig]# vi iptables
-------------------------------------
Add:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 446 -j ACCEPT
-------------------------------------
[root@<host> sysconfig]# /etc/init.d/iptables restart
After this configuration, a client that does not have a certificate installed cannot access the server on port 446.
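The server-side steps above combine four things that are easy to get wrong before the first restart: the set of directives that distinguishes one-way from two-way authentication, whether server.key still carries a passphrase (and will therefore prompt at every restart), whether the chosen port is labelled http_port_t for SELinux, and whether iptables accepts it. The script below is an added example, not part of the original post and not Apache's own tooling; it only inspects text. The ssl.conf fragment, the `semanage port -l` output, the iptables rule and the key header are constructed samples, and the suggested fixes it prints are the commands from the post.

```python
import re

# Constructed sample inputs (not from any real host), modelled on the post's directives.
SAMPLE_SSL_CONF = """\
Listen 446
SSLPassPhraseDialog builtin
<VirtualHost _default_:446>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>
"""

# Constructed `semanage port -l | grep http` output: 446 is not yet labelled http_port_t.
SAMPLE_SEMANAGE = """\
http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
"""

# Constructed /etc/sysconfig/iptables fragment: only 443 is opened.
SAMPLE_IPTABLES = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT\n"

# Constructed header of a passphrase-protected key; the body is a placeholder, not key material.
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")


def parse_ssl_conf(text):
    """Collect the Listen ports and the directives inside the <VirtualHost> block."""
    ports, directives, in_vhost = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            in_vhost = True
        elif low.startswith("</virtualhost"):
            in_vhost = False
        else:
            parts = line.split(None, 1)
            name = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if name == "listen":
                # "Listen 446", "Listen 1.2.3.4:446" and "Listen 446 https" all yield 446
                ports.append(int(value.split()[0].rsplit(":", 1)[-1]))
            elif in_vhost:
                directives[name] = value
    return ports, directives


def auth_mode(d):
    """Map the vhost directives onto the three deployments the post lists."""
    if "sslcertificatefile" not in d or "sslcertificatekeyfile" not in d:
        return "incomplete"
    has_ca = "sslcacertificatefile" in d
    if d.get("sslverifyclient", "none").lower() == "require":
        return "two-way" if has_ca else "two-way-missing-ca"
    return "one-way-with-ca" if has_ca else "one-way-no-ca"


def key_is_encrypted(pem):
    """True for a passphrase-protected PEM key: traditional 'Proc-Type: 4,ENCRYPTED'
    header or a PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' line."""
    return "ENCRYPTED" in "\n".join(pem.splitlines()[:3])


def selinux_ports(semanage_out, port_type="http_port_t"):
    """Return the tcp ports (ranges expanded) that semanage lists for port_type."""
    allowed = set()
    for line in semanage_out.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == port_type and parts[1] == "tcp":
            for item in parts[2].split(","):
                lo, _, hi = item.strip().partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


_ACCEPT = re.compile(r"^-A\s+\S+.*\s-p\s+tcp\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT")


def firewall_allows(rules, port):
    """True if the iptables rule set contains an ACCEPT rule for tcp/<port>."""
    for line in rules.splitlines():
        m = _ACCEPT.search(line.strip())
        if m and int(m.group(1)) == port:
            return True
    return False


def preflight(ssl_conf, semanage_out, iptables_rules, key_pem):
    """Run all checks; return the detected mode, the Listen ports and a list of findings."""
    ports, d = parse_ssl_conf(ssl_conf)
    mode = auth_mode(d)
    findings = []
    if mode == "incomplete":
        findings.append("SSLCertificateFile / SSLCertificateKeyFile missing from the vhost")
    if mode == "two-way-missing-ca":
        findings.append("SSLVerifyClient require needs SSLCACertificateFile (ca.crt)")
    if key_is_encrypted(key_pem):
        findings.append("server.key is passphrase-protected: prompted at every restart; "
                        "strip it with: openssl rsa -in server.key -out server2.key")
    allowed = selinux_ports(semanage_out)
    for p in ports:
        if p not in allowed:
            findings.append(f"SELinux: {p} not in http_port_t; run: "
                            f"semanage port -a -t http_port_t -p tcp {p}")
        if not firewall_allows(iptables_rules, p):
            findings.append(f"firewall: no ACCEPT rule for tcp/{p}; add: -A RH-Firewall-1-INPUT "
                            f"-m state --state NEW -m tcp -p tcp --dport {p} -j ACCEPT")
    return {"mode": mode, "ports": ports, "findings": findings}


if __name__ == "__main__":
    result = preflight(SAMPLE_SSL_CONF, SAMPLE_SEMANAGE, SAMPLE_IPTABLES, SAMPLE_KEY)
    print(f"mode={result['mode']} ports={result['ports']}")
    for finding in result["findings"]:
        print("-", finding)
```

On a real host you would feed `preflight` the contents of /etc/httpd/conf.d/ssl.conf, the output of `semanage port -l`, /etc/sysconfig/iptables and the key file; with the constructed samples it reports the two-way mode and three findings (encrypted key, port 446 missing from http_port_t, no firewall rule for 446), which are exactly the three restart failures the post walks through.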
5. Install the certificate on the client
Using IE as an example:
"Tools" - "Internet Options" - "Content" - "Certificates" - "Trusted Root Certification Authorities" - "Import", and import ca.crt.
(Two-way authentication) "Tools" - "Internet Options" - "Content" - "Certificates" - "Personal" - "Import", and import client.p12; you will need to enter the file's password.
The website can then be accessed over HTTPS.
* If access fails in IE but works in other browsers such as Firefox or Chrome, make the following settings in IE:
"Tools" - "Internet Options" - "Advanced" - "Security"
Use the minimum versions of SSL and TLS: for SSL tick "Use SSL 2.0" and leave the other SSL versions unticked;
for TLS tick "Use TLS 1.0" and leave the other TLS versions unticked.
* Other browsers work similarly; if you run into problems, search Baidu.
This article is from the "Dream to Reality" blog, please be sure to keep this source http://lookingdream.blog.51cto.com/5177800/1870099
Import SSL certificate under Linux (configured for Apache)