Apache + ssl + ca, apachessl

Source: Internet
Author: User

Step 1: Set up an Apache server (see the previous blog post, http://www.cnblogs.com/sangmu/p/6422238.html). Then install SSL:

yum install mod_ssl -y
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
service iptables save

vim /etc/httpd/conf.d/ssl.conf

# Apache only accepts comments on their own lines, never after a directive
# listening port
Listen 443
# virtual host; to encrypt only one site, replace _default_ with its domain name
<VirtualHost _default_:443>
# directory holding the web pages
DocumentRoot "/var/www/html"
# domain name of the encrypted site
ServerName www.example.com:443
# enable SSL
SSLEngine on
# web server certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/test.crt
# web server private key
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/test.key
# CA certificate
SSLCACertificateFile /etc/pki/CA/ca.crt
# two-way authentication: once enabled, the browser client must present a certificate issued by this CA
SSLVerifyClient require
# maximum depth of the client certificate chain
SSLVerifyDepth 10
</VirtualHost>
This completes the SSL installation. Step 3: Install the CA. ① Install openssl and edit its configuration
yum install openssl -y
vim /etc/pki/tls/openssl.cnf

# [ CA_default ] section
dir             = /etc/pki/CA           # CA directory
certs           = $dir/certs            # issued certificates
crl_dir         = $dir/crl              # revoked certificates (CRLs)
database        = $dir/index.txt        # index of issued certificates
new_certs_dir   = $dir/newcerts         # newly issued certificates
certificate     = $dir/ca.crt           # CA certificate
serial          = $dir/serial           # next certificate serial number
crlnumber       = $dir/crlnumber        # current certificate revocation list number
private_key     = $dir/private/ca.key   # CA private key
# [ policy_match ] section: these fields no longer have to match the CA certificate
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
② Create directories and files
cd /etc/pki/CA
mkdir certs newcerts crl
touch index.txt serial
echo 01 > serial    # write the initial serial number
③ Generate the CA key
umask 077;openssl genrsa -out private/ca.key 2048
Note: umask 077 sets the permissions of the generated file; genrsa generates a private key; -out is the path where the private key is stored; 2048 is the key length. ④ Issue the CA's own certificate, ca.crt
openssl req -x509 -new -key private/ca.key -out ca.crt -days 3652
Country Name (2 letter code) [GB]:CN                                          # country
State or Province Name (full name) [Berkshire]:JS                             # province
Locality Name (eg, city) [Newbury]:NT                                         # city
Organization Name (eg, company) [My Company Ltd]:NTZD                         # organization
Organizational Unit Name (eg, section) []:DZX                                 # department
Common Name (eg, your name or your server's hostname) []:test4.sangmu.com     # domain name
Email Address []:root                                                         # email
Step 4: Apply for a certificate and key for Apache. ① Create the directories
cd /etc/httpd/conf
mkdir ssl.key ssl.crt
② Generate the key
umask 007;openssl genrsa -out ssl.key/test.key 2048
③ Fill in the certificate signing request, test.csr, which Step 5 signs
openssl req -new -key ssl.key/test.key -out test.csr

Step 5: Issue the certificate from the request
openssl ca -in test.csr -out ssl.crt/test.crt -days 100    # written to the path that SSLCertificateFile in ssl.conf points to
Restart the httpd service. At this point, clients can connect over encrypted HTTPS.
If two-way authentication is enabled, you also need to issue a certificate to the browser client. ① Generate the client key, client.key
umask 077;openssl genrsa -out client.key 2048
② Fill in the certificate signing request, client.csr
openssl req -new -key client.key -out client.csr
③ Issue the client certificate, client.crt
openssl ca -in client.csr -out client.crt -days 100
④ Convert the client certificate to PKCS#12 format
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
⑤ Install the CA root certificate ca.crt and the client certificate client.p12 on the client
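As an added example (not part of the original post), the script below reproduces Steps 3 to 5 and the client steps above in a scratch directory, non-interactively, and then runs the checks worth doing before restarting httpd: that test.crt and client.crt chain to ca.crt, that each certificate matches its private key, and that client.p12 opens with its export password. It signs with `openssl x509 -req` instead of `openssl ca` so openssl.cnf needs no edits; the subject names, file names and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds the post's CA, server and client
# certificates in a scratch dir with the same openssl steps, but non-interactively (-subj)
# and signed via "openssl x509 -req" instead of "openssl ca" (no openssl.cnf edits). Names are made up.
set -eu

gen_key() {   # $1 = output file; umask 077 keeps the key private, as in the post
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
}

issue_cert() {   # $1 = CA dir, $2 = key, $3 = subject, $4 = output certificate
    openssl req -new -key "$2" -subj "$3" -out "$4.csr" 2>/dev/null
    openssl x509 -req -in "$4.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAserial "$1/serial" -days 100 -out "$4" 2>/dev/null
}

setup_pki() {   # $1 = scratch dir; creates ca.crt, test.crt/key, client.crt/key/p12
    mkdir -p "$1"
    echo 01 > "$1/serial"               # initial serial number, as in the post
    gen_key "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -days 3652 \
        -subj "/C=CN/O=Example Lab CA/CN=example-lab-ca" -out "$1/ca.crt" 2>/dev/null
    gen_key "$1/test.key"
    issue_cert "$1" "$1/test.key" "/C=CN/CN=www.example.com" "$1/test.crt"
    gen_key "$1/client.key"
    issue_cert "$1" "$1/client.key" "/C=CN/CN=browser-user" "$1/client.crt"
    # PKCS#12 bundle for the browser; the export password protects the private key
    openssl pkcs12 -export -clcerts -in "$1/client.crt" -inkey "$1/client.key" \
        -out "$1/client.p12" -passout pass:changeit
}

# Check 1: the certificate chains to ca.crt, which is what httpd verifies against
# SSLCACertificateFile when SSLVerifyClient is set to require.
verify_chain() {   # $1 = CA dir, $2 = certificate
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Check 2: SSLCertificateFile and SSLCertificateKeyFile belong together: the
# public key inside the certificate must equal the one derived from the key.
key_matches_cert() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the .p12 opens with its password and still carries the client certificate.
p12_is_usable() {   # $1 = p12 file, $2 = export password
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}
```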
Two-way authentication is now complete. Note: this experiment was performed on CentOS 5.5 with Google Chrome on Windows 7.