Apache + SSL + CA
Step 1: Set up an Apache server. This was completed in the previous post: http://www.cnblogs.com/sangmu/p/6422238.html
Step 2: Install SSL
yum install mod_ssl -y
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT   # open port 443 in the firewall
service iptables save

vim /etc/httpd/conf.d/ssl.conf

Listen 443                                               # listening port
<VirtualHost _default_:443>                              # virtual host; if only one site is encrypted, replace _default_ with its domain name
    DocumentRoot "/var/www/html"                         # directory holding the web files
    ServerName www.example.com:443                       # domain name of the encrypted site
    SSLEngine on                                         # enable SSL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/test.crt  # web server certificate
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/test.key  # web server private key
    SSLCACertificateFile /etc/pki/CA/ca.crt              # CA certificate
    SSLVerifyClient require                              # enable two-way authentication; the browser must then present a certificate issued by this CA
    SSLVerifyDepth 10                                    # maximum certificate chain depth accepted when verifying the client
</VirtualHost>
SSL installation is now complete.
Step 3: Install the CA
① Install OpenSSL and edit its configuration

yum install openssl -y
vim /etc/pki/tls/openssl.cnf

dir             = /etc/pki/CA            # CA working directory
certs           = $dir/certs             # issued certificates
crl_dir         = $dir/crl               # revoked certificates (CRLs)
database        = $dir/index.txt         # index database
new_certs_dir   = $dir/newcerts          # newly issued certificates
certificate     = $dir/ca.crt            # CA certificate
serial          = $dir/serial            # current certificate serial number
crlnumber       = $dir/crlnumber         # current CRL number
private_key     = $dir/private/ca.key    # CA private key

# the following belong to the [ policy_match ] section
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
② Create directories and files
cd /etc/pki/CA
mkdir certs newcerts crl
touch index.txt serial
echo 01 > serial   # set the initial serial number
③ Generate the ca key
umask 077;openssl genrsa -out private/ca.key 2048
Note: umask 077 sets the permissions of the files being created; genrsa generates an RSA private key; -out gives the path where the key is stored; 2048 is the key length in bits.
④ Issue the CA's own certificate ca.crt

openssl req -x509 -new -key private/ca.key -out ca.crt -days 3652
Country Name (2 letter code) [GB]: CN                                 # country
State or Province Name (full name) [Berkshire]: JS                    # province
Locality Name (eg, city) [Newbury]: NT                                # city
Organization Name (eg, company) [My Company Ltd]: NTZD                # organization
Organizational Unit Name (eg, section) []: DZX                        # department
Common Name (eg, your name or your server's hostname) []: test4.sangmu.com   # domain name
Email Address []: root                                                # e-mail
Step 4: Request a certificate and key for Apache
① Create directories

cd /etc/httpd/conf
mkdir ssl.key ssl.crt
② Generate a key
umask 007;openssl genrsa -out ssl.key/test.key 2048
③ Fill in the certificate signing request test.csr
openssl req -new -key ssl.key/test.key -out test.csr
Step 5: Issue the certificate
openssl ca -in test.csr -out ssl.crt/test.crt -days 100   # write the signed certificate to the path ssl.conf points at
Restart the service; clients can now access the site over HTTPS.
If two-way authentication is enabled, a certificate must also be issued to the browser client.
① Generate the client key client.key
umask 077;openssl genrsa -out client.key 2048
② Fill in the certificate signing request client.csr
openssl req -new -key client.key -out client.csr
③ Issue the client certificate client.crt
openssl ca -in client.csr -out client.crt -days 100
④ Convert the client certificate to PKCS#12 format
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
⑤ Install the CA root certificate ca.crt and the client certificate client.p12 in the client browser
This completes two-way verification. Note: this walkthrough was done on CentOS 5.5 with Google Chrome on Windows 7.
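As an added example (not part of the original post), the script below rebuilds the post's CA layout in a temporary directory, runs the key, CSR and `openssl ca` steps non-interactively for a server and a client, and then checks what SSLVerifyClient require relies on: certificates issued by the CA verify against ca.crt, and a self-signed certificate from elsewhere does not. The CA name demo-ca, the client name client1 and the temporary directory are constructed for the demo.

```shell
# Added example, not from the original post: rebuild the post's CA layout in a temp dir,
# issue server and client certs with `openssl ca`, and check that only CA-issued certs verify.
set -e
write_ca_config() {   # minimal openssl.cnf carrying the post's [ CA_default ] settings
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
serial = \$dir/serial
private_key = \$dir/private/ca.key
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
issue_cert() {   # $1 = CA dir, $2 = file name, $3 = CN; key -> CSR -> CA-signed cert (post steps 4 and 5)
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" -config "$1/openssl.cnf" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" -days 100 2>/dev/null
}
demo_mutual_tls_ca() {   # returns 0 iff the CA-issued certs verify against ca.crt and a rogue cert does not
    ca=$(mktemp -d)
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"          # same bootstrap as the post
    write_ca_config "$ca"
    umask 077; openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$ca/private/ca.key" -out "$ca/ca.crt" -days 3652 -subj "/CN=demo-ca" -config "$ca/openssl.cnf" 2>/dev/null
    issue_cert "$ca" server www.example.com; issue_cert "$ca" client client1
    openssl verify -CAfile "$ca/ca.crt" "$ca/server.crt" "$ca/client.crt" >/dev/null 2>&1 || { rm -rf "$ca"; return 1; }
    # a self-signed certificate from outside this CA must fail: this is what SSLVerifyClient require enforces
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$ca/rogue.key" -out "$ca/rogue.crt" -days 1 -subj "/CN=rogue" -config "$ca/openssl.cnf" 2>/dev/null
    if openssl verify -CAfile "$ca/ca.crt" "$ca/rogue.crt" >/dev/null 2>&1; then rm -rf "$ca"; return 1; fi
    rm -rf "$ca"
}

demo_mutual_tls_ca && echo "server and client certificates verify against ca.crt; rogue certificate rejected"
```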