OpenSSL self-built root certificate SSL + Apache

Source: Internet
Author: User
Tags: install, openssl, pkcs12

Before installing, you need to understand some basic concepts.

1. The certificates used by SSL can be generated yourself or signed by a commercial CA such as VeriSign or Thawte.

2. Certificate hierarchy: first you must have a root certificate, and then use that root certificate to issue the server certificate and the client certificate. The server certificate and client certificate are generally both part of this hierarchy. The root certificate and the server certificate must be installed on the SSL server for authentication.

Therefore, in this environment you need at least three certificates: the root certificate, the server certificate, and the client certificate.
Before a certificate is generated, a private key is usually created first; that private key is used to generate a certificate request, which is then signed with the root certificate of the CA server.

3. The certificate signing problem: most of the OpenSSL material I found only generates the root certificate, its private key, and the server certificate request, and never actually performs the signing. I drew on a few documents for this. I use the CA.sh script shipped with OpenSSL to sign the certificates, rather than sign.sh from mod_ssl.

Generating certificates with the raw openssl command syntax has many restrictions, such as the directory layout and key locations, and is troublesome. I tried it for several days and finally gave up. If you are interested, refer to the OpenSSL manual.

Step 1: Install OpenSSL and Apache
1. Download openssl-0.9.7e.tar.gz (the latest version at the time of writing) from www.openssl.org.
2. Uninstall the old openssl library:

Code:
# rpm -e --nodeps openssl
3. Unpack the package:

Code:
# tar xzvf openssl-0.9.7e.tar.gz
4. Enter the OpenSSL directory and build it. Use --prefix to specify the OpenSSL installation directory.

Code:
# cd openssl-0.9.7e
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
5. Install Apache.
Download httpd-2.0.52.tar.gz, the latest Apache version at the time of writing, from www.apache.org/dist.
Unpack it, enter the Apache directory, and enable the modules you need. I enabled SSL, rewrite, and dynamic module loading (so).

Code:
# tar zxvf httpd-2.0.52.tar.gz
# cd httpd-2.0.52
# ./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
# make
# make install
Step 2: Signing the certificates
After OpenSSL is installed, there is a CA.sh script in the OpenSSL directory that is used for signing.
We sign three certificates, then use these three certificates to deploy the SSL server.

1. Create an ssl.crt directory under /usr/local/apache/conf and copy CA.sh into /usr/local/apache/conf/ssl.crt/:

Code:
[root@win ssl]# cp /usr/local/openssl/ssl/misc/CA.sh /usr/local/apache/conf/ssl.crt/CA.sh
2. Run CA.sh -newca. It looks for the passphrase-protected private key file of the CA you want to use; if the file does not exist, press Enter to create it automatically and enter a passphrase to protect it. Next you are asked for company information to build the CA certificate. Finally a new ./demoCA directory is created in the current directory: ./demoCA/private/cakey.pem is the CA's key file and ./demoCA/cacert.pem is the CA's certificate file.

Code:
[root@win ssl.crt]# ./CA.sh -newca
Enter the following information:

Quote:
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Fuji
Locality Name (eg, city) [Newbury]:Fuzhou
Organization Name (eg, company) [My Company Ltd]:fjjm
Organizational Unit Name (eg, section) []:FD
Common Name (eg, your name or your server's hostname) []:Win
Email Address []:WIN@WIN.COM
This creates a CA server, with the root certificate's private key cakey.pem and the root certificate cacert.pem. You can now use cacert.pem for signing.

3. Sign the server certificate
Generate the server private key:

Code:
[root@win ssl.crt]# openssl genrsa -des3 -out server.key 1024
Generate the server certificate request:

Code:
[root@win ssl.crt]# openssl req -new -key server.key -out server.csr
Required information:

Code:
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Fuji
Locality Name (eg, city) [Newbury]:Fuzhou
Organization Name (eg, company) [My Company Ltd]:fjjm
Organizational Unit Name (eg, section) []:FD
Common Name (eg, your name or your server's hostname) []:Win
Email Address []:WIN@WIN.COM

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Win
An optional company name []:Wing
Finally, rename server.csr to newreq.pem with mv, and then sign it with CA.sh:

Code:
[root@win ssl.crt]# mv server.csr newreq.pem
[root@win ssl.crt]# ./CA.sh -sign
This generates the server certificate newcert.pem.
Rename newcert.pem to server.crt:

Code:
[root@win ssl.crt]# mv newcert.pem server.crt
4. Process the client:
Generate the client private key:

Code:
[root@win ssl.crt]# openssl genrsa -des3 -out client.key 1024
Generate the request:

Code:
[root@win ssl.crt]# openssl req -new -key client.key -out client.csr
Sign it:

Code:
[root@win ssl.crt]# openssl ca -in client.csr -out client.crt
Convert the certificate to PKCS#12 format:

Code:
[root@win ssl.crt]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
5. You now have three certificates and three private keys: the root certificate under demoCA, and the server certificate and client certificate under ssl.crt; the root key under demoCA/private, and the server key and client key under ssl.crt. The certificate locations and the server key location are set in ssl.conf under conf.

I created the ssl.crt directory under conf and put all the keys and certificates there.

Code:
# cp demoCA/cacert.pem cacert.pem
Copy the certificate again and rename it ca.crt:

Code:
# cp cacert.pem ca.crt
Step 3. Edit ssl.conf

Code:
# cd /usr/local/apache/conf
Edit ssl.conf:

Code:
# server certificate location
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
# server certificate key location
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
# certificate directory
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
# root certificate location
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem
# require client certificates
SSLVerifyClient require
SSLVerifyDepth 1
Start SSL:

Code:
/usr/local/apache/bin/apachectl startssl
The passphrase for server.key is required.
This starts the default SSL server together with the HTTP server.
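The three-certificate PKI of Step 2 and the checks implied by the ssl.conf settings of Step 3, as an added example that is not code from the original post or from OpenSSL's CA.sh: plain openssl commands build the root, server and client certificates non-interactively with explicit CA/server/client extensions, then verify the chain, the key/certificate pairing and the client certificate's purpose. It assumes an openssl binary (1.1.1 or later) with its default openssl.cnf; the subject names, file names and the PKCS#12 password are constructed values.

```shell
# Added example (not from the original post): build the root CA, server and
# client certificates with plain openssl commands instead of CA.sh, then run
# the checks that mod_ssl will effectively run. 2048-bit keys are used since
# 1024-bit RSA is no longer adequate. Names and passwords are constructed.
set -eu

build_pki() {
  dir="$1"
  subj='/C=CN/ST=Fujian/L=Fuzhou/O=fjjm/OU=FD'   # constructed subject base
  mkdir -p "$dir"
  (
    cd "$dir"
    # 1. Root CA: key, request, self-signed cert explicitly marked CA:TRUE.
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -key cakey.pem -out ca.csr -subj "$subj/CN=Example Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -in ca.csr -signkey cakey.pem -days 365 -extfile ca.ext -out cacert.pem
    cp cacert.pem ca.crt          # the copy the post installs on the client
    # 2. Server certificate, restricted to server authentication.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "$subj/CN=www.example.test"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >server.ext
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
      -days 365 -extfile server.ext -out server.crt
    # 3. Client certificate, restricted to client authentication, plus the
    #    PKCS#12 bundle (certificate + key) that is imported on Windows.
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "$subj/CN=alice"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >client.ext
    openssl x509 -req -in client.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
      -days 365 -extfile client.ext -out client.crt
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
      -out client.pfx -passout pass:changeit
  )
}

# Mirrors SSLCACertificateFile + SSLVerifyDepth 1 and the key/cert pairing
# in ssl.conf; exits non-zero at the first failing check.
verify_pki() {
  dir="$1"
  # Both leaf certificates must chain to the root within one step.
  openssl verify -CAfile "$dir/ca.crt" -verify_depth 1 \
    "$dir/server.crt" "$dir/client.crt" >/dev/null
  # server.crt and server.key must share a public key, or Apache will not start.
  [ "$(openssl x509 -noout -pubkey -in "$dir/server.crt")" = \
    "$(openssl pkey -pubout -in "$dir/server.key")" ]
  # The client certificate must be valid for client use but not as a server.
  openssl x509 -noout -purpose -in "$dir/client.crt" | grep -q '^SSL client : Yes'
  openssl x509 -noout -purpose -in "$dir/client.crt" | grep -q '^SSL server : No'
}
```

Source the file and run `build_pki /tmp/pki && verify_pki /tmp/pki`; the resulting files map one-to-one onto the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile entries above.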

Step 4. Install and use the certificates
Copy the ca.crt root certificate and the client.pfx client certificate just generated to the client machine and install them there:
ca.crt is installed as a trusted root certification authority, and client.pfx is imported directly into Windows under the personal certificates; then access the HTTP and HTTPS servers by IP address.
