HTTPS service configuration based on apache2.4.4

Source: Internet
Author: User

Environment: two Linux virtual machines and one native Windows machine. One Linux machine is the Web server, running apache 2.4.4 to serve HTTPS; the other is the CA server; the Windows machine is used to test the HTTPS configuration.

1. CA server generates a private CA

1.1 Generate the private key (work in /etc/pki/CA)

[ca-server /etc/pki/CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)     // The CA private key must be stored in the private directory under the name cakey.pem
Generating RSA private key, 1024 bit long modulus
..................................................++++++
........++++++
e is 65537 (0x10001)

1.2 Making a private CA

[ca-server /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  // Fill in any country, but be sure to remember it
State or Province Name (full name) []:hangzhou                        // Province, same as above
Locality Name (eg, city) [Default City]:hangzhou                      // City, same as above
Organization Name (eg, company) [Default Company Ltd]:taobao          // Company, same as above
Organizational Unit Name (eg, section) []:test                        // Department
Common Name (eg, your name or your server's hostname) []:test.com     // Fill in your company's domain name here
Email Address []:[email protected]                                    // Admin mail
[ca-server /etc/pki/CA]#

Check whether the certs, newcerts and crl directories and the index.txt and serial files exist locally; create any that are missing and give serial an initial value.

[ca-server /etc/pki/CA]# ls
ca.key  certs  crl  newcerts  private
[ca-server /etc/pki/CA]# touch serial index.txt
[ca-server /etc/pki/CA]# ls
ca.key  certs  crl  index.txt  newcerts  private  serial
[ca-server /etc/pki/CA]# echo "01" > serial       // The serial must be an even number of hex digits; "01" gives the first certificate serial number 1

2. Web server generates a certificate request

2.1 Take the httpd service as the example of the service to be configured for HTTPS

Create an ssl directory under /etc/httpd/ to hold the private key and the certificate request; the directory name itself is arbitrary.

2.2 Generate the private key, as above

[web-server /etc/httpd/ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.......................++++++
..............................++++++
e is 65537 (0x10001)

2.3 Generate the certificate signing request

[web-server /etc/httpd/ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  // The following fields must be the same as in the private CA; since the CA is internal, keep them identical so the request can be signed
State or Province Name (full name) []:hangzhou
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:taobao
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.a.org    // The domain name you are configuring HTTPS for
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[web-server /etc/httpd/ssl]#

3. Send the request httpd.csr to the CA server for signing (copy it across)

[web-server /etc/httpd/ssl]# scp -P 5211 httpd.csr 192.168.136.131:/tmp/     // scp takes the port as an upper-case -P; lower-case -p only preserves timestamps
httpd.csr                                     100%  688     0.7KB/s   00:00

4. CA signs the request

4.1 A problem shows up here

[ca-server /etc/pki/CA]# openssl ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
... in 'policy' configuration

4.2 Look at the configuration file

The policy section of openssl.cnf defines which fields of the request must be identical to the CA certificate (match), which may be left out (optional) and which must be present (supplied). The default [ policy_match ] section had been edited incorrectly: the field contents (CN, Henan, WEB and so on) had been written next to the keywords, which openssl does not accept. Restoring the entries to the keyword-only form below lets the request be signed.

# For the CA policy                                  // Which fields must match the CA certificate, which are optional, which must be supplied
[ policy_match ]
countryName             = match                      // had been written as "CountryName = CN match"
stateOrProvinceName     = match                      // had been written as "stateOrProvinceName = Henan match"
organizationName        = match                      // had been written as "organizationName = WEB match"
organizationalUnitName  = optional                   // had been written as "organizationalUnitName = WEB optional"
commonName              = supplied                   // had been written as "commonName = Test supplied"
emailAddress            = optional                   // had been written as "emailAddress = [email protected] optional"

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
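The check below reproduces what the [ policy_match ] section of step 4.2 enforces, so a mismatch between the request from step 2.3 and the CA certificate from step 1.2 is reported before openssl ca rejects it. It is an added example and not part of the original article; subjects are handled as RFC2253 strings, and the sample subjects are constructed from the values the article used. The check_csr_against_ca function reads the real subjects with openssl and is only needed on the CA server.

```shell
#!/bin/sh
# Added example (not from the original article): compare a certificate
# request with the CA certificate the way the default [ policy_match ]
# section does, so a mismatch is explained before "openssl ca" is run.
# Subjects are RFC2253 strings ("CN=...,OU=...,O=...,ST=...,C=...").

# Print the value of one attribute in an RFC2253 subject string.
# Usage: subject_field "CN=www.a.org,O=taobao,C=CN" O   -> taobao
# (Escaped commas inside values are not handled; these names have none.)
subject_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Apply the policy_match rules: C, ST and O must equal the CA's values
# (match) and CN must be present in the request (supplied); the remaining
# fields are optional. Arguments: <CA subject> <request subject>.
# Prints each violation and returns 1, or returns 0 when the request passes.
policy_check() {
    ca_subj=$1
    req_subj=$2
    rc=0
    for f in C ST O; do
        a=$(subject_field "$ca_subj" "$f")
        b=$(subject_field "$req_subj" "$f")
        if [ "$a" != "$b" ]; then
            echo "$f must match: CA has '$a', request has '$b'"
            rc=1
        fi
    done
    if [ -z "$(subject_field "$req_subj" CN)" ]; then
        echo "CN must be supplied in the request"
        rc=1
    fi
    return $rc
}

# Read the real subjects with openssl and run the same check.
# Usage: check_csr_against_ca cacert.pem /tmp/httpd.csr   (needs openssl)
check_csr_against_ca() {
    ca_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    req_subj=$(openssl req -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    policy_check "$ca_subj" "$req_subj"
}

# Constructed subjects: the CA from step 1.2 and the request from step 2.3.
CA_SUBJECT="CN=test.com,OU=test,O=taobao,ST=hangzhou,C=CN"
GOOD_REQUEST="CN=www.a.org,OU=test,O=taobao,ST=hangzhou,C=CN"
# A request whose province differs from the CA's: the kind of mismatch that
# a 'match' rule rejects.
BAD_REQUEST="CN=www.a.org,OU=test,O=taobao,ST=Henan,C=CN"

policy_check "$CA_SUBJECT" "$GOOD_REQUEST" && echo "request would pass policy_match"
policy_check "$CA_SUBJECT" "$BAD_REQUEST" || echo "request would be rejected by policy_match"
```

On the CA server, check_csr_against_ca cacert.pem /tmp/httpd.csr gives the same verdict for the real files; when it reports a field, fix the request (or the policy section) rather than editing field contents into openssl.cnf as in step 4.2.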

4.3 CA signature

[ca-server /etc/pki/CA]# openssl ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul ... GMT
            Not After : Jul ... GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hangzhou
            organizationName          = taobao
            organizationalUnitName    = test
            commonName                = www.a.org
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                c7:06:ac:d8:c2:49:da:f6:dd:1a:03:75:4f:94:26:fd:53:e7:18:5f
            X509v3 Authority Key Identifier:
                keyid:f2:a3:e1:30:32:e5:24:38:6f:4d:ff:3f:97:b1:e7:84:4a:41:97:36

Certificate is to be certified until Jul ... 05:17:43 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[ca-server /etc/pki/CA]# ls
cacert.pem  certs  crl  httpd.crt  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[ca-server /etc/pki/CA]#

5. The CA then sends httpd.crt back to the Web server

[ca-server /etc/pki/CA]# scp httpd.crt 192.168.136.135:/etc/httpd/ssl/
httpd.crt                                     100% 3128     3.1KB/s   00:00

6. If the mod_ssl module is not yet loaded, first edit the Web server's /etc/httpd/conf.d/httpd.conf

6.1 Load the SSL modules

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so     // Remove the leading #; without this module httpd fails with: SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
LoadModule ssl_module modules/mod_ssl.so                         // Likewise remove the leading # so the module is loaded

6.2 Configure /etc/httpd/extra/httpd-ssl.conf

SSLCertificateFile    /etc/httpd/ssl/httpd.crt     // Change to the certificate file location
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key     // Change to the key file location

<VirtualHost 192.168.136.135:443>     // Modify the VirtualHost block here and in httpd-vhosts.conf

#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.a.org"
ServerName www.a.org:443
ServerAdmin [email protected]
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on     // This turns SSL on for the virtual host


7. Restart the service and test www.a.org. Because the private CA is only used internally and is not a publicly trusted issuer, the browser will not trust the certificate. You can import the CA's own certificate so that the private CA becomes a trusted issuer.

Download cacert.pem from the CA server to the local machine, rename it cacert.crt, install it and import it into the trusted root certificate store.
