Preparing an SSL site
1. Self-built CA (certificate signing) server: IP 192.168.1.5, hostname jacktest (linux5.4-32b)
2. HTTP server: IP 192.168.1.3, hostname test (linux5.4-32b)
3. Test server: IP 192.168.1.19, hostname test2 (WinXP)
4. The site name (ServerName) and the certificate's Common Name must be the same, otherwise the browser shows a warning;
5. One IP address can host only one SSL virtual host.
I. Install the SSL environment
[root@test conf.d]# yum install mod_ssl
Installed:
  mod_ssl.i386 1:2.2.3-31.el5
Dependency Installed:
  distcache.i386 0:1.4.5-14.1
[root@test conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf          # SSL configuration file
/usr/lib/httpd/modules/mod_ssl.so   # SSL module
/var/cache/mod_ssl                  # SSL cache directory
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
II. Set up the CA server
[root@jacktest ~]# cd /etc/pki/CA        # CA server 192.168.1.5
[root@jacktest CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
........................................................................................+++
e is 65537 (0x10001)
[root@jacktest CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 28 08:56 cakey.pem
[root@jacktest CA]# vi ../tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued CRLs are kept (revoked certificates)
database        = $dir/index.txt        # Database index file (index of issued certificates)
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # Default place for new certs
certificate     = $dir/cacert.pem       # The CA certificate (the CA's self-signed certificate)
serial          = $dir/serial           # The current serial number; has to be created by hand the first time
...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Jiansu
localityName                    = Locality Name (eg, city)
localityName_default            = Suzhou
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Jacktest
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default  = Tech
[root@jacktest CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655   # generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiansu]:
Locality Name (eg, city) [Suzhou]:
Organization Name (eg, company) [Jacktest]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.jacktest.com
Email Address []:[email protected]
-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJAN...
...
-----END CERTIFICATE-----
[root@jacktest CA]# mkdir certs crl newcerts
[root@jacktest CA]# touch index.txt
[root@jacktest CA]# echo 01 > serial
[root@jacktest CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
III. Generate the web server's certificate request
[root@test ssl]# (umask 077; openssl genrsa 1024 > httpd.key)     # web server 192.168.1.3, in /etc/httpd/ssl
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
....................................++++++
e is 65537 (0x10001)
[root@test ssl]# ll
total 8
-rw------- 1 root root 887 Dec 28 09:40 httpd.key
[root@test ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:Jacktest     # must match the CA's organization name, otherwise signing fails
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:hello.jacktest.com
Email Address []:[email protected]
# hello.jacktest.com: the site name must be the same as the certificate's Common Name, otherwise the browser warns
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test ssl]# ll
total 12
-rw-r--r-- 1 root root 704 Dec 28 09:45 http.csr
-rw------- 1 root root 887 Dec 28 09:40 httpd.key
[root@test ssl]# scp http.csr 192.168.1.5:/tmp
http.csr                                      100%  704     0.7KB/s   00:00
[root@test ssl]#
IV. The CA server signs the certificate request it received
[root@jacktest CA]# ll /tmp/http.csr
-rw-r--r-- 1 root root 708 Dec 28 10:05 /tmp/http.csr
[root@jacktest CA]# openssl ca -in /tmp/http.csr -out /tmp/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 28 02:08:24 2016 GMT
            Not After : Dec 26 02:08:24 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiansu
            organizationName          = Jacktest
            organizationalUnitName    = Tech
            commonName                = hello.jacktest.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:4B:E1:D1:C5:0D:A0:F0:44:54:1B:D7:D3:12:C1:05:E6:61:9D:F8
            X509v3 Authority Key Identifier:
                keyid:38:24:D5:41:1D:98:0D:69:90:0C:95:41:69:72:67:BB:62:4D:4B:A2
Certificate is to be certified until Dec 26 02:08:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@jacktest CA]# cd /etc/pki/CA/
[root@jacktest CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@jacktest CA]# cat index.txt
V       261226020824Z           01      unknown /C=CN/ST=Jiansu/O=Jacktest/OU=Tech/CN=hello.jacktest.com/emailAddress=[email protected]
[root@jacktest CA]# cat serial     # serial number of the next certificate to be issued
02
[root@jacktest tmp]# scp http.crt 192.168.1.3:/etc/httpd/ssl/
root@192.168.1.3's password:
http.crt                                      100% 3885     3.8KB/s   00:00
[root@jacktest tmp]# rm -f http.*
[root@test ssl]# ll          # web server 192.168.1.3
total 16
-rw-r--r-- 1 root root  708 Dec 28 09:59 http.csr
-rw-r--r-- 1 root root 3885 Dec 28 10:25 http.crt
-rw------- 1 root root  887 Dec 28 09:57 httpd.key
V. Configure the SSL virtual host on the web server
[root@test conf.d]# vi ssl.conf
<VirtualHost 192.168.1.3:443>
#   General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName www.jacktest.com:443
DocumentRoot "/www/jacktest.com"
#   Use separate log files for the SSL virtual host; note that LogLevel
#   is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   SSL Protocol support:
#   List the enable protocol levels with which clients will be able to
#   connect.  Disable SSLv2 access by default:
#   (everything except SSLv2)
SSLProtocol all -SSLv2
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/http.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[root@test conf.d]# ll /etc/httpd/ssl/http.crt
-rw-r--r-- 1 root root 3885 Dec 28 11:31 /etc/httpd/ssl/http.crt
[root@test conf.d]# httpd -t
Syntax OK
[root@test conf.d]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
[root@test conf.d]# netstat -tnlp | grep :443
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      14998/httpd
[root@test conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[Screenshot: Html10.png, the site opened over https in the browser]
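The whole procedure above (build the CA, create the server's CSR, sign it, and then the check behind note 4) can be run non-interactively, which also makes the two failure modes the post mentions visible: a request whose Organization Name differs from the CA's is refused by the signing policy, and a certificate for hello.jacktest.com does not satisfy a client that connects to www.jacktest.com. The script below is an added example, not code from the original post; hostnames and DN values are the post's, while the minimal openssl.cnf it writes, the function names, the scratch directory layout (everything under one directory instead of two machines) and the subjectAltName extension it adds at signing time are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the same CA build, CSR,
# signing and the name check from note 4, done non-interactively in one
# scratch directory ($1). Hostnames and DN values are the post's; the config
# file, function names and the subjectAltName extension are this example's own.
set -u

# Minimal openssl.cnf for this CA. The [CA_default] keys are the ones the post
# edits in /etc/pki/tls/openssl.cnf; "dir" is whatever directory was passed in.
write_ca_config() {
    cadir=$1
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $cadir
certs           = \$dir/certs
crl_dir         = \$dir/crl
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match

# The rule the post hits at "Organization Name": C, ST and O must equal the CA's.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# Step II of the post: key, self-signed CA certificate, empty index.txt, serial 01.
make_ca() {
    cadir=$1
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    write_ca_config "$cadir"
    : > "$cadir/index.txt"
    echo 01 > "$cadir/serial"
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$cadir/openssl.cnf" -key "$cadir/private/cakey.pem" \
        -out "$cadir/cacert.pem" -days 3655 \
        -subj "/C=CN/ST=Jiansu/O=Jacktest/OU=Tech/CN=ca.jacktest.com"
}

# Step III: the web server's key and CSR. $4 is the O= value, so that a request
# with a different organisation can be shown being refused.
make_server_req() {
    cadir=$1; name=$2; cn=$3; org=$4
    (umask 077; openssl genrsa -out "$cadir/$name.key" 2048 2>/dev/null) || return 1
    openssl req -new -config "$cadir/openssl.cnf" -key "$cadir/$name.key" \
        -out "$cadir/$name.csr" -subj "/C=CN/ST=Jiansu/O=$org/OU=Tech/CN=$cn"
}

# Step IV: sign with the CA. -batch answers the two y/n prompts. The extfile
# reproduces the post's extensions and adds a subjectAltName, which browsers
# require (they no longer match the site name against the CN alone).
sign_req() {
    cadir=$1; name=$2; cn=$3
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n' > "$cadir/$name.ext"
    printf 'authorityKeyIdentifier=keyid,issuer\nsubjectAltName=DNS:%s\n' "$cn" >> "$cadir/$name.ext"
    openssl ca -batch -config "$cadir/openssl.cnf" -in "$cadir/$name.csr" \
        -out "$cadir/$name.crt" -days 3650 -notext -extfile "$cadir/$name.ext" 2>/dev/null
}

# The check behind note 4: the certificate chains to cacert.pem AND the name the
# client connects to matches it. Exit status 0 means a client that trusts this
# CA will not warn; anything else is the warning the post describes.
check_cert() {
    cadir=$1; name=$2; host=$3
    openssl verify -CAfile "$cadir/cacert.pem" -verify_hostname "$host" \
        "$cadir/$name.crt" >/dev/null 2>&1
}

# Serial the CA will use next (the post's "cat serial").
next_serial() { cat "$1/serial"; }

# Usage: sh ca-demo.sh /tmp/demo-ca
if [ -n "${1:-}" ]; then
    make_ca "$1" && make_server_req "$1" http hello.jacktest.com Jacktest \
        && sign_req "$1" http hello.jacktest.com || exit 1
    check_cert "$1" http hello.jacktest.com && echo "hello.jacktest.com: chain and name OK"
    check_cert "$1" http www.jacktest.com || echo "www.jacktest.com: name does not match the certificate"
fi
```

Running it with a scratch directory prints one OK line for hello.jacktest.com and one mismatch line for www.jacktest.com, which is exactly the situation a ServerName of www.jacktest.com in ssl.conf creates against a certificate whose Common Name is hello.jacktest.com. The mismatch is not something the server detects: httpd -t passes and the port listens either way, so the only place it surfaces is in the client's verification, which is why the check is done with openssl verify rather than by inspecting the vhost.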