Linux applications: Preparing SSL Sites

Source: Internet
Author: User
Tags: modulus, openssl

Preparing an SSL site

1. Self-built CA signing server: IP 192.168.1.5, hostname jacktest (Linux 5.4, 32-bit)

2. HTTP server: IP 192.168.1.3, hostname test (Linux 5.4, 32-bit)

3. Test client: IP 192.168.1.19, hostname test2 (Windows XP)

4. The site name and the site name in the certificate (its Common Name) must match, otherwise the browser shows a warning;

5. One IP address can host only one SSL virtual host;


First, install the SSL environment

[[email protected] conf.d]# yum install mod_ssl

Installed:
mod_ssl.i386 1:2.2.3-31.el5
Dependency installed:
distcache.i386 0:1.4.5-14.1

[[email protected] conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf            # SSL configuration file
/usr/lib/httpd/modules/mod_ssl.so     # SSL module
/var/cache/mod_ssl                    # SSL session cache directory
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem


Second, set up the CA server

[[email protected] ~]# cd /etc/pki/CA          # CA server 192.168.1.5
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
........................................................................................+++
e is 65537 (0x10001)
[[email protected] CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 08:56 cakey.pem
[[email protected] CA]# vi ../tls/openssl.cnf

[ ca_default ]
dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs            # Where the issued certs are kept (location of issued certificates)
crl_dir         = $dir/crl              # Where the issued CRLs are kept (location of revoked certificates)
database        = $dir/index.txt        # database index file (index of issued certificates)
#unique_subject = no                    # Set to "no" to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate (the CA's own self-signed certificate)
serial          = $dir/serial           # The current serial number; the first value must be written by hand

...

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Jiansu

localityName                    = Locality Name (eg, city)
localityName_default            = Suzhou

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Jacktest

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default  = Tech

[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655    # generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiansu]:
Locality Name (eg, city) [Suzhou]:
Organization Name (eg, company) [Jacktest]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.jacktest.com
Email Address []:[email protected]
-----BEGIN CERTIFICATE-----
Miiemdcca4cgawibagijanetzkldkv8mma0gcsqgsib3dqebbquamigomqswcqyd
...
-----END CERTIFICATE-----

[[email protected] CA]# mkdir certs crl newcerts
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial        # seed the first serial number (the first certificate is issued as serial 1)
[[email protected] CA]# ls
cacert.pem certs crl index.txt newcerts private serial


Third, create the key and certificate request on the HTTP server

[[email protected] ssl]# (umask 077; openssl genrsa 1024 > httpd.key)     # HTTP server 192.168.1.3, in /etc/httpd/ssl
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
....................................++++++
e is 65537 (0x10001)
[[email protected] ssl]# ll
total 8
-rw------- 1 root root 887 Dec 09:40 httpd.key

[[email protected] ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:Jacktest     # must match the CA's Organization Name, otherwise signing fails
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:hello.jacktest.com
Email Address []:[email protected]
# hello.jacktest.com: the site name must match the Common Name in the certificate, otherwise the browser warns
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# ll
total 12
-rw-r--r-- 1 root root 704 Dec 28 09:45 http.csr
-rw------- 1 root root 887 Dec 09:40 httpd.key
[[email protected] ssl]# scp http.csr 192.168.1.5:/tmp
http.csr                                      100%  704     0.7KB/s   00:00
[[email protected] ssl]#


Fourth, the CA server signs the received certificate request

[[email protected] CA]# ll /tmp/http.csr
-rw-r--r-- 1 root root 708 Dec 10:05 /tmp/http.csr
[[email protected] CA]# openssl ca -in /tmp/http.csr -out /tmp/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 02:08:24 GMT
            Not After : Dec 02:08:24 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiansu
            organizationName          = Jacktest
            organizationalUnitName    = Tech
            commonName                = hello.jacktest.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:4b:e1:d1:c5:0d:a0:f0:44:54:1b:d7:d3:12:c1:05:e6:61:9d:f8
            X509v3 Authority Key Identifier:
                keyid:38:24:d5:41:1d:98:0d:69:90:0c:95:41:69:72:67:bb:62:4d:4b:a2
Certificate is to be certified until Dec 02:08:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# cd /etc/pki/CA/
[[email protected] CA]# ls
cacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[[email protected] CA]# cat index.txt
V 261226020824Z unknown /C=CN/ST=Jiansu/O=Jacktest/OU=Tech/CN=hello.jacktest.com/[email protected]
[[email protected] CA]# cat serial          # next serial number to be issued
02
[[email protected] tmp]# scp http.crt 192.168.1.3:/etc/httpd/ssl/
[email protected]'s password:
http.crt                                      100% 3885     3.8KB/s   00:00
[[email protected] tmp]# rm -f http.*


[[email protected] ssl]# ll          # HTTP server 192.168.1.3
total 16
-rw-r--r-- 1 root root  708 Dec 09:59 http.csr
-rw-r--r-- 1 root root 3885 Dec 10:25 http.crt
-rw------- 1 root root  887 Dec 09:57 httpd.key
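The CA setup, CSR and signing steps of sections Second to Fourth, reproduced as an added example (not code from the original post) that runs the same flow non-interactively in a temporary directory and then performs the checks you want before copying http.crt to the web server: chain verification against cacert.pem, Common Name against the site name, and the key/certificate modulus comparison. It assumes openssl on PATH; the temp directory, the minimal openssl.cnf and the DN values stand in for /etc/pki/CA and the post's prompts.

```shell
#!/bin/sh
# Added example (not code from the original post): rebuilds the post's CA
# layout in a temp dir, signs a server CSR non-interactively, then runs the
# checks a practitioner wants before deploying http.crt. Assumes openssl on PATH.
set -eu
CA="$(mktemp -d)"; CFG="$CA/openssl.cnf"   # stands in for /etc/pki/CA
SITE="hello.jacktest.com"                   # must equal the certificate's CN
DN="/C=CN/ST=Jiansu/O=Jacktest/OU=Tech"     # C/ST/O must match the CA's (policy_match)
mkdir -p "$CA/newcerts" "$CA/private"; touch "$CA/index.txt"; echo 01 > "$CA/serial"
cat > "$CFG" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
# CA key and self-signed CA certificate (section Second; -subj replaces the prompts)
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -config "$CFG" -new -x509 -key "$CA/private/cakey.pem" -subj "$DN/CN=ca.jacktest.com" -days 3655 -out "$CA/cacert.pem"
# Server key and CSR (section Third), then the CA signs it (section Fourth); -batch answers the y/n prompts
(umask 077; openssl genrsa -out "$CA/httpd.key" 2048 2>/dev/null)
openssl req -config "$CFG" -new -key "$CA/httpd.key" -subj "$DN/CN=$SITE" -out "$CA/http.csr"
openssl ca -config "$CFG" -batch -in "$CA/http.csr" -out "$CA/http.crt" -days 3650
# Checks to run before copying http.crt to the web server
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$CA/http.crt" >/dev/null; }
cert_cn() { openssl x509 -in "$CA/http.crt" -noout -subject -nameopt sep_multiline,lname | sed -n 's/^ *commonName=//p'; }
modulus_match() {   # private key and certificate must carry the same RSA modulus
  [ "$(openssl x509 -in "$CA/http.crt" -noout -modulus | openssl md5)" = \
    "$(openssl rsa -in "$CA/httpd.key" -noout -modulus | openssl md5)" ]
}
next_serial() { cat "$CA/serial"; }   # "02" after the first signing, as in the post
verify_chain && [ "$(cert_cn)" = "$SITE" ] && modulus_match && echo "http.crt OK for $SITE"
```

The modulus comparison is the quickest way to catch a certificate copied next to the wrong httpd.key, which httpd only reports at start-up.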


Fifth, configure the SSL virtual host on the HTTP server

[[email protected] conf.d]# vi ssl.conf

<VirtualHost 192.168.1.3:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName www.jacktest.com:443
DocumentRoot "/www/jacktest.com"

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default (everything except SSLv2):
SSLProtocol all -SSLv2

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/http.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>

[[email protected] conf.d]# ll /etc/httpd/ssl/http.crt
-rw-r--r-- 1 root root 3885 Dec 11:31 /etc/httpd/ssl/http.crt
[[email protected] conf.d]# httpd -t
Syntax OK
[[email protected] conf.d]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
[[email protected] conf.d]# netstat -tnlp | grep :443
tcp        0      0 0.0.0.0:443      0.0.0.0:*      LISTEN      14998/httpd
[[email protected] conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
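The site-name rule from item 4 turned into a check, as an added example that is not part of the original post: it reads ServerName and SSLCertificateFile from a vhost fragment and compares the host against the certificate's Common Name. The inputs are constructed here: a throwaway self-signed certificate with the post's CN hello.jacktest.com, and a fragment with the post's ServerName www.jacktest.com, which does not match; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): does the vhost's ServerName match
# the Common Name of the certificate it serves? Inputs are constructed here: a
# throwaway self-signed cert with the post's CN, and an ssl.conf fragment with
# the post's ServerName. Assumes openssl on PATH.
set -eu
D="$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$D/req.cnf"   # minimal config so -subj works
openssl req -config "$D/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/C=CN/O=Jacktest/CN=hello.jacktest.com" -keyout "$D/httpd.key" -out "$D/http.crt" 2>/dev/null
cat > "$D/ssl.conf" <<EOF
<VirtualHost 192.168.1.3:443>
    ServerName www.jacktest.com:443
    SSLEngine on
    SSLCertificateFile $D/http.crt
    SSLCertificateKeyFile $D/httpd.key
</VirtualHost>
EOF
# Corrected fragment: ServerName equal to the certificate's CN
sed 's/www\.jacktest\.com/hello.jacktest.com/' "$D/ssl.conf" > "$D/ssl-fixed.conf"

# First value of an Apache directive (case-insensitive name, leading blanks ignored)
directive() { awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"; }
vhost_host() { directive ServerName "$1" | sed 's/:[0-9]*$//'; }   # drop the :443 suffix
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname | sed -n 's/^ *commonName=//p'; }
# 0 when ServerName and certificate CN agree, 1 when they differ (the browser-warning case)
check_vhost() {
  host="$(vhost_host "$1")"; cn="$(cert_cn "$(directive SSLCertificateFile "$1")")"
  if [ "$host" = "$cn" ]; then echo "OK: ServerName $host matches certificate CN"; return 0; fi
  echo "WARNING: ServerName $host does not match certificate CN $cn"; return 1
}
check_vhost "$D/ssl.conf" || true     # post's config: www.jacktest.com vs hello.jacktest.com
check_vhost "$D/ssl-fixed.conf"
```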



---END---
