linux-Building CDA Digital certificate

CA Introduction

Build the CA server (data encryption transfer for Web services)

CA Server (172.40.55.10)

First step: Configure the CA signing environment

Step two: Generate the private key for the CA server

Step three: Create a root certificate for the CA server

Fourth step: Publish the root certificate file

First step: Configure the CA signing environment

[Email protected] ~]# RPM-QF/ETC/PKI/TLS/OPENSSL.CNF

Openssl-1.0.1e-42.el6.x86_64

[Email protected] ~]#

Vim/etc/pki/tls/openssl.cnf

[Ca_default]

Dir =/etc/pki/ca

Certs = $dir/certs

Certificate? = $dir The title of/MY-CA.CRT root certificate

Private_key? = $dir/private/my-ca.key private key Name

[Req_distinguished_name]

Countryname_default = CN Country

Stateorprovincename_default = Beijing province

Localityname_default = Beijing city

0.organizationname_default = Tarena Unit

: Wq

Build Index.txt, serial files as needed

[Email protected] ~]# CD/ETC/PKI/CA

[email protected] ca]# Touch index.txt

[Email protected] ca]# echo > serial

Step two: Generate the private key for the CA server

cd/etc/pki/ca/private/

OpenSSL genrsa-des3 2048 > My-ca.key (123456 password)

chmod My-ca.key

Step three: Create a root certificate for the CA server

cd/etc/pki/ca/

OpenSSL req-new-x509-key private/my-ca.key-days 365 > my-ca.crt (enter the password for the private key)

[email protected] ca]# OpenSSL req-new-x509-key private/my-ca.key-days 365 > MY-CA.CRT

Enter Pass phrase for Private/my-ca.key:

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [CN]:

State or province name (full name) [Beijing]:

Locality Name (eg, city) [Beijing]:

Organization Name (eg, company) [Tarena]:

Organizational Unit Name (eg, section) []:mis

Common name (eg, your name or your server ' s hostname) []:ca.tarena.com

Email Address []:[email protected]

[Email protected] ca]#

Fourth step: Publish the root certificate file

cd/etc/pki/ca/

CP my-ca.crt/var/www/html/

Service httpd Restart

++++++++++++++++++++++++

Web server

1 Generate your own private key

2 Generating a certificate request file

3 CA Server Issue Certificate

4 Download the Issued certificate

5 When you configure the Web service to run, use the issued certificate

6 Restart website Service

1 Generate your own private key

cd/etc/pki/tls/private/

OpenSSL Genrsa 2048 > Www.key

chmod Www.key

2 Generating a certificate request file

cd/etc/pki/tls/private/

OpenSSL Req-new-key www.key >/ROOT/WWW.CSR

[Email protected] private]#

[email protected] private]# OpenSSL req-new-key www.key >/ROOT/WWW.CSR

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [CN]:

State or province name (full name) [Beijing]:

Locality Name (eg, city) [Beijing]:

Organization Name (eg, company) [Tarena]:

Organizational Unit Name (eg, section) []:mis

Common name (eg, your name or your server ' s hostname) []:ca.tarenac^h.^h^c

[Email protected] private]#

[email protected] private]# OpenSSL req-new-key www.key >/ROOT/WWW.CSR

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [CN]:

State or province name (full name) [Beijing]:

Locality Name (eg, city) [Beijing]:

Organization Name (eg, company) [Tarena]:

Organizational Unit Name (eg, section) []:mis

Common name (eg, your name or your server ' s hostname) []:ca.tedu.cn

Email Address []:[email protected]

Please enter the following ' extra ' attributes

To is sent with your certificate request

A Challenge Password []:

An optional company name []:

[Email protected] private]#

3 CA server issues certificates and shares issued certificates

cd/etc/pki/ca/certs/

OpenSSL CA-IN/ROOT/WWW.CSR > Www.crt

[email protected] certs]# OpenSSL CA-IN/ROOT/WWW.CSR > Www.crt

Using Configuration From/etc/pki/tls/openssl.cnf

Enter Pass phrase For/etc/pki/ca/private/my-ca.key:

Check that the request matches the signature

Signature OK

Certificate Details:

Serial number:1 (0x1)

Validity

Not Before:may 7 09:20:09 GMT

Not After:may 7 09:20:09 GMT

Subject:

CountryName = CN

Stateorprovincename = Beijing

OrganizationName = Tarena

Organizationalunitname = Mis

CommonName = ca.tedu.cn

EmailAddress = [email protected]

X509v3 Extensions:

X509v3 Basic Constraints:

Ca:false

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

F9:5d:62:df:af:9e:23:29:be:b6:ce:dc:88:4f:e6:c7:b0:36:11:a6

X509v3 Authority Key Identifier:

Keyid:5b:1d:a7:f7:b6:22:fe:6d:f2:f1:8e:ce:89:eb:ef:58:e4:cf:a0:a5

Certificate is to be certified until 7 09:20:09 GMT (365 days)

Sign the certificate? [Y/n]:y

1 out of 1 certificate requests certified, commit? [Y/n]y

Write out database with 1 new entries

Data Base Updated

[Email protected] certs]#

CP www.crt/var/www/html/

4 The client downloads the issued certificate

cd/etc/pki/tls/certs/

Cp/etc/pki/ca/certs/www.crt./

[Email protected] certs]# ls/etc/pki/tls/private/

Www.key

[Email protected] certs]#

5 When you configure the Web service to run, use the issued certificate

Rpm-q Mod_ssl

Yum-y Install Mod_ssl

Vim/etc/httpd/conf.d/ssl.conf

Sslengine on

Sslcertificatefile/etc/pki/tls/certs/www.crt

Sslcertificatekeyfile/etc/pki/tls/private/www.key

: Wq

6 Restart website Service

Service httpd Restart

[[Email protected] conf]# PS aux | grep vmware-hostd

Netstat-untlap | grep:443

[Email protected] conf.d]# Netstat-utnalp | grep:443

TCP 0 0::: 443:::* LISTEN 8973/httpd

+++++++++++++++++++++++++++++++++++

Client

Http://web-ip

443 HTTPS://WEB-IP

[Email protected] conf]# elinks--dump https://localhost/one.html

ELinks: Deny connection

[Email protected] conf]#

[Email protected] conf]#

[Email protected] conf]# elinks--dump http://localhost/one.html

Hello a student

[Email protected] conf]#

++++++++++++++++++++++++++++++++++++

Site Client configuration (Access HTTP auto-jump HTTPS)

Https://172.40.55.10/one.html

Vim httpd.conf

<ifmodule ssl_module>

Sslrandomseed Startup Builtin

Sslrandomseed Connect Builtin

</IfModule>

Rewriteengine on

Rewritecond%{server_port}!^443$

Rewriterule (. *) https://%{server_name}/$1 [R]

: Wq

Service httpd REStat

Http://ca.tedu.cn/one.html

linux-Building CDA Digital certificate