Linux - Building CA digital certificates

Source: Internet
Author: User
Tags: builtin openssl

CA Introduction




Build the CA server (encrypted data transfer for Web services)



CA Server (172.40.55.10)

Step 1: Configure the CA signing environment

Step 2: Generate the private key for the CA server

Step 3: Create a root certificate for the CA server

Step 4: Publish the root certificate file


Step 1: Configure the CA signing environment

[root@localhost ~]# rpm -qf /etc/pki/tls/openssl.cnf
openssl-1.0.1e-42.el6.x86_64
[root@localhost ~]#

vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir         = /etc/pki/CA
certs       = $dir/certs
certificate = $dir/my-ca.crt          # file name of the root certificate
private_key = $dir/private/my-ca.key  # file name of the CA private key

[ req_distinguished_name ]
countryName_default         = CN       # country
stateOrProvinceName_default = Beijing  # province
localityName_default        = Beijing  # city
0.organizationName_default  = Tarena   # organization
:wq

Create the index.txt and serial files that openssl ca requires
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial      # first serial number; the certificate issued below gets serial 1


Step 2: Generate the private key for the CA server

cd /etc/pki/CA/private/
openssl genrsa -des3 2048 > my-ca.key      (passphrase used here: 123456)
chmod 600 my-ca.key                        # readable by the owner only


Step 3: Create a root certificate for the CA server

cd /etc/pki/CA/
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt      (enter the passphrase of the private key when prompted)

[root@localhost CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tarena.com
Email Address []:[email protected]
[root@localhost CA]#



Step 4: Publish the root certificate file

cd /etc/pki/CA/
cp my-ca.crt /var/www/html/
service httpd restart


++++++++++++++++++++++++

Web server

1 Generate your own private key

2 Generate a certificate request file

3 The CA server issues the certificate

4 Download the issued certificate

5 Configure the Web service to use the issued certificate

6 Restart the Web service


1 Generate your own private key

cd /etc/pki/tls/private/
openssl genrsa 2048 > www.key
chmod 600 www.key                          # readable by the owner only


2 Generate a certificate request file

cd /etc/pki/tls/private/
openssl req -new -key www.key > /root/www.csr


[root@localhost private]#
[root@localhost private]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tarenac^H.^H^C
[root@localhost private]#
[root@localhost private]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost private]#


3 The CA server issues the certificate and shares it

cd /etc/pki/CA/certs/
openssl ca -in /root/www.csr > www.crt

[root@localhost certs]# openssl ca -in /root/www.csr > www.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  7 09:20:09 GMT
            Not After : May  7 09:20:09 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Tarena
            organizationalUnitName    = mis
            commonName                = ca.tedu.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F9:5D:62:DF:AF:9E:23:29:BE:B6:CE:DC:88:4F:E6:C7:B0:36:11:A6
            X509v3 Authority Key Identifier:
                keyid:5B:1D:A7:F7:B6:22:FE:6D:F2:F1:8E:CE:89:EB:EF:58:E4:CF:A0:A5

Certificate is to be certified until May  7 09:20:09 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]#

cp www.crt /var/www/html/
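The CA-side procedure above (steps 1 to 4 on the CA server and the signing step just shown) as one unattended script. This is an added example, not code from the original page: it builds its own openssl.cnf and CA directory under a scratch path instead of editing /etc/pki/tls/openssl.cnf, takes the passphrase from -passout/-passin instead of the prompt, signs a request for a constructed hostname, and ends with the check the page leaves out, `openssl verify` of the issued certificate against the root. The scratch path, the names ca.example.test and www.example.test and the DN values are assumptions for the demo; the passphrase 123456 is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): the CA-side procedure above,
# replayed unattended in a scratch directory. A private openssl.cnf stands in
# for /etc/pki/tls/openssl.cnf, the passphrase is passed with -passout/-passin
# instead of being typed, and all paths, hostnames and DN values are constructed.
set -eu

# Step 1: the CA_default layout the page builds under /etc/pki/CA
# (private/, certs/, index.txt, serial) plus a minimal configuration file.
setup_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/private" "$ca_dir/newcerts"
    touch "$ca_dir/index.txt"      # empty certificate database
    echo 01 > "$ca_dir/serial"     # first serial number, as on the page
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca_dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/my-ca.crt
private_key   = \$dir/private/my-ca.key
default_md    = sha256
default_days  = 365
policy        = policy_ca
[ policy_ca ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 2 and 3: passphrase-protected CA key, then the self-signed root.
make_root() {
    ca_dir=$1; pass=$2
    openssl genrsa -des3 -passout "pass:$pass" \
        -out "$ca_dir/private/my-ca.key" 2048 2>/dev/null
    chmod 600 "$ca_dir/private/my-ca.key"
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -key "$ca_dir/private/my-ca.key" -passin "pass:$pass" -days 365 \
        -subj "/C=CN/O=Tarena/CN=ca.example.test" -out "$ca_dir/my-ca.crt"
}

# Web server steps 1 and 2: server key and a certificate request (CN = site).
make_csr() {
    ca_dir=$1; work=$2; host=$3
    openssl genrsa -out "$work/www.key" 2048 2>/dev/null
    chmod 600 "$work/www.key"
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$work/www.key" \
        -subj "/C=CN/O=Tarena/CN=$host" -out "$work/www.csr"
}

# Web server step 3: the CA signs the request. Extensions are set by the CA
# rather than copied from the request, and a subjectAltName is added because
# modern clients ignore the CN when matching the hostname.
issue_cert() {
    ca_dir=$1; pass=$2; host=$3; csr=$4; out=$5
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$out.ext"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -passin "pass:$pass" -extfile "$out.ext" -in "$csr" -out "$out" 2>/dev/null
}

# The check the page omits: does the issued certificate chain to the root and
# carry the expected hostname? Prints its serial number on success.
verify_issued() {
    ca_crt=$1; host=$2; crt=$3
    openssl verify -CAfile "$ca_crt" -verify_hostname "$host" "$crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -noout -serial -in "$crt" | sed 's/^serial=//'
}

# Whole flow in one call; prints the serial of the first issued cert ("01").
run_demo() {
    root=$1; host=www.example.test
    setup_ca "$root/CA"
    make_root "$root/CA" 123456
    make_csr "$root/CA" "$root" "$host"
    issue_cert "$root/CA" 123456 "$host" "$root/www.csr" "$root/CA/certs/www.crt"
    verify_issued "$root/CA/my-ca.crt" "$host" "$root/CA/certs/www.crt"
}

# Usage: sh ca-demo.sh /tmp/scratch
if [ $# -eq 1 ]; then run_demo "$1"; fi
```

The request's own extensions are never copied into the certificate (no copy_extensions in the CA section), so a requester cannot ask for CA:TRUE or an extra hostname; everything that ends up in the certificate is decided on the CA side in issue_cert.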


4 The client downloads the issued certificate

cd /etc/pki/tls/certs/
cp /etc/pki/CA/certs/www.crt ./

[root@localhost certs]# ls /etc/pki/tls/private/
www.key
[root@localhost certs]#


5 Configure the Web service to use the issued certificate

rpm -q mod_ssl
yum -y install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/www.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq


6 Restart the Web service

service httpd restart

[root@localhost conf]# ps aux | grep vmware-hostd

netstat -untlap | grep :443

[root@localhost conf.d]# netstat -utnalp | grep :443
tcp        0      0 :::443                      :::*                        LISTEN      8973/httpd
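Before the restart in step 6, a practitioner checks that the files named in ssl.conf actually belong together. The following script is an added example, not the page's own code: it confirms that www.crt carries the public key of www.key, that the key is not world-readable, that the certificate is not about to expire, and that the site's hostname appears in a subjectAltName (the page's request sets only a Common Name, which current browsers ignore for hostname matching). The self-signed pair that make_test_pair creates, the hostname www.example.test and the file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the web server
# before "service httpd restart" in step 6. Paths, the site hostname and the
# self-signed test pair created by make_test_pair are constructed for the demo.
set -eu

# 1. www.crt must contain the public key derived from www.key; compare the
#    two SubjectPublicKeyInfo blocks by digest.
key_matches_cert() {
    crt=$1; key=$2
    a=$(openssl x509 -noout -pubkey -in "$crt" | openssl sha256)
    b=$(openssl pkey -pubout -in "$key" | openssl sha256)
    [ "$a" = "$b" ]
}

# 2. The key must not be world-readable (what "chmod 600 www.key" enforces);
#    column 8 of "ls -l" is the read bit for "others".
key_is_private() {
    [ "$(ls -l "$1" | cut -c8)" != r ]
}

# 3. The certificate must still be valid in 24 hours, so the restart does
#    not bring up a site whose certificate expires overnight.
cert_valid_tomorrow() {
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null
}

# 4. The served hostname must appear as a DNS entry in subjectAltName;
#    browsers no longer fall back to the Common Name, which is all the
#    page's request sets.
cert_covers_host() {
    crt=$1; host=$2
    openssl x509 -noout -ext subjectAltName -in "$crt" 2>/dev/null |
        grep -qE "DNS:$host(,|$)"
}

# Runs all four checks; prints "ok", or the first failure and returns 1.
precheck() {
    crt=$1; key=$2; host=$3
    key_matches_cert "$crt" "$key"  || { echo "key/cert mismatch"; return 1; }
    key_is_private "$key"           || { echo "key is world-readable"; return 1; }
    cert_valid_tomorrow "$crt"      || { echo "certificate expires within 24h"; return 1; }
    cert_covers_host "$crt" "$host" || { echo "no SAN for $host"; return 1; }
    echo ok
}

# Self-signed stand-in for the CA-issued www.crt, constructed for the demo.
make_test_pair() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/www.key" -out "$dir/www.crt" 2>/dev/null
    chmod 600 "$dir/www.key"
}

# Usage: sh precheck.sh /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key www.example.test
if [ $# -eq 3 ]; then precheck "$1" "$2" "$3"; fi
```

On the page's server the call would be `sh precheck.sh /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key ca.tedu.cn`; with the certificate as issued above it stops at the fourth check, because that request contains no subjectAltName.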




+++++++++++++++++++++++++++++++++++

Client

http://web-ip          (port 80)
https://web-ip         (port 443)

[root@localhost conf]# elinks --dump https://localhost/one.html
ELinks: Connection refused
[root@localhost conf]#
[root@localhost conf]# elinks --dump http://localhost/one.html
   Hello a student
[root@localhost conf]#

++++++++++++++++++++++++++++++++++++

Web site configuration (HTTP access is redirected automatically to HTTPS)

https://172.40.55.10/one.html

vim httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
:wq
service httpd restart


http://ca.tedu.cn/one.html

