OpenSSL self-built certificate SSL + Apache

OpenSSL self-built certificate SSL + Apache

I have prepared it. Well, the following is my note. For details, enter the author name: wingger. In this article, we will test the certificate on Linux9 + apache2.0.52, tomcat5.5.6, j2se1.5, and openssl0.97. The purpose of this article is to communicate. If any errors occur, please advise. Reprinted, please indicate the source, and maintain the integrity of the article Start installation now First, you need to understand some basic concepts before installing 1. Certificates used by SSL can be self-generated or signed by a commercial ca such as Verisign or thawte. 2. Certificate concept: First, you must have a root certificate, and then use the root certificate to issue the server certificate and customer certificate. Generally, the server certificate and customer certificate are in a hierarchical relationship. The root certificate and server certificate must be installed in SSL for authentication. Therefore, in this environment, you must have at least three certificates: Root Certificate, server certificate, and client certificate. Before a certificate is generated, a private key is usually used to generate a certificate request with the private key, and then use the root certificate of the Certificate Server to issue the certificate. 3. certificate issuance problem: I recently found a lot of information about OpenSSL, basically only generate the root certificate and private key and server certificate requests, and did not actually implement the visa. I refer to some documents here. I use a ca. Sh provided by OpenSSL to sign the certificate, rather than sign. Sh in mod_ssl. Using the OpenSSL syntax to generate a certificate has many restrictions, such as the Directory and key location. It is troublesome. I tried it for several days and finally gave up. If you are interested, refer to the OpenSSL manual. Step 1: Install OpenSSL and Apache Download openssl-0.9.7e.tar.gz (the latest version) to www.openssl.org) 2. Uninstall the old opensll Library # Rpm-e -- nodeps OpenSSL Copy code 3. decompress the package: # Tar xzvf openssl-0.9.7e.tar.gz Copy code 4. Enter the OpenSSL directory and install it. Use -- prefix to specify the OpenSSL installation directory. # Cd openssl-0.9.7e #./Config -- prefix =/usr/local/OpenSSL # Make # Make Test # Make install Copy code 5. install Apache Download httpd-2.0.52.tar.gz, the latest apacheversion, to www.apache.org/dist. Decompress the package and go to the Apache directory. Install the required modules as needed. I have installed SSL, rewrite, and dynamic installation. # Tar zxvf httpd-2.0.52.tar.gz # Cd httpd-2.0.52 #./Configure -- prefix = prefix -- enable-SSL -- enable-Rewrite -- enable-so -- With-SSL =/usr/local/OpenSSL # Make # Make install Copy code Step 2: visa After OpenSSL is installed, there is a ca. Sh file under OpenSSL, which is used for visa, To sign three certificates, and then use these three certificates to deploy the SSL server. 1. Create an SSL under/usr/local/Apache/CONF. CRT directory, set ca. copy the sh file to/usr/local/Apache/CONF/SSL. CRT/directory [Root @ win SSL] # cp/usr/local/OpenSSL/SSL/MISC/CA. sh/usr/local/Apache/CONF/SSL. CRT/CA. Sh Copy code 2. Run ca. Sh-newca. It will find a private key and password file of the CA you want. If this file does not exist? Press enter to automatically create the file. Enter the password to protect the file. In the future, you will need a company information to make the ca. CRT file. At last, an additional one is added to the current directory. /democa directory .. /democa/private/cakey. PEM is the key file of CA ,. /democa/cacert. PEM is the CRT file of CA. [Root @ win SSL. CRT] #./CA. Sh-newca Copy code Enter the following information: Quote: Country name (2 letter code) [GB]: CN State or province name (full name) [Berkshire]: Fuji Locality name (eg, city) [Newbury]: Fuzhou Organization Name (eg, company) [My Company Ltd]: fjjm Organizational unit name (eg, section) []: FD Common name (eg, your name or your server's hostname) []: Win Email Address []: WIN@WIN.COM In this way, a CA server is created, with the private key cakey. pem of the root certificate and a root certificate cacert. pem. Now you can get the cacert. pem for your visa. 3. Sign the server certificate Generate the server private key: [Root @ win SSL. CRT] # OpenSSL genrsa-des3-out server. Key 1024 Copy code Generate server certificate request [Root @ win SSL. CRT] # OpenSSL req-New-key server. Key-out server. CSR Copy code REQUIRED INFORMATION Country name (2 letter code) [GB]: CN State or province name (full name) [Berkshire]: Fuji Locality name (eg, city) [Newbury]: Fuzhou Organization Name (eg, company) [My Company Ltd]: fjjm Organizational unit name (eg, section) []: FD Common name (eg, your name or your server's hostname) []: Win Email Address []: WIN@WIN.COM Please enter the following 'extra 'attributes To be sent with your certificate request A challenge password []: Win An optional company name []: Wing Copy code Finally, convert the server. CRT file MV into newreq. Pem, and then use ca. Sh for a visa. [Root @ win SSL. CRT] # mv server. CSR newreq. pem [Root @ win SSL. CRT] #./CA. Sh-sign Copy code In this way, the server certificate newcert. PEM is generated. Change newcert. pem to server. CRT. [Root @ win SSL. CRT] # mv newcert. pem server. CRT Copy code 4. process the client: Generate customer private key: [Root @ win SSL. CRT] # OpenSSL genrsa-des3-out client. Key 1024 Copy code Request [Root @ win SSL. CRT] # OpenSSL req-New-key client. Key-out client. CSR Copy code Visa: [Root @ win SSL. CRT] # OpenSSL ca-in client. CSR-out client. CRT Copy code Convert certificate format to PKCS12 format [Root @ win SSL. CRT] # OpenSSL PKCS12-export-clcerts-in client. CRT-inkey client. Key-out client. pfx Copy code 5. Three certificates and three private keys are available. One is the root certificate under democa, the server certificate under SSL. CRT, and the client certificate. And the root key under democa/private, the server key and customer key under SSL. CRT, and the certificate location and server key location under SSL. conf under Conf. I created an SSL. CRT directory under conf and put all the keys and certificates here. # Cp democa/cacert. pem cacert. pem Copy code Copy a certificate and rename it ca. CRT. # Cp cacert. pem ca. CRT Copy code Step 3. Edit SSL. conf # Cd/usr/local/Apache/Conf Copy code Edit SSL. conf Specify the server certificate location Sslcertificatefile/usr/local/Apache/CONF/SSL. CRT/server. CRT Specify the server certificate Key location Sslcertificatekeyfile/usr/local/Apache/CONF/SSL. CRT/server. Key Certificate directory Sslcacertificatepath/usr/local/Apache/CONF/SSL. CRT Root Certificate location Sslcacertificatefile/usr/local/Apache/CONF/SSL. CRT/cacert. pem Enable client SSL requests Sslverifyclient require Sslverifydepth 1 Copy code Start SSL /Usr/local/Apache/bin/apachectl startssl Copy code The password of server. Key is required. So that a default SSL server and HTTP server are started, Step 4. install and use the certificate Run the ca. CRT root certificate and client. pfx client certificate generated just now to the client and install the client, CA. CRT is installed to a trusted organization. Client. pfx is installed directly in Windows or in the personal certificate location, and then accessed by IP address http and HTTPS servers.