To issue a certificate to a Web site using OpenSSL

Source: Internet
Author: User

Background introduction

In a production environment it is sometimes necessary to use self-signed certificates. Since 2016 Google Chrome has been phasing out trust in certificates signed with SHA-1, while the default OpenSSL configuration on this system (default_md = sha1 in /etc/pki/tls/openssl.cnf) still signs with SHA-1. This article shows how to configure OpenSSL to sign a web site's certificate with SHA-256 instead. Note that the digest is used for the certificate signature only; it does not encrypt the site's traffic. The topology is a single Linux host that acts both as the CA and as the web server, plus a Windows client that will trust the CA.

Operation Steps

1. Installing the HTTPD Service

yum -y install httpd

chkconfig httpd on

service httpd start

If the server's host name cannot be resolved, httpd starts very slowly and warns that it could not reliably determine the server's fully qualified domain name.

The fix is to set ServerName in the httpd configuration file: vim /etc/httpd/conf/httpd.conf

Create an index.html file in the /var/www/html directory with some content to serve as the home page, then check that port 80 is listening.

2. Creating the CA and its self-signed certificate

First, note that a certificate carries a public key and is signed with the issuer's private key, so the CA needs a key pair before it can issue anything. Change into /etc/pki/CA, generate the CA key pair with openssl genrsa, and save it as /etc/pki/CA/private/cakey.pem. Keep this file readable by root only (generate it under umask 077): anyone who can read it can issue certificates that your clients will trust.

Unlike Windows, Linux does not identify file types by their extension, so the file name is a convention rather than a requirement. The key still has to be stored as /etc/pki/CA/private/cakey.pem because that is the default private_key path in /etc/pki/tls/openssl.cnf, whose [ CA_default ] section also fixes the CA directory and the CA certificate path (/etc/pki/CA/cacert.pem). If you store the key or certificate elsewhere, remember to update the configuration file accordingly.

You also need to change default_md in the [ CA_default ] section to sha256; this is the digest algorithm used to sign the certificates issued by this CA.

Also change default_md in the [ req ] section, which sets the digest used for the CA's own self-signed certificate (and for certificate requests). The author found that changing only the digest used for issued certificates to SHA-256 still left the site untrusted in Google Chrome, because a certificate is trusted only when the entire certificate chain is: use SHA-256 throughout so that no SHA-1 signature appears anywhere in the chain.

Generate the CA's self-signed certificate with openssl req. The output file name and path must match the configuration file (/etc/pki/CA/cacert.pem), as described above. The options used are:

-new    generate a new certificate request

-x509   output a self-signed certificate (X.509 is the certificate format standard) instead of a request

-key    the private key file to use

-days   validity period of the certificate in days (only meaningful together with -x509)

Fill in the certificate information carefully: the Common Name must be exactly the host name under which the site will be accessed. Note that Chrome 58 and later ignore the Common Name and require the host name in a subjectAltName extension, so add one when issuing the server certificate.

The configuration file refers to the files index.txt, serial and crlnumber under /etc/pki/CA, which do not exist by default, so they must be created manually: index.txt is the issuance database (it must exist, initially empty), serial holds the next certificate serial number, and crlnumber holds the next CRL number.

After creating them, write an initial serial number (such as 01) into the serial file. The work on the CA side is now complete.

3. Requesting a certificate for the web site

Change into /etc/httpd, create an ssl directory there, and generate a private key for the web server in it, named http.key. Restrict its permissions as well: anyone holding this key can impersonate the site.

Then generate a certificate signing request (CSR) for the web server.

Look closely and you will see that this command is very similar to the one that produced the CA's self-signed certificate; it differs only in lacking the -x509 and -days options. The req manual page explains that with -x509 the req command outputs a self-signed certificate instead of a certificate request, so -x509 must not be used here. And because this is only a request, the validity period is decided by the CA when it signs, so -days is not needed either.

Because the CA runs on the same machine as the web server, there is no need to copy the request to another host; sign it directly with openssl ca.

httpd does not install the mod_ssl module by default, so the site cannot be reached over HTTPS until it is installed manually with yum -y install mod_ssl. Then locate the mod_ssl configuration file, /etc/httpd/conf.d/ssl.conf.

Open the mod_ssl configuration file and point the site's certificate file (SSLCertificateFile) and private key file (SSLCertificateKeyFile) at the actual paths. After saving, check the configuration with httpd -t, then restart the httpd service. The web site configuration is now complete.
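The whole OpenSSL side of steps 2 and 3 above (CA key pair and SHA-256 self-signed root, server key and CSR, CA-signed server certificate), as an added, runnable example that is not code from the original post. It assumes a host name of www.example.com, file names httpd.key / httpd.csr / httpd.crt, and works in a temporary directory with its own minimal openssl.cnf rather than /etc/pki/tls/openssl.cnf, so it runs without root; set CA_DIR=/etc/pki/CA to reproduce the article's layout. It also adds a subjectAltName to the issued certificate, which the article does not do, and finishes with the two checks worth running before installing the files: the signature algorithm on each certificate and a chain verification.

```shell
#!/bin/sh
# Added example (not from the original post): private CA signing with SHA-256,
# web-server key + CSR, CA-issued certificate, then verification.
# Assumptions: $CA_DIR is a fresh temp dir, the site is www.example.com.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
SITE="${SITE:-www.example.com}"

# Minimal openssl.cnf: both default_md entries set to sha256, the CA_default
# paths that openssl ca reads, and explicit v3 extensions for root and leaf.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default

[ CA_default ]
dir                    = $CA_DIR
new_certs_dir          = \$dir/newcerts
database               = \$dir/index.txt
serial                 = \$dir/serial
private_key            = \$dir/private/cakey.pem
certificate            = \$dir/cacert.pem
default_md             = sha256
default_days           = 365
policy                 = policy_site
x509_extensions        = v3_server
unique_subject         = no

[ policy_site ]
countryName            = optional
organizationName       = optional
commonName             = supplied

[ req ]
default_md             = sha256
distinguished_name     = req_dn
x509_extensions        = v3_ca

[ req_dn ]
commonName             = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SITE
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 2: CA key pair (root-only permissions), bookkeeping files, self-signed root.
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"        # empty issuance database
    echo 01 > "$CA_DIR/serial"     # initial serial number
    write_config
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -subj "/C=CN/O=Example/CN=Example Root CA" \
        -out "$CA_DIR/cacert.pem"
}

# Step 3: server key and CSR. No -x509 (that would yield a self-signed cert
# instead of a request) and no -days (validity is the CA's decision).
make_csr() {
    mkdir -p "$CA_DIR/httpd"
    (umask 077; openssl genrsa -out "$CA_DIR/httpd/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/httpd/httpd.key" \
        -subj "/C=CN/O=Example/CN=$SITE" -out "$CA_DIR/httpd/httpd.csr"
}

# CA and web server share a host, so the CSR is signed in place; -days applies here.
sign_csr() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 365 \
        -in "$CA_DIR/httpd/httpd.csr" -out "$CA_DIR/httpd/httpd.crt" 2>/dev/null
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Chain check: the site certificate must validate against the CA certificate.
verify_chain() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/httpd/httpd.crt" >/dev/null 2>&1
}

main() {
    make_ca; make_csr; sign_csr
    echo "CA root signed with:   $(sig_alg "$CA_DIR/cacert.pem")"
    echo "Site cert signed with: $(sig_alg "$CA_DIR/httpd/httpd.crt")"
    verify_chain && echo "chain OK: point SSLCertificateFile/SSLCertificateKeyFile at $CA_DIR/httpd/"
}
main
```

The two check functions are the ones to keep around: if sig_alg ever reports sha1WithRSAEncryption on either certificate, one of the default_md settings was missed, and if verify_chain fails, the browser will fail in the same way no matter what the signature digest is.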

4. Client configuration

Export the CA's self-signed certificate /etc/pki/CA/cacert.pem to the client's desktop, rename it to cacert.crt, and import it into the Trusted Root Certification Authorities store via MMC. Only the CA certificate is copied to the client; the CA's private key never leaves the CA host.

Add an entry to the client's local hosts file mapping the site's host name to the server's IP address, which completes the client-side configuration.

5. Verification

Open the site address in Google Chrome to check that the certificate is now accepted.




This article is from the "Rabbit-like rabbit sen Broken" blog; please keep this source: http://arkling.blog.51cto.com/2844506/1840800
