---Web server---
# yum install httpd -y
# service httpd start
# chkconfig httpd on
# vi /var/www/html/index.html
---------------
<br>172.16.254.101
---------------
# openssl genrsa 1024 > web.key
Generate a 1024-bit RSA private key
# openssl req -new -key web.key -days 365 -out web.csr
Generate a certificate signing request
req --- the openssl subcommand for certificate signing requests
-new --- create a new request
-key --- the private key to sign the request with
-days --- validity period
-out --- output file
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or province name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default company ltd]:uplooking
Organizational Unit Name (eg, section) []:instructor
Common Name (eg, your name or your server's hostname) []:s1.uplooking.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: < press ENTER >
An optional company name []: < press ENTER >
# scp /root/web.csr s2:/root
---CA certification authority---
---> Sign S1's request web.csr and issue web.crt
S2 is not yet a CA
It first has to be set up as a CA
Deploying a CA properly is cumbersome,
so we build the CA the quick-and-dirty way, letting each error from openssl ca tell us what is still missing,
and then sign the request
# openssl ca -in web.csr -out web.crt        // try to issue directly and read the error
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
Generate the private key the CA needs
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 365 -x509 -out /etc/pki/CA/cacert.pem
// Generate the CA's self-signed certificate
// -x509 --- output a self-signed X.509 certificate instead of a signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:s2.uplooking.com
Email Address []:[email protected]
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
# touch /etc/pki/CA/index.txt        // create the CA's (empty) index file
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
# echo 01 > /etc/pki/CA/serial        // create the CA's serial number file; the first certificate below is issued as serial 1 (0x1)
----------------------------
Steps to build the most basic CA that can sign requests
# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
Generate the private key the CA needs
# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 365 -x509 -out /etc/pki/CA/cacert.pem
Generate the CA's self-signed certificate
# touch /etc/pki/CA/index.txt        // create the CA's index file
# echo 01 > /etc/pki/CA/serial        // create the CA's serial number file
-----------------------------
# openssl ca -in web.csr -out web.crt        // issue the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 01:51:32 GMT
            Not After : Aug 01:51:32 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = liaoning
            organizationName          = uplooking
            organizationalUnitName    = instructor
            commonName                = s1.uplooking.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:E3:E3:19:AF:BD:08:74:A3:49:58:96:4F:BC:82:DF:2B:1A:96:06
            X509v3 Authority Key Identifier:
                keyid:65:48:30:AF:9E:A4:45:33:ED:E6:7C:9F:CD:C7:82:C8:B1:7D:7E:C4
Certificate is to be certified until 01:51:32 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# scp /root/web.crt s1:/root
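The whole S2 side above (bootstrap the minimal CA, then issue web.crt) as an added, self-contained shell example; it is not part of the original notes. It runs in a scratch directory with its own openssl.cnf instead of the /etc/pki/CA that the system config hard-codes, uses 2048-bit keys because 1024-bit RSA is below today's minimum, and passes -batch instead of answering the two prompts; the [ CA_default ] config, the scratch paths and the shortened DNs are assumptions, and the final openssl verify is the check the notes skip.

```shell
set -eu
# build_ca DIR: create what the page's error messages asked for in turn (cakey.pem, cacert.pem,
# index.txt, serial) and a minimal config whose [ CA_default ] points at DIR, not /etc/pki/CA.
build_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  openssl genrsa 2048 > "$dir/private/cakey.pem" 2>/dev/null   # page uses 1024, too weak now
  # self-signed CA cert; like the page, req reads the system openssl.cnf (its v3_ca sets CA:TRUE)
  openssl req -new -x509 -days 365 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -subj "/C=CN/ST=liaoning/O=uplooking/CN=s2.uplooking.com"
  touch "$dir/index.txt"; echo 01 > "$dir/serial"   # the page's touch and echo steps
}
# sign_csr DIR CSR OUT: issue OUT for CSR with the CA in DIR, -batch replacing the two
# [y/n] prompts shown on the page, then check that OUT really chains to cacert.pem.
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" 2>/dev/null
  openssl verify -CAfile "$1/cacert.pem" "$3" >/dev/null
}
# demo WORK: the page's flow end to end, web.key -> web.csr -> web.crt, under WORK.
demo() {
  build_ca "$1/CA"
  openssl genrsa 2048 > "$1/web.key" 2>/dev/null
  openssl req -new -key "$1/web.key" -out "$1/web.csr" \
    -subj "/C=CN/ST=liaoning/O=uplooking/CN=s1.uplooking.com"
  sign_csr "$1/CA" "$1/web.csr" "$1/web.crt"
}
demo "$(mktemp -d)"
```

After a run, WORK/CA/serial reads 02 and WORK/CA/index.txt has one V (valid) entry, the same bookkeeping openssl ca updated on the page.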
---Web server---
# yum install mod_ssl -y
# ls web.*
web.crt  web.csr  web.key
certificate, signing request, private key
# vi /etc/httpd/conf.d/ssl.conf
-------------------------
SSLCertificateFile /etc/pki/tls/certs/web.crt
SSLCertificateKeyFile /etc/pki/tls/private/web.key
-------------------------
# cp web.crt /etc/pki/tls/certs/
# cp web.key /etc/pki/tls/private/
# service httpd restart
# netstat -antulp | grep :443
Use a browser to access the HTTPS site
Import the CA's certificate into IE, then view the page again
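Before the restart step, a check worth running on the two files named in ssl.conf, as an added example that is not from the original notes: a certificate whose public key does not belong to SSLCertificateKeyFile, an already expired certificate, or a world-readable private key are the usual reasons the restart fails or the deployment is unsafe. The check_pair helper and the constructed test pair in demo are assumptions.

```shell
set -eu
# check_pair CRT KEY: what to confirm before "service httpd restart" with the page's
# ssl.conf paths: CRT's public key comes from KEY (same RSA modulus), CRT is not
# expired, and KEY is not world-readable. Prints the first failing check and returns 1.
check_pair() {
  crt_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  if [ "$crt_mod" != "$key_mod" ]; then echo "key/cert mismatch: $1 $2" >&2; return 1; fi
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo "expired: $1" >&2; return 1; fi
  if [ -n "$(find "$2" -perm -004)" ]; then echo "world-readable key: $2" >&2; return 1; fi
  return 0
}
# demo: a constructed self-signed pair (not the page's web.crt/web.key) plus an unrelated key.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=s1.uplooking.com" \
    -keyout "$d/web.key" -out "$d/web.crt" 2>/dev/null
  chmod 600 "$d/web.key"                      # what /etc/pki/tls/private/ expects
  openssl genrsa 2048 > "$d/other.key" 2>/dev/null
  check_pair "$d/web.crt" "$d/web.key" && echo "web.crt/web.key: OK"
  if check_pair "$d/web.crt" "$d/other.key"; then echo "unexpected: other.key accepted"; fi
}
demo
```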
---CA Server---
# yum install vsftpd -y
# service vsftpd start
# cp /etc/pki/CA/cacert.pem /var/ftp/pub/s2ca.crt
The client downloads the s2ca.crt certificate
When the download completes, import the certificate
Web server / CA certification authority / client access