Discover checking SSL certificates with OpenSSL, including articles, news, trends, analysis and practical advice about checking SSL certificates with OpenSSL on alibabacloud.com
Use OpenSSL to verify the certificate chain with the following command:
Debian:/home/zhaoya/openssl# openssl verify -CAfile Root_cert User_cert
Root_cert can contain many certificates; you can use the cat command to merge multilevel CA certificates into one file, and then the program will load after startup Root_
One of the things faced by many network engineers is the maintenance and update of SSL certificates. For the author, SSL certificates are mainly used for VPN deployment, but there are also many network devices that need certificates to encrypt client-to-server communication. Every time I claim that I need a certificate, everyone will become speechless, and the
holder of the certificate, the public key of the holder, and the signature of the signer, among others
Note: In cryptography, the number is a standard, the specification of public key authentication, certificate revocation list, authorization credentials, credential path verification algorithm.
Steps to create a self-signed certificate
Use SSL Certificate for connection in HAProxy
I. Environment Introduction
I was notified that the website should be changed from http to https. The current front-end architecture of my website is shown in:
Suppose we have two physical machines with many Tomcat containers on each physical machine. The front end uses HTTP-layer load balancing by HAProxy, and then we use LVS load balancing on th
ca.crt -keyfile ca.key -config openssl.cfg
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cfg
PS: Update the contents of the index.txt.attr file to unique_subject = no if you get an error such as "update database".
Note: There is an error: Using configuration from /usr/share/ssl/openssl.cfg I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory
WORKAROUND: 1). mkdir -p ./demoCA/newce
professionals, we don't have to bother to go straight to the chase.
II. Using OpenSSL to generate SSL Key and CSR
Only a certificate from a CA trusted by the browser or the system lets all visitors access your encrypted site without certificate error prompts. So we skip the self-signed certificate steps and start signing up for a third-party trusted
Background
Because of the recent OpenSSL Heartbleed issue, I changed the SSL library to 1.0.1g. I need to use this library to connect to the server. However, after replacing the library I found that, for some domain names, the SSL handshake fails. In order to find out the cause of failure, we can find the handshaking status in the op
learn how to set up such a user account by following steps 1-4 in our initial server setup for Ubuntu 14.04.
After this, you'll also need to have the Nginx web server installed. If you would like to install an entire LEMP (Linux, Nginx, MySQL, PHP) stack on your server, you can follow our guide on setting up LEMP on Ubuntu 14.04.
If you just want the Nginx web server, you can instead just type:
sudo apt-get update
sudo apt-get install nginx
Step One - Create the SSL Certificate
W
Reposted from: http://blog.csdn.net/madding/article/details/26717963
Generate a self-signed certificate
# Generate a key (your private key). OpenSSL will prompt you to enter a password; you can enter one or leave it out.
# If you enter one, you must type the password each time you use this key; for security, there should be password protection.
> openssl genrsa -des3 -out selfsign.ke
After you enable Apache mod_ssl, you need a certificate for it to function properly. I wrote a script to handle this. The first thing to make sure of is that OpenSSL is installed on the machine.
The code is as follows:
#!/bin/sh
#
# The root directory for SSL certificate output.
ssloutputroot="/etc/apache_ssl"
if
longer have to waste more words, directly into the business.
II. Using OpenSSL to generate SSL Key and CSR
Only a certificate from a CA trusted by the browser or the system lets all visitors access your encrypted web site without certificate error prompts. So we skip the self-signed certificate steps and start by signing the
/clnt1.crt
Personal certificates need to be converted to PFX format
openssl pkcs12 -export -in certs/clnt1.crt -out certs/clnt1.pfx -inkey private/clnt1.key
Apache Configuration
SSLCertificateFile /etc/pki/tls/certs/sv.crt
SSLCertificateKeyFile /etc/pki/tls/private/sv.key
SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
nginx Configuration
server {
listen 443 ssl;
server_na
need to be named cakey.pem in the /etc/pki/CA/private directory, because the /etc/pki/tls/openssl configuration file sets the default path and name of the CA key pair and certificate; if you do not store them in the default location, remember to modify the configuration file
I. Installation preparation
1. Installing OpenSSL
To enable Apache to support SSL, you need to install OpenSSL support first. Recommended download: openssl-0.9.8k.tar.gz
Download OpenSSL: http://www.openssl.org/source/
tar -zxf openssl-0.9.8k.tar.gz // Unzip the
3. Copy cacert.pem, and modify the appropriate permissions
4. Modify the MySQL configuration file and add the content shown in the figure to the mysqld section
The code is as follows
openssl x509 -req -days 3650 -in hupohost.csr -signkey hupohost.key -out hupohost.crt
Here 3650 is the certificate validity period; 3650 is the recommendation, haha. This is arbitrary. The files you end up using are the key and CRT files. If you need a PFX, you can use the following command to generate it
The code is as follows
OpenSSL is the recommended tool; Linux basically ships with it. I struggled with OpenSSL under Windows for 3 hours and gave up over all kinds of DLL issues. Getting straight to the topic: WebService SSL two-way authentication. I. Certificate-related build work 1. Key pair generation [generate private key, remember password, save this fil