Wednesday, April 23, 2008

Configuring SSL in RHEL4.5

Configuring SSL in Linux:
========================

Before configuring SSL:
=======================


1. cd /usr/sbin
2. ls -lrt ap*
3. sh apachectl start
4. Now connect from a client browser; it will warn that the certificate cannot be verified.


Follow the steps below to get a valid certificate:
=================================================

1. Create the certificate directory (Red Hat Linux 4.5)

mkdir /sslcert
chmod 0700 /sslcert
cd /sslcert
mkdir certs private
echo '100001' >serial
touch certindex.txt
touch openssl.cnf
vi openssl.cnf

2. Copy the content below, down to the "###End openssl" line, into openssl.cnf
============================================================================
#
# OpenSSL configuration file.
#

# Establish working directory.

dir = /sslcert

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5 # digest for issued certificates; MD5 is obsolete, use sha256 on current OpenSSL
preserve = no
email_in_dn = no
name_opt = ca_default # subject name display options (key is name_opt, value ca_default)
cert_opt = ca_default # certificate field display options
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024 # Size of keys (2048 or more on current systems)
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm (MD5 is obsolete, use sha256)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------  ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------   ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

#
###End openssl
#
==============================================================


Note: the following commands are run from inside the /sslcert directory:


3. openssl req -x509 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem -days 10000 -config openssl.cnf


Output:
===================================================================

Generating a 1024 bit RSA private key
.........++++++
..............................................................++++++
writing new private key to 'private/cakey.pem'

4. Enter PEM pass phrase: sample1
5. Organization Name (company) [My Company]:doyensys
6. Organizational Unit Name (department, division) []:dba
7. Email Address []:dba@doyensys.com
8. Locality Name (city, district) [My Town]:chennai
9. State or Province Name (full name) [State or Providence]:tamilnadu
10. Country Name (2 letter code) [US]:IN
11. Common Name (hostname, IP, or your name) []:sys46.doyen.in
====================================================================

Note: the Common Name must be the server's real hostname; clients compare it against the name they connect to.


12. cakey.pem is now in the private directory and cacert.pem in /sslcert itself.

13. Still inside /sslcert, run:


openssl req -nodes -new -x509 -keyout apache.key -out apache_request.pem -days 3650 -config openssl.cnf


14. The following two files are generated:

-rw-r--r-- 1 applmgr dba 1273 Apr 17 20:26 apache_request.pem
-rw-r--r-- 1 applmgr dba 891 Apr 17 20:26 apache.key


15. openssl x509 -x509toreq -in apache_request.pem -signkey apache.key -out apache.csr

The following file is generated:

-rw-r--r-- 1 applmgr dba 2180 Apr 17 20:26 apache.csr

16. openssl x509 -req -days 10 -in apache.csr -signkey apache.key -out apache.crt

Note: the validity can be increased beyond 10 days.

17. cp -f apache.crt /etc/httpd/conf/ssl.crt/server.crt
cp -f apache.key /etc/httpd/conf/ssl.key/server.key

18. /usr/sbin/apachectl restart

Note: if httpd is already running, stop it and then start it again.

19. Now connect from the client.

20. View the certificate.

21. Install the certificate.

22. The certificate is now installed; open a new browser and the certificate will be accepted as valid.
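The procedure above builds a CA in step 3 but never uses it: step 16 signs apache.csr with apache.key, so the server certificate is self-signed and the client only accepts it because the leaf certificate itself is imported in step 21. The script below is an added example, not the post's own commands: it runs the same layout (certs/, private/, serial, certindex.txt, openssl.cnf) non-interactively, has the CA sign the server CSR with openssl ca, and then performs the check a client makes once it trusts cacert.pem. It assumes OpenSSL 1.0.2 or later on the PATH; the directory, subjects, hostname, the subjectAltName extension and the demo passphrase are constructed for the example, and sha256 with 2048-bit RSA replaces the post's md5 and 1024-bit settings.

```shell
#!/bin/sh
# Added example, not the commands from the original post: the post's CA plus
# server-certificate flow run non-interactively, with the server certificate
# signed by the CA from step 3 instead of self-signed (step 16), and sha256 /
# 2048-bit RSA in place of md5 / 1024-bit.  Names and passphrase are constructed.
set -eu

# Builds a CA directory in the post's layout under $1 and issues a certificate
# for host $2.  Fails (non-zero) if any openssl step fails.
build_ca_and_sign() {
    cadir=$1
    fqdn=$2
    CA_PASS=${CA_PASS:-demo-passphrase}   # constructed demo value only
    mkdir -p "$cadir/certs" "$cadir/private"
    chmod 0700 "$cadir" "$cadir/private"
    echo '100001' > "$cadir/serial"
    : > "$cadir/certindex.txt"
    # Condensed version of the post's openssl.cnf; 'dir = .' because every
    # openssl command below runs from inside $cadir.
    cat > "$cadir/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial        = $dir/serial
database      = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_days  = 365
default_md    = sha256
email_in_dn   = no
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
commonName = Common Name (hostname)
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
# Browsers match the hostname against the SAN, not the Common Name.
subjectAltName       = DNS:${ENV::SERVER_FQDN}
EOF
    # The config expands this variable when loaded, so export it first.
    SERVER_FQDN=$fqdn
    export SERVER_FQDN
    (
        cd "$cadir"
        # Step 3: self-signed CA certificate, with v3_ca applied explicitly
        # (the post defines the section but never passes -extensions).
        openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem \
            -out cacert.pem -days 3650 -config openssl.cnf -extensions v3_ca \
            -passout "pass:$CA_PASS" -batch \
            -subj "/C=US/ST=My State/O=My Company/CN=Example Root CA"
        # Steps 13-15 collapsed: server key and CSR in one command.
        openssl req -new -nodes -newkey rsa:2048 -keyout apache.key \
            -out apache.csr -config openssl.cnf -batch \
            -subj "/C=US/ST=My State/O=My Company/OU=Web/CN=$fqdn"
        # Step 16 replaced: the CA signs the CSR.  C, ST and O must equal the
        # CA's own values because of policy_match.
        openssl ca -config openssl.cnf -batch -notext -extensions v3_req \
            -days 365 -passin "pass:$CA_PASS" -in apache.csr -out apache.crt
    )
}

# What a client that trusts cacert.pem checks: chain and hostname.
# Exits 0 when $1/apache.crt is valid for host $2 under the CA in $1.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/apache.crt" >/dev/null
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    build_ca_and_sign "$d" www.example.com
    verify_server_cert "$d" www.example.com && echo "apache.crt chains to the CA"
fi
```

Run it as `sh make-certs.sh run`. The resulting apache.key and apache.crt go to /etc/httpd/conf/ssl.key/server.key and /etc/httpd/conf/ssl.crt/server.crt exactly as in step 17; the difference is on the client side, where what gets installed in step 21 is cacert.pem (the CA) rather than the server certificate, so every certificate the CA later issues is accepted without another import, and a renewal after the 10-day (or longer) validity does not need a fresh visit to each browser.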

==============================================================
