Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to generate self-signed certificates under CentOS". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn how to generate a self-signed certificate under CentOS.

1. Generate a self-signed certificate

Usually, to configure a https server, you need an X509 certificate certified by a formal CA authority. When the client connects to the https server, the CA's common key is used to check the correctness of the certificate. But to get the CA certificate is a very troublesome thing, and it also costs a certain amount of money. So usually some small institutions will use self-signed certificates. That is, do your own CA and sign your own server certificate.

There are two main steps in this process, first to generate your own CA certificates, and then to generate and sign certificates for each server. I use OpenSSL to generate self-signed certificates.

The first step is to create a certificate for CA:

Openssl genrsa-des3-out my-ca.key 2048

Openssl req-new-x509-days 3650-key my-ca.key-out my-ca.crt

This generates my-ca.key and my-ca.crt files, which hold the keys necessary to use my-ca.crt to make signatures and should be kept safe. The latter can be made public. The above order sets the validity period for my-ca.key to 10 years.

Use a command

Openssl x509-in my-ca.crt-text-noout

You can view the contents of the my-ca.crt file.

Once you have the CA certificate, you can generate a certificate for your own server:

Openssl genrsa-des3-out mars-server.key 1024

Openssl req-new-key mars-server.key-out mars-server.csr

Openssl x509-req-in mars-server.csr-out mars-server.crt-sha1-CA my-ca.crt-CAkey my-ca.key-CAcreateserial-days 3650

The first two commands generate key and csr files, and the last command creates an x509 signing certificate for mars-server.csr through my-ca.crt.

It is important to note that when executing the second command above, the Common Name option should enter the domain name of the server, otherwise there will be additional prompts each time the user accesses through the https protocol.

Use a command

Openssl x509-in mars-server.crt-text-noout

You can view the contents of the mars-server.crt file.

two。 Configure the Apache server

First, create the / etc/apache2/ssl directory and copy the my-ca.crt, mars-server.key, and mars-server.crt files you just made into this directory.

Then execute the command.

A2emod ssl

Activate the SSL module of Apache, and then add a virtual host to / etc/apache2/sites-enable/, which is similar to adding a normal virtual host, except that the port of that host should be 443. The configuration is as follows:

NameVirtualHost *: 443

ServerName localhost

DocumentRoot / var/www

SSLEngine On

SSLCipherSuite HIGH:MEDIUM

SSLProtocol all-SSLv2

SSLCertificateFile / etc/apache2/ssl/mars-server.crt

SSLCertificateKeyFile / etc/apache2/ssl/mars-server.key

SSLCACertificateFile / etc/apache2/ssl/my-ca.crt

Order deny,allow

Allow from localhost

ServerName localhost

DocumentRoot / var/www

Order deny,allow

Allow from localhost

The above configuration ensures that users can see the same content when accessing ports 443 and 80, but only using different protocols. After modifying the configuration, you can restart the Apache server, and you need to enter the password of mars-server.key. Access it with a browser

Https://localhost/

You should see a pop-up dialog box that allows you to confirm whether you trust the certificate of the site, and after selecting trust, you can view the content of the site.

Since most Apache servers start automatically when the server starts, to avoid entering a password when starting Apache, you can generate an unencrypted mars-server.key file with the following command:

Openssl rsa-in mars-server.key-out mars-server.key.insecure

Replace the original key file with the newly generated mars-server.key.insecure.

At this point, I believe you have a deeper understanding of "how to generate a self-signed certificate under CentOS". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.