Realize the fifth bullet (final chapter) of HTTPS series [HTTPS through OpenSSL]

2025-01-19 Update | From: SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/02 Report

Preface:

To close out the HTTPS series, this article walks through the whole configuration process from start to finish: installing OpenSSL, generating keys, generating a CSR, generating a certificate, building a root CA, and installing and configuring httpd.

If you only want to get the configuration done quickly, jump to the end of the article, where the configuration commands are collected in a summary.

At the time of writing [June 7, 2017] my knowledge of this area is limited, so some of the content may not be deep or comprehensive enough. Please point out problems so we can discuss them; if later work and study show that something here deviates from reality, the post will be corrected.

1. First bullet: HTTPS series, part one [introduction to the concepts of HTTP, HTTPS, WWW and the web]

Link: http://watchmen.blog.51cto.com/6091957/1922919

2. Second bullet: HTTPS series, part two [asymmetric encryption, public and private keys, digital signatures, OpenSSL and HTTPS]

Link: http://watchmen.blog.51cto.com/6091957/1923426

3. Third bullet: HTTPS series, part three [digital signatures, digital certificates, CA authentication, etc.]

Link: http://watchmen.blog.51cto.com/6091957/1924747

4. Fourth bullet: HTTPS series, part four [TLS and SSL concepts]

Link: http://watchmen.blog.51cto.com/6091957/1927937

References:

1. https://www.openssl.org/

2. Ivan Ristić, Bulletproof SSL and TLS [excellent; the classic, must-read reference]

Download link: http://down.51cto.com/data/2306452

3. Ivan Ristić, OpenSSL Cookbook [classic, must-read]

Download link: http://down.51cto.com/data/2315234

Main text:

1. OpenSSL is an open-source project: a robust, commercial-grade, full-featured toolkit that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. In other words, OpenSSL is an open-source implementation of TLS/SSL, just as OpenSSH is an open-source implementation of SSH; it is software installed on the server (a library plus the openssl command-line tool).

2. By default a web server speaks HTTP, a plaintext protocol: nothing in transit is encrypted or integrity-protected, which causes serious security problems. Anyone on the network path can read every packet with a capture tool, can modify responses, or can set up a web server that impersonates the real one, so end users may not actually be talking to the genuine server at all. To address this, most companies put HTTPS on their web servers. For a site that only offers reading and downloading, where users never submit anything, HTTP is sometimes still accepted, but note that even then an attacker on the path can alter the pages or the downloaded files. For a site that handles sensitive information, such as one where users log in to get service, HTTPS is mandatory. HTTPS gives a site the following: 1) everything exchanged with the server is encrypted and integrity-protected; 2) the server presents a certificate issued by a trusted CA, so an impostor cannot pass itself off as the real server.

3. TLS 1.1 and TLS 1.2 are only supported from OpenSSL 1.0.1 onward; the 0.9.8 and 1.0.0 branches stop at TLS 1.0. Install a current release to get the newer protocol versions.

4. X.509 is the digital certificate standard published by the International Telecommunication Union (ITU-T). It defines the structure of a certificate, not a file format; the actual on-disk encodings (DER, PEM) are described later. The relationship is similar to that between POSIX and Linux.

5. At the time of writing (mid-2017) the Apache httpd 2.4.x releases in common use could not be built against OpenSSL 1.1.x; support for OpenSSL 1.1.0 arrived in httpd 2.4.26. Check the httpd version before pairing it with a 1.1.x OpenSSL.

Environment information

Operating system information

weblogic@suse11-weblogic:~> cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0

weblogic@suse11-weblogic:~> uname -r
2.6.27.19-5-default

Note: please ignore my kernel and system version. The production systems I currently maintain range from SLES 11 SP0 to SP4; when I built a new virtual machine I happened to pick the lowest version, but that does not affect anything here, and it is actually more representative.

Detailed version information of the OpenSSL shipped with the system: openssl version -a

weblogic@suse11-weblogic:~> openssl version -a
OpenSSL 0.9.8h 28 May 2008
built on: Sat Feb 21 02:45:26 UTC 2009
platform: linux-x86_64
options: bn(64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DNO_ASM -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fomit-frame-pointer -fno-strict-aliasing -DTERMIO -Wall -fstack-protector -fprofile-use
OPENSSLDIR: "/etc/ssl"

Note: the OPENSSLDIR: "/etc/ssl" line at the end shows where this OpenSSL build looks for its configuration file (openssl.cnf) and its certificate store.

As the output shows, the bundled OpenSSL is 0.9.8h, which cannot speak TLS 1.1 or 1.2, so a newer OpenSSL should be installed. The full procedure follows.

1. Compile and install a current OpenSSL

Version installed: openssl-1.1.0e.tar.gz, downloaded from https://www.openssl.org/source. Before unpacking, compare the tarball against the SHA-256 checksum (and, ideally, the PGP signature) published next to it on openssl.org, so that a tampered download is not built into the trust anchor of the whole server.

suse11-weblogic:/home/weblogic # tar -xzf openssl-1.1.0e.tar.gz

suse11-weblogic:/home/weblogic/openssl-1.1.0e # ./config --prefix=/opt/openssl --openssldir=/opt/openssl enable-ec_nistp_64_gcc_128

suse11-weblogic:/home/weblogic/openssl-1.1.0e # echo $?    (check that the exit status is 0)

An error occurred during make:

suse11-weblogic:/home/weblogic/openssl-1.1.0e # make
... intermediate output omitted ...
Please run the same make command again
make: *** [configdata.pm] Error 1

The cause was that the virtual machine's clock was wrong: it read 2016, while this release was published on February 16, 2017, so the build saw files with timestamps in the future and stopped with this error. After the clock was set correctly, make ran normally. Resolution:

suse11-weblogic:/home/weblogic/openssl-1.1.0e # date -s "2017-05-23 16:27:00"

suse11-weblogic:/home/weblogic/openssl-1.1.0e # hwclock -w

Set the system time, then write it to the hardware clock.

suse11-weblogic:/home/weblogic/openssl-1.1.0e # make

suse11-weblogic:/home/weblogic/openssl-1.1.0e # make install

suse11-weblogic:/home/weblogic/openssl-1.1.0e # ln -s /opt/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1

suse11-weblogic:/home/weblogic/openssl-1.1.0e # ln -s /opt/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

Note: the shared libraries of the new build (libssl.so.1.1 and libcrypto.so.1.1) must be findable by the dynamic linker, otherwise the new openssl binary will not start. Symlinking into /usr/lib64 works; the tidier alternative is to add /opt/openssl/lib to a file under /etc/ld.so.conf.d/ and run ldconfig. Either way, leave the system's own 0.9.8 libraries in place: packaged software from the distribution still depends on them.

suse11-weblogic:~ # vim /etc/profile

Add a line at the end of the file, then save and exit: export PATH=/opt/openssl/bin:$PATH

suse11-weblogic:~ # source /etc/profile

2. Commands and parameters supported by openssl

OpenSSL is a cryptographic toolkit; the openssl binary offers many subcommands that implement different functions.

suse11-weblogic:/opt/openssl/bin # openssl help

Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            exit
gendsa            genpkey           genrsa            help
list              nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha384            sha512

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       base64            bf
bf-cbc            bf-cfb            bf-ecb            bf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
des               des-cbc           des-cfb           des-ecb
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb
des-ofb           des3              desx              idea
idea-cbc          idea-cfb          idea-ecb          idea-ofb
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb

Note: the blog editor strips blank lines, which broke the original column layout; the listing above has been re-spaced into the three groups that openssl help prints.

First group: all available subcommands.

Second group: all supported message digest algorithms.

Third group: all supported cipher commands (symmetric encryption).

3. Configure openssl

Configuring OpenSSL for a server generally follows these steps:

1. Generate a key pair

2. Generate a certificate signing request (CSR) from the key and send it to a CA

3. The CA accepts the CSR, verifies it and issues a certificate

4. Obtain the issued certificate and start using it (install it on the server)

3.1. Key generation

OpenSSL can generate RSA, DSA and ECDSA keys, but not every algorithm suits every situation. For web servers RSA is the usual choice. DSA is in practice limited to 1024 bits (Internet Explorer only accepted 1024-bit DSA), although the algorithm itself is not restricted to 1024 bits, and 1024-bit keys are too weak today. ECDSA gives smaller, faster keys and is widely supported by CAs and modern browsers, but some older clients do not support it. For SSH, DSA and RSA have been the common choices; ECDSA is not supported by every SSH client, so it can cause connection problems.

Recommended sizes: 2048 bits for RSA and DSA, at least 256 bits for ECDSA.

3.1.1. Generate a key with RSA

About the key length: older OpenSSL releases defaulted to a weak RSA size (1024 bits, and 512 bits in very old versions), which is insecure. Always pass the size explicitly and use 2048 bits or more (1.1.0 and later default to 2048).

suse11-weblogic:/opt/openssl/bin # openssl genrsa -aes128 -out fd.key 2048

Note: generates a 2048-bit RSA private key and writes it in PEM format, encrypted with AES-128; you are prompted for the passphrase that protects the key.

suse11-weblogic:/opt/openssl/bin # openssl rsa -in fd.key -pubout -out fd-public.key

Note: extracts the public key from the private key into a separate file; the key's passphrase is required.

Commands to view the key:

1. View the raw contents of the key: cat fd.key

2. View the structure and contents of the key: openssl rsa -text -noout -in fd.key

3.1.2. Generate a key with DSA

Generating a DSA key takes two steps: first generate the DSA domain parameters, then generate the key from them. Unlike RSA it cannot be done with one command, so the two steps are piped together here.

suse11-weblogic:/opt/openssl/private # openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128

Note: generates a 2048-bit DSA private key in PEM format, encrypted with AES-128; you are prompted for the passphrase.

suse11-weblogic:/opt/openssl/private # openssl dsa -in dsa.key -pubout -out dsa-public.key

Note: extracts the public key from the private key into a separate file; the key's passphrase is required.

Commands to view the key:

1. View the raw contents of the key: cat dsa.key

2. View the structure and contents of the key: openssl dsa -text -noout -in dsa.key

3.1.3. Generate a key with ECDSA

Generating an ECDSA key also takes two steps: first select the curve parameters, then generate the key from them.

suse11-weblogic:/opt/openssl/private # openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128

Note: generates an ECDSA private key on the secp256r1 curve (also called prime256v1 or NIST P-256, a 256-bit curve) in PEM format, encrypted with AES-128; you are prompted for the passphrase.

suse11-weblogic:/opt/openssl/private # openssl ec -in ec.key -pubout -out ec-public.key

Note: extracts the public key from the private key into a separate file; the key's passphrase is required.

Commands to view the key:

1. View the raw contents of the key: cat ec.key

2. View the structure and contents of the key: openssl ec -text -noout -in ec.key

3.2. Generate a certificate signing request (CSR)

Once we have the key pair, we build a Certificate Signing Request (CSR) from it and send the CSR to the CA, asking it to issue a certificate. Only the CSR is sent; the private key never leaves the server.

The CSR carries the requester's public key and the identity information (the subject) for the certificate, and is signed with the requester's private key; the CA copies this information into the certificate it issues.

3.2.1. Generate a new CSR interactively

Note: generating a CSR this way is interactive; openssl asks for the identity fields that will go into the certificate. To leave a field blank you must type a single dot '.' rather than just pressing Enter; pressing Enter accepts the default value shown in brackets, which is not what you want for a real certificate.

suse11-weblogic:/opt/openssl/private # openssl req -new -key fd.key -out fd.csr

Enter pass phrase for fd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PICC
Organizational Unit Name (eg, section) []:PICC
Common Name (e.g. server FQDN or YOUR name) []:watchmen.blog.51cto.com
Email Address []:568100840@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: the challenge password is defined in RFC 2985 (PKCS #9); it was originally meant to authenticate a later revocation request for the certificate. If you enter one it is embedded in the CSR sent to the CA, but CAs essentially never use it, so most guides recommend leaving it blank. It has no effect on the security of the key.

3.2.2. Regenerate a CSR from the information in an existing certificate

If your certificate is about to expire and you want to renew it while keeping the same key pair and subject information, you can generate a new CSR directly from the existing certificate:

suse11-weblogic:/opt/openssl/private # openssl x509 -x509toreq -in fd.crt -out fd.csr -signkey fd.key

Note: nothing special here; try it and read the output.

3.2.3. Generate a CSR non-interactively from a configuration file

When typing the fields by hand is inconvenient, or simply to save time, the identity information can be written to a configuration file in advance and loaded when the CSR is generated.

suse11-weblogic:/opt/openssl/private # vim fd.cnf

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
input_password = 111111

[dn]
CN = watchmen.blog.51cto.com
emailAddress = 568100840@qq.com
O = PICC
L = BJ
C = CN

[ext]
subjectAltName = DNS:www.51cto.com,DNS:51cto.com

Note: the above is the content of the file. 111111 is the passphrase of the key, and the [ext] section requests a subjectAltName so that one certificate covers several hostnames. Keeping the passphrase in input_password stores it in cleartext on disk, so either restrict the file's permissions (chmod 600) or omit that line and supply the passphrase with -passin instead.

suse11-weblogic:/opt/openssl/private # openssl req -new -config fd.cnf -key fd.key -out fd-second.csr

Note: try it yourself; it really is convenient.

3.3. Accept the CSR and generate a certificate

Once the CSR exists, you can send it to one of the well-known public CAs on the Internet to request a certificate (for a fee, of course) or process the request yourself (free, but trusted only by clients you configure to trust it).

Check the CSR before sending it. The command to inspect a CSR:

suse11-weblogic:/opt/openssl/private # openssl req -text -in fd.csr -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = watchmen.blog.51cto.com, emailAddress = 568100840@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:78:2a:5b:75:41:eb:01:40:4c:55:b1:35:74:
                    35:4d:ae:91:77:96:0b:ac:74:0f:cc:47:28:bc:31:
                    ... (omitted) ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         22:c3:78:2c:18:3b:e5:34:95:bd:9a:08:cc:12:b4:42:75:3d:
         73:8f:d5:8e:ff:50:a3:df:29:e6:62:ba:2a:38:46:da:eb:42:
         ... (omitted) ...

3.3.1. Generate a self-signed certificate

suse11-weblogic:/opt/openssl/private # openssl x509 -req -days 3650 -in fd.csr -signkey fd.key -out fd.crt
Signature ok
subject=C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = watchmen.blog.51cto.com, emailAddress = 568100840@qq.com
Getting Private key
Enter pass phrase for fd.key: [enter the key passphrase here]

Note: -days 3650 makes the certificate valid for ten years. That is convenient in a lab; for anything clients really connect to, use a shorter validity, because a long-lived certificate widens the damage window if the key is ever compromised.

A shortcut: openssl can also create a self-signed certificate directly from the key, without a separate CSR.

1) entering the subject information interactively:

openssl req -new -x509 -days 3650 -key fd.key -out fd.crt

2) without any interactive input, passing the subject on the command line:

openssl req -new -x509 -days 3650 -key fd.key -out fd.crt -subj "/C=CN/L=BJ/O=PICC/CN=watchmen.blog.51cto.com"

3.3.2. Generate self-signed certificates for multiple hosts

By default a certificate names a single host, so if you have a group of related web sites each would need its own certificate. That is only the default, though.

There are two ways to cover multiple hosts with one certificate; choose according to the situation:

1. List every hostname that needs the certificate (one subjectAltName entry each)

2. Use a wildcard to match the hostnames that need the certificate

In practice you combine them: 51cto.com and *.51cto.com, that is, list the bare domain and use a wildcard for its subdomains. A wildcard matches exactly one label (www.51cto.com but not a.b.51cto.com) and does not match the bare domain, which is why both entries are needed.

1) write the hostname configuration file

suse11-weblogic:/opt/openssl/private # vim fd.ext

subjectAltName = DNS:*.51cto.com,DNS:51cto.com

Note: the above is the content of the fd.ext file

2) generate the multi-host certificate

suse11-weblogic:/opt/openssl/private # openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd-second.crt -extfile fd.ext
Signature ok
subject=C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = watchmen.blog.51cto.com, emailAddress = 568100840@qq.com
Getting Private key
Enter pass phrase for fd.key: [enter the key passphrase here]

Note: the private key is required; the existing CSR is reused, so the CSR generation step can be skipped. The extension file is needed because x509 -req ignores the extensions requested inside the CSR: a subjectAltName in fd.cnf alone would not end up in the certificate.
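The CSR and self-signing steps of 3.2.3 through 3.3.2 as one added example, not the post's own commands: it writes the request configuration, builds the CSR without prompts, runs the two checks worth doing before a CSR leaves the machine (the self-signature verifies and the SANs are the intended ones), then self-signs while re-applying the SAN through -extfile, and reads the SAN back out of the certificate. It assumes openssl 1.1.0 or newer and an existing unencrypted PEM key; the hostnames and DN values are placeholders.

```shell
#!/bin/sh
# Added example (not the blog's own commands). Assumes openssl 1.1.0+ on PATH.
set -eu

# Write a [req] config to $1 for common name $2 with SAN list $3 (e.g. "DNS:a,DNS:b").
write_req_conf() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
default_md = sha256

[dn]
C = CN
O = Example
CN = $2

[ext]
subjectAltName = $3
EOF
}

make_csr() {               # $1 = private key, $2 = config, $3 = output CSR
    openssl req -new -key "$1" -config "$2" -out "$3"
}

# Pre-submission checks: the CSR's self-signature must verify (otherwise the key
# and the request do not match), then print the requested SANs for eyeballing.
csr_sans() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || { echo bad-signature; return 0; }
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^ +/, ""); print }'
}

# Self-sign the CSR. `x509 -req` drops the extensions the CSR asked for, so the SAN
# has to be supplied again via -extfile; without it the certificate has no SAN and
# modern browsers reject it, since they ignore the CN for hostname matching.
self_sign() {              # $1 = CSR, $2 = key, $3 = output cert, $4 = SAN list, $5 = days
    printf 'subjectAltName = %s\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' "$4" > "$3.ext"
    openssl x509 -req -days "$5" -in "$1" -signkey "$2" -extfile "$3.ext" -out "$3" 2>/dev/null
}

cert_sans() {              # SANs actually present in certificate $1
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^ +/, ""); print }'
}
```

Usage: write_req_conf fd.cnf www.example.com "DNS:www.example.com,DNS:example.com"; make_csr fd.key fd.cnf fd.csr; csr_sans fd.csr should print DNS:www.example.com, DNS:example.com; then self_sign fd.csr fd.key fd.crt "DNS:www.example.com,DNS:example.com" 365 and cert_sans fd.crt prints the same list.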

3.3.3. Check the certificate

suse11-weblogic:/opt/openssl/private # openssl x509 -text -in fd.crt -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            bd:8f:b6:44:4f:2f:d6:93
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = watchmen.blog.51cto.com, emailAddress = 568100840@qq.com
        Validity
            Not Before: May 23 16:31:29 2017 GMT
            Not After : May 21 16:31:29 2027 GMT
        Subject: C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = watchmen.blog.51cto.com, emailAddress = 568100840@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:78:2a:5b:75:41:eb:01:40:4c:55:b1:35:74:
                    35:4d:ae:91:77:96:0b:ac:74:0f:cc:47:28:bc:31:
                    ... (omitted) ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         12:3a:c2:5f:c2:5f:8c:f7:2d:c4:39:30:6f:ff:d8:e9:46:a9:
         d6:e4:4d:f8:9d:2a:ce:31:1d:74:25:35:6a:07:52:bb:7c:0c:
         ... (omitted) ...

A self-signed certificate produced this way contains only these basic fields; certificates issued by a CA carry additional X.509v3 extensions.

Two of those extensions, KU (Key Usage) and EKU (Extended Key Usage), restrict what the certificate may be used for. When they are present, clients accept the certificate only for the listed purposes (and when an extension is marked critical, a client that does not understand it must reject the certificate); when they are absent, no restriction applies. Example:

X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

CRL (Certificate Revocation List)

A CRL lists the certificates that clients and servers should no longer trust even though they have not yet expired (it lists certificate serial numbers, not keys). It is signed by the CA and reissued regularly, for example every 7 days.

Example CRL download address: http://crl.starfieldtech.com/sfs3-20.crl

3.3.4. Certificate and key formats

Keys and certificates can be stored in several encodings, so you may need to convert between them when moving them around.

1) certificate: DER (binary)

The native X.509 certificate with no further processing: the ASN.1 structure in DER encoding.

2) certificate: PEM (ASCII)

The DER certificate encoded in Base64 and wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

3) certificate: PKCS#7

A container that can hold a set of certificates (for example a whole chain) without the private key; comparatively rare. Interested readers can look at RFC 2315.

4) key: DER (binary)

The key in its native form: the ASN.1 structure in DER encoding.

5) key: PEM (ASCII)

The DER key encoded in Base64, sometimes with additional metadata such as the algorithm type and, for encrypted keys, the cipher used.

6) key and certificate: PKCS#12 (PFX)

A password-protected container that holds a private key together with its certificate chain; the extensions are usually .p12 or .pfx. Commonly used by Microsoft products (and by Java keystores).

3.3.5. Certificate format conversion

1) convert PEM to DER

suse11-weblogic:/opt/openssl/certs # openssl x509 -inform PEM -in fd.crt -outform DER -out fd.der

2) convert DER to PEM

suse11-weblogic:/opt/openssl/certs # openssl x509 -inform DER -in fd.der -outform PEM -out fd.pem

Other, less common conversions are not covered here; they are described very clearly in the book.
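The conversions of 3.3.5, including the PKCS#12 bundling mentioned in 3.3.4, as an added example that is not part of the original post. It converts a certificate PEM to DER and back, packs key and certificate into a .p12, extracts the certificate again, and proves each step lossless by comparing SHA-256 fingerprints. It assumes openssl 1.1.0 or newer; the file names are placeholders, and the PKCS#12 passphrase is read from an environment variable (P12_PASS) so it never appears in the process list the way -passout pass:... would.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl 1.1.0+ on PATH.
set -eu

pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# SHA-256 fingerprint of certificate $1, whose encoding is $2 (PEM or DER).
# The fingerprint is over the DER bytes, so it is the same in either encoding.
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Bundle key and certificate for Windows/IIS or Java consumers.
# $1 = private key, $2 = certificate, $3 = output .p12; P12_PASS must be exported.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name server -out "$3" -passout env:P12_PASS
}

# Pull only the certificate back out of bundle $1, as clean PEM on stdout
# (piping through `openssl x509` strips the "Bag Attributes" preamble).
pkcs12_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS | openssl x509
}
```

Usage: pem_to_der fd.crt fd.der; der_to_pem fd.der fd.pem; cert_fingerprint fd.crt PEM and cert_fingerprint fd.der DER print the same value. Then export P12_PASS, make_pkcs12 fd.key fd.crt fd.p12, and pkcs12_cert fd.p12 yields a certificate with that same fingerprint. A .p12 is only as strong as its passphrase, so treat it like the private key it contains.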

4. Build your own CA (Certificate Authority)

Now for the key part: this chapter explains how to build your own CA. OpenSSL provides everything needed to run a CA, but no friendly graphical interface; everything is configured on the command line. On the other hand, command-line configuration is more precise and efficient, and it forces you to understand what is actually happening.

The biggest challenge in running a private CA is not the setup but securing the infrastructure, that is, the CA machine itself. The root key must be kept offline, since it is the root of all trust, and the revocation information (the CRL, and OCSP responses) must be kept up to date. (CRLs were covered above; OCSP is a real-time online certificate status protocol that complements the CRL mechanism and lets browsers ask the CA about a certificate's status on the spot.)

In this section you will create two configuration files: root-ca.conf, which controls the root CA, and sub-ca.conf, which controls a subordinate CA issued by the root.

Root CA configuration: create the root-ca.conf file

Before creating the CA we prepare a configuration file (root-ca.conf) that spells out exactly what we are configuring. For simple cases it can be omitted, but for anything complex it is very useful. Let's get familiar with the file before starting; it is used throughout the rest of the configuration.

The root-ca.conf configuration file looks like this:

[default]
name = root-ca
domain_suffix = example.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "CN"
organizationName = "Example"
commonName = "Root CA"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[name_constraints]
permitted;DNS.0=example.com
permitted;DNS.1=example.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

Note:

Section 1 ([default]): basic information about the CA: its name, domain, and the URLs (AIA, CRL, OCSP) that will be embedded in the certificates it issues.

Section 2 ([ca_dn]): the distinguished name of the CA (country, organization, common name). A public commercial CA would carry fuller information; for a private CA the minimum suffices.

Section 3 ([ca_default] and [policy_c_o_match]): how certificate signing requests (CSRs) are processed: the validity period, the digest algorithm, and the file names and paths of the database, serial counter and issued certificates. [policy_c_o_match] is the DN policy: for each subject field, match means the CSR's value must equal the CA's own, supplied means it must be present, optional means it may be absent. Here country and organization must match the CA and a common name must be supplied.

Section 4 ([req] and [ca_ext]): parameters for generating the root CA's own key and CSR. [ca_ext] (CA:true, keyCertSign and cRLSign) is applied when the root certificate is self-signed; every subordinate CA is constrained by what the root allows.

Section 5 ([sub_ca_ext] together with [crl_info], [issuer_info] and [name_constraints]): the extensions placed in a subordinate CA certificate issued by this root: Authority Information Access (the CA issuer and OCSP URLs from [issuer_info]), the CRL distribution point ([crl_info]), pathlen:0 so that the sub-CA cannot issue further CAs, and name constraints restricting it to example.com and example.org and excluding all IP addresses.

Section 6 ([ocsp_ext]): the extensions for an OCSP responder certificate; it comes into play when OCSP is set up.

4.1. Create the root certification authority (root CA)

Now the fun begins. Creating a brand-new root CA has the following steps:

1. Configure and create the directory structure

2. Generate the key and the CSR

3. Generate the certificate

4.1.1. Create the root CA directory structure

suse11-weblogic:/opt/openssl # mkdir root-ca

suse11-weblogic:/opt/openssl # cd root-ca

suse11-weblogic:/opt/openssl/root-ca # mkdir certs db private

suse11-weblogic:/opt/openssl/root-ca # chmod 700 private/

suse11-weblogic:/opt/openssl/root-ca # touch db/index

suse11-weblogic:/opt/openssl/root-ca # openssl rand -hex 16 > db/serial

suse11-weblogic:/opt/openssl/root-ca # echo 1001 > db/crlnumber

suse11-weblogic:/opt/openssl/root-ca # vim root-ca.conf    [enter the contents of the file above, save and exit]

Note:

1. The certs directory stores a copy of every issued certificate, named by serial number.

2. The db directory is the certificate database: index records every certificate, serial holds the next serial number (random, not sequential, so that serials leak nothing about issuance volume), and crlnumber holds the next CRL number.

3. The private directory stores the CA key; it is mode 700 so that only root can read it.

4.1.2. Generate key file and CSR

Creating the root CA is done in two steps. First the key and the CSR are generated (the subject information is read from the root-ca.conf written above); second, a self-signed certificate is created from them.

1) generate the key and the CSR

suse11-weblogic:/opt/openssl/root-ca # openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
Generating a 4096 bit RSA private key
....++
...++
writing new private key to 'private/root-ca.key'
Enter PEM pass phrase: [enter the passphrase to set on the private key]
Verifying - Enter PEM pass phrase: [enter it again]

Note: the subject information is read from root-ca.conf, and the default_bits = 4096 in its [req] section is why a 4096-bit RSA key is generated.

4.1.3. Generate a self-signed certificate

1) create a self-signed certificate

suse11-weblogic:/opt/openssl/root-ca # openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
Using configuration from root-ca.conf
Enter pass phrase for ./private/root-ca.key:
Can't open ./db/index.attr for reading, No such file or directory
140544382932720:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('./db/index.attr','r')
140544382932720:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:56:53:54:11:68:f3:75:fe:a3:6b:60:cf:be:cb:71
        Issuer:
            countryName = CN
            organizationName = Example
            commonName = Root CA
        Validity
            Not Before: May 24 05:40:03 2017 GMT
            Not After : May 22 05:40:03 2027 GMT
        Subject:
            countryName = CN
            organizationName = Example
            commonName = Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bb:96:c9:6d:69:fa:b4:65:7c:7b:a1:07:51:ef:
                    9d:f5:53:49:4a:64:f8:60:f7:3d:cf:6d:d4:4e:b6:
                    ... (about 40 lines omitted) ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F4:3C:60:6D:C2:B2:77:57:E0:2D:0C:09:DE:31:C9:A8:2F:1E:AA:9E
Certificate is to be certified until May 22 05:40:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y    [type y here]

1 out of 1 certificate requests certified, commit? [y/n]y    [type y here]
Write out database with 1 new entries
Data Base Updated

Note: -extensions ca_ext takes the extensions from the [ca_ext] section of the configuration file. The messages about ./db/index.attr are harmless: the file did not exist yet and openssl creates it on the first commit.

Each issued certificate is recorded as one line in ./db/index; a copy of the certificate is also written to ./certs/ under its serial number.

Suse11-weblogic:/opt/openssl/root-ca/db # cat index

V	270522054003Z		445653541168F375FEA36B60CFBECB71	unknown	/C=CN/O=Example/CN=Root CA

Note: the six fields are explained as follows:

1. Status flag (V for valid, R for revoked, E for expired)

2. Expiration date (in YYMMDDHHMMSSZ format)

3. Revocation date, or empty if not revoked

4. Serial number (hexadecimal)

5. File location, or unknown if not known

6. Distinguished name
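The six-field index format above is also what the OCSP responder later reads via -index db/index. The following added example (my code, not the post's or OpenSSL's) parses such a database and answers the good/revoked/unknown question for a serial number; it assumes the tab-separated layout openssl ca writes, with the revocation field stored as "date,reason", and the sample lines are constructed after the entries shown in the post.

```python
"""Parse and evaluate an OpenSSL `ca` index database (db/index).

Added example, not code from the original post. It assumes the layout
`openssl ca` writes to its `database` file: one record per line with
six tab-separated fields (status, expiry, revocation, serial, file, DN),
the revocation field holding "<date>,<reason>" once -revoke has run.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample, modelled on the index lines shown in the post: the
# root CA, its 30-day OCSP responder certificate, and a sub-CA entry as
# it looks after `openssl ca -revoke ... -crl_reason keyCompromise`.
SAMPLE_INDEX = (
    "V\t270522054003Z\t\t445653541168F375FEA36B60CFBECB71\tunknown\t"
    "/C=CN/O=Example/CN=Root CA\n"
    "V\t170623075624Z\t\t445653541168F375FEA36B60CFBECB72\tunknown\t"
    "/C=CN/O=Example/CN=OCSP Root Responder\n"
    "R\t270522085904Z\t170524072152Z,keyCompromise\t"
    "445653541168F375FEA36B60CFBECB73\tunknown\t/C=CN/O=Example/CN=Sub CA\n"
)


@dataclass
class IndexEntry:
    status: str                     # "V" valid, "R" revoked, "E" expired
    expires: datetime
    revoked_at: Optional[datetime]  # only for revoked entries
    reason: Optional[str]           # CRL reason, if -crl_reason was given
    serial: str                     # upper-case hex, as openssl writes it
    filename: str                   # "unknown" unless the CA recorded a path
    subject: str                    # distinguished name


def parse_utc(stamp: str) -> datetime:
    """Parse an index timestamp: YYMMDDHHMMSSZ (UTCTime), or the
    YYYYMMDDHHMMSSZ form openssl uses for dates from 2050 on."""
    if len(stamp) not in (13, 15) or not stamp.endswith("Z"):
        raise ValueError(f"bad timestamp {stamp!r}")
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the whole database. Malformed records raise instead of
    being skipped: a silently dropped line could hide a revocation."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:
            date, _, reason = revocation.partition(",")
            revoked_at = parse_utc(date)
            reason = reason or None
        if (status == "R") != (revoked_at is not None):
            raise ValueError(f"line {lineno}: status and revocation field disagree")
        entries.append(IndexEntry(status, parse_utc(expiry), revoked_at, reason,
                                  serial.upper(), filename, subject))
    return entries


def certificate_status(entries: List[IndexEntry], serial: str,
                       now: datetime) -> Tuple[str, Optional[str]]:
    """What an OCSP responder fed `-index db/index` would answer for one
    serial: ("good" | "revoked" | "expired" | "unknown", reason).
    "expired" is what `openssl ca -updatedb` would later mark as E."""
    wanted = serial.upper().lstrip("0")
    for entry in entries:
        if entry.serial.lstrip("0") != wanted:
            continue
        if entry.status == "R":
            return "revoked", entry.reason
        if entry.status == "E" or entry.expires <= now:
            return "expired", None
        return "good", None
    return "unknown", None


def crl_entries(entries: List[IndexEntry]) -> List[Tuple[str, datetime, Optional[str]]]:
    """The revoked set that `openssl ca -gencrl` would write into the CRL."""
    return [(e.serial, e.revoked_at, e.reason) for e in entries if e.status == "R"]


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    when = parse_utc("170701000000Z")  # a date after the OCSP cert expired
    for e in db:
        print(e.serial, e.subject, certificate_status(db, e.serial, when))
    print("CRL would list:", crl_entries(db))
```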

2) generate a CRL list file for the newly generated CA

Suse11-weblogic:/opt/openssl/root-ca # openssl ca -gencrl -config root-ca.conf -out root-ca.crl

Using configuration from root-ca.conf

Enter pass phrase for ./private/root-ca.key: [enter key password]

3) Supplement: revoke the certificate just generated, using the -revoke option

Suse11-weblogic:/opt/openssl/root-ca # cd certs/

Suse11-weblogic:/opt/openssl/root-ca/certs # ls

445653541168F375FEA36B60CFBECB71.pem

Suse11-weblogic:/opt/openssl/root-ca/certs # cp 445653541168F375FEA36B60CFBECB71.pem 1002.pem

Suse11-weblogic:/opt/openssl/root-ca # openssl ca -config root-ca.conf -revoke certs/1002.pem -crl_reason keyCompromise

Using configuration from root-ca.conf

Enter pass phrase for ./private/root-ca.key:

Revoking Certificate 445653541168F375FEA36B60CFBECB71.

Data Base Updated

Suse11-weblogic:/opt/openssl/root-ca # cat db/index

R	270522054003Z	170524072152Z,keyCompromise	445653541168F375FEA36B60CFBECB71	unknown	/C=CN/O=Example/CN=Root CA

Note: as you can see, I copied the original pem certificate file, named the copy 1002.pem, and then revoked the 1002.pem file; in effect the original certificate was revoked. That is, revocation depends on the contents of the file (mainly on the certificate's serial number, which has a corresponding entry in the ./db/index file).

4) create an OCSP signature for the certificate

OCSP is a protocol for checking certificate status online in real time; it supplements the CRL mechanism. Through OCSP, a browser can verify a certificate with the CA in real time.

Because the OCSP responder certificate carries no revocation information, that is, the OCSP certificate itself cannot be revoked, it is recommended to give it a short validity period. 30 days is a reasonably safe value.

1. Generate the CSR of OCSP

Suse11-weblogic:/opt/openssl/root-ca # openssl req -new -newkey rsa:2048 -subj "/C=CN/O=Example/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr

Generating a 2048 bit RSA private key

......+++

......+++

writing new private key to 'private/root-ocsp.key'

Enter PEM pass phrase: [enter key password]

Verifying - Enter PEM pass phrase: [confirm password]

-----

Note: this is a non-CA certificate, so the root CA's configuration file is not used for the request.

2. CA signature to generate the certificate of OCSP

Suse11-weblogic:/opt/openssl/root-ca # openssl ca -config root-ca.conf -in root-ocsp.csr -out root-ocsp.crt -extensions ocsp_ext -days 30

Using configuration from root-ca.conf

Enter pass phrase for ./private/root-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

44:56:53:54:11:68:f3:75:fe:a3:6b:60:cf:be:cb:72

Issuer:

countryName = CN

organizationName = Example

commonName = Root CA

Validity

Not Before: May 24 07:56:24 2017 GMT

Not After: Jun 23 07:56:24 2017 GMT

Subject:

countryName = CN

organizationName = Example

commonName = OCSP Root Responder

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:c2:a9:04:12:56:d2:69:20:4c:28:99:8d:26:89:

e7:e1:f6:53:89:1d:af:82:06:14:f8:e6:ff:71:56:

... (many lines omitted)

de:89

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Authority Key Identifier:

keyid:F4:3C:60:6D:C2:B2:77:57:E0:2D:0C:09:DE:31:C9:A8:2F:1E:AA:9E

X509v3 Basic Constraints: critical

CA:FALSE

X509v3 Extended Key Usage:

OCSP Signing

X509v3 Key Usage: critical

Digital Signature

X509v3 Subject Key Identifier:

03:9E:B5:7E:5F:5C:D8:3A:EF:80:83:87:42:F0:11:CF:56:5E:D9:5C

Certificate is to be certified until Jun 23 07:56:24 2017 GMT (30 days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

3. Start the OCSP responder

You now have everything needed to start the OCSP responder:

Suse11-weblogic:/opt/openssl/root-ca # openssl ocsp -port 9080 -index db/index -rsigner root-ocsp.crt -rkey private/root-ocsp.key -CA root-ca.crt -text

Enter pass phrase for private/root-ocsp.key: [enter key password]

Waiting for OCSP client connections...

Note: the responder is now listening for client requests.

Open a second terminal and run the following command there (or move the responder above to the background). Two terminals are recommended, because the responder prints output when a request arrives.

Suse11-weblogic:/opt/openssl/root-ca # openssl ocsp -issuer root-ca.crt -CAfile root-ca.crt -cert root-ocsp.crt -url http://127.0.0.1:9080

Response verify OK

root-ocsp.crt: good

This Update: May 24 08:05:34 2017 GMT

Note: this command checks the validity of a certificate. The -url at the end is the address of the OCSP responder; here the status of the root-ca.crt certificate is queried. The time on the last line is when the certificate was generated. "Response verify OK" and "good" mean the certificate has not been revoked.

4.2. Create a subordinate CA of the root CA (Creating a Subordinate CA)

The process of creating a subordinate CA largely mirrors that of creating the root CA; it too requires a CRL, OCSP, and so on.

Subordinate CA configuration: create the sub-ca.conf profile

The configuration file is derived from root-ca.conf. The following are the changes; everything else can keep its default.

[default]

name = sub-ca

ocsp_url = http://ocsp.$name.$domain_suffix:9081

[ca_dn]

countryName = "CN"

organizationName = "Example"

commonName = "Sub CA"

[ca_default]

default_days = 365

default_crl_days = 30

copy_extensions = copy

[server_ext]

authorityInfoAccess = @issuer_info

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:false

crlDistributionPoints = @crl_info

extendedKeyUsage = clientAuth,serverAuth

keyUsage = critical,digitalSignature,keyEncipherment

subjectKeyIdentifier = hash

[client_ext]

authorityInfoAccess = @issuer_info

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:false

crlDistributionPoints = @crl_info

extendedKeyUsage = clientAuth

keyUsage = critical,digitalSignature

subjectKeyIdentifier = hash

Note:

1. Here the OCSP port is defined as 9081, distinct from the root CA's 9080. The validity period is set to 365 days and the CRL update interval to 30 days. copy_extensions in the [ca_default] section is set to copy, which means that extensions carried in the CSR (defined via root-ca.conf) that the subordinate CA does not itself set will be copied into the certificate; in other words, you give requesters a limited degree of direct control over the certificate's contents. This is a dangerous setting, but it may be convenient in a small environment.

2. In this configuration file we add two sections, [server_ext] and [client_ext]. The difference between them lies in keyUsage and extendedKeyUsage. Note that we still set the basic constraint basicConstraints, but set it to false. The reason for this is

3. I had not intended to paste it, but for convenience later I had better paste the contents of this file here.

Suse11-weblogic:/opt/openssl/sub-ca # cat sub-ca.conf

[default]

name = sub-ca

domain_suffix = example.com

aia_url = http://$name.$domain_suffix/$name.crt

crl_url = http://$name.$domain_suffix/$name.crl

ocsp_url = http://ocsp.$name.$domain_suffix:9081

default_ca = ca_default

name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]

countryName = "CN"

organizationName = "Example"

commonName = "Sub CA"

[ca_default]

home = .

database = $home/db/index

serial = $home/db/serial

crlnumber = $home/db/crlnumber

certificate = $home/$name.crt

private_key = $home/private/$name.key

RANDFILE = $home/private/random

new_certs_dir = $home/certs

unique_subject = no

copy_extensions = copy

default_days = 365

default_crl_days = 30

default_md = sha256

policy = policy_c_o_match

[policy_c_o_match]

countryName = match

stateOrProvinceName = optional

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[req]

default_bits = 4096

encrypt_key = yes

default_md = sha256

utf8 = yes

string_mask = utf8only

prompt = no

distinguished_name = ca_dn

req_extensions = ca_ext

[ca_ext]

basicConstraints = critical,CA:true

keyUsage = critical,keyCertSign,cRLSign

subjectKeyIdentifier = hash

[sub_ca_ext]

authorityInfoAccess = @issuer_info

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:true,pathlen:0

crlDistributionPoints = @crl_info

extendedKeyUsage = clientAuth,serverAuth

keyUsage = critical,keyCertSign,cRLSign

nameConstraints = @name_constraints

subjectKeyIdentifier = hash

[crl_info]

URI.0 = $crl_url

[issuer_info]

caIssuers;URI.0 = $aia_url

OCSP;URI.0 = $ocsp_url

[name_constraints]

permitted;DNS.0=example.com

permitted;DNS.1=example.org

excluded;IP.0=0.0.0.0/0.0.0.0

excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:false

extendedKeyUsage = OCSPSigning

keyUsage = critical,digitalSignature

subjectKeyIdentifier = hash

[server_ext]

authorityInfoAccess = @issuer_info

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:false

crlDistributionPoints = @crl_info

extendedKeyUsage = clientAuth,serverAuth

keyUsage = critical,digitalSignature,keyEncipherment

subjectKeyIdentifier = hash

[client_ext]

authorityInfoAccess = @issuer_info

authorityKeyIdentifier = keyid:always

basicConstraints = critical,CA:false

crlDistributionPoints = @crl_info

extendedKeyUsage = clientAuth

keyUsage = critical,digitalSignature

subjectKeyIdentifier = hash
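Two parts of this file decide what the subordinate CA will and will not sign: the policy_c_o_match section checked by openssl ca against each request's DN, and the name_constraints that the root CA bakes into the sub-CA certificate via sub_ca_ext. The following added example (my code, not the post's or OpenSSL's) re-implements both checks so they can be tried against sample DNs and SANs; the match/supplied/optional semantics and the RFC 5280 subtree matching are assumptions stated in the docstrings.

```python
"""Re-implementation of the two checks the post's sub-CA configuration
applies to a request: the [policy_c_o_match] DN policy and the
[name_constraints] carried by the sub-CA certificate.

Added example, not code from the original post or from OpenSSL. The
policy semantics (match / supplied / optional) and RFC 5280 subtree
matching are assumed as described in the docstrings below.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# [policy_c_o_match] from sub-ca.conf
POLICY_C_O_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "optional",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}
# Subject of the sub-CA certificate; "match" fields are compared to it.
SUB_CA_DN = {"countryName": "CN", "organizationName": "Example", "commonName": "Sub CA"}
# [name_constraints] from sub_ca_ext, with the IP masks written as CIDR.
PERMITTED = {"DNS": ["example.com", "example.org"]}
EXCLUDED = {"IP": ["0.0.0.0/0", "::/0"]}


class PolicyError(ValueError):
    """The request violates the CA policy; openssl ca would refuse it."""


def apply_policy(policy, ca_dn, request_dn) -> Dict[str, str]:
    """Return the subject the CA would issue, or raise PolicyError.

    match:    field must be present and equal to the CA's own value
    supplied: field must be present, any value
    optional: field may be absent
    Fields the policy does not mention are dropped from the issued
    subject (assumed to mirror openssl ca, which builds the subject
    from the policy's fields only).
    """
    issued = {}
    for attr, rule in policy.items():
        value = request_dn.get(attr)
        if rule == "match":
            if attr not in ca_dn:
                raise PolicyError(f"{attr} missing from CA cert; policy misconfigured")
            if value != ca_dn[attr]:
                raise PolicyError(f"{attr}: request {value!r} != CA {ca_dn[attr]!r}")
        elif rule == "supplied":
            if value is None:
                raise PolicyError(f"{attr} must be supplied")
        elif rule != "optional":
            raise PolicyError(f"{attr}: unknown rule {rule!r}")
        if value is not None:
            issued[attr] = value
    return issued


def policy_violation(policy, ca_dn, request_dn) -> Optional[str]:
    """Same check, reported as a message instead of an exception."""
    try:
        apply_policy(policy, ca_dn, request_dn)
    except PolicyError as err:
        return str(err)
    return None


def _dns_in_subtree(name: str, base: str) -> bool:
    """'example.com' covers example.com and every subdomain, but not
    evilexample.com (RFC 5280 4.2.1.10)."""
    name, base = name.lower().rstrip("."), base.lower().strip(".")
    return name == base or name.endswith("." + base)


def _ip_in_subtree(addr: str, cidr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # unparsable address never matches
        return False


def rejected_names(sans: List[Tuple[str, str]], permitted, excluded) -> List[str]:
    """Return the SAN entries this sub-CA may not certify. A name passes
    when it lies in no excluded subtree and, if permitted subtrees of
    its type exist, in at least one of them."""
    matchers = {"DNS": _dns_in_subtree, "IP": _ip_in_subtree}
    rejected = []
    for kind, value in sans:
        match = matchers.get(kind)
        in_excluded = match and any(match(value, s) for s in excluded.get(kind, []))
        allowed = permitted.get(kind, [])
        in_permitted = match and (not allowed or any(match(value, s) for s in allowed))
        if match is None or in_excluded or not in_permitted:
            rejected.append(f"{kind}:{value}")  # unknown types are rejected too
    return rejected
```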

Well, the fun finally begins, and the process of creating a new ROOT CA subordinate CA can be divided into the following steps:

1. Configure and create a directory structure

2. Initialize the key file and CSR

3. Generate a certificate

4.2.1. Create the directory structure of subordinate CA

Suse11-weblogic:/opt/openssl # mkdir sub-ca

Suse11-weblogic:/opt/openssl # cd sub-ca

Suse11-weblogic:/opt/openssl/sub-ca # mkdir certs db private

Suse11-weblogic:/opt/openssl/sub-ca # chmod 700 private/

Suse11-weblogic:/opt/openssl/sub-ca # touch db/index

Suse11-weblogic:/opt/openssl/sub-ca # openssl rand -hex 16 > db/serial

Suse11-weblogic:/opt/openssl/sub-ca # echo 1001 > db/crlnumber

Suse11-weblogic:/opt/openssl/sub-ca # cp ../root-ca/root-ca.conf ./sub-ca.conf

Suse11-weblogic:/opt/openssl/sub-ca # vim sub-ca.conf [modify or add the above needed changes, save and exit]

Note:

1. The certs directory is used to store certificates.

2. The db directory is used as a certificate database to record the number of certificates and CRL

3. The private directory is used to store keys.

4.2.2. Generate the key and CSR

Suse11-weblogic:/opt/openssl/sub-ca # openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key

Generating a 4096 bit RSA private key

......+++

......+++

writing new private key to 'private/sub-ca.key'

Enter PEM pass phrase: [enter key password here]

Verifying - Enter PEM pass phrase: [enter password again]

-----

Suse11-weblogic:/opt/openssl/sub-ca #

4.2.3. The root CA signs the CSR and issues the certificate

Note: the root CA generated earlier is used here to sign this subordinate CA; make sure you understand this relationship.

Suse11-weblogic:/opt/openssl/sub-ca # cd ../root-ca

Suse11-weblogic:/opt/openssl/root-ca # openssl ca -config ../root-ca/root-ca.conf -in ../sub-ca/sub-ca.csr -out ../sub-ca/sub-ca.crt -extensions sub_ca_ext

Using configuration from ../root-ca/root-ca.conf

Enter pass phrase for ./private/root-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

44:56:53:54:11:68:f3:75:fe:a3:6b:60:cf:be:cb:73

Issuer:

countryName = CN

organizationName = Example

commonName = Root CA

Validity

Not Before: May 24 08:59:04 2017 GMT

Not After: May 22 08:59:04 2027 GMT

Subject:

countryName = CN

organizationName = Example

commonName = Sub CA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:dd:3b:99:b1:d8:c7:a7:d3:54:0c:09:62:a2:e4:

2e:ba:45:2e:9c:b3:3a:9e:ff:a5:a7:59:1d:9b:4b:

... (about 40 lines omitted)

Exponent: 65537 (0x10001)

X509v3 extensions:

Authority Information Access:

CA Issuers - URI:http://root-ca.example.com/root-ca.crt

OCSP - URI:http://ocsp.root-ca.example.com:9080

X509v3 Authority Key Identifier:

keyid:F4:3C:60:6D:C2:B2:77:57:E0:2D:0C:09:DE:31:C9:A8:2F:1E:AA:9E

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0

X509v3 CRL Distribution Points:

Full Name:

URI: http://root-ca.example.com/root-ca.crl

X509v3 Extended Key Usage:

TLS Web Client Authentication, TLS Web Server Authentication

X509v3 Key Usage: critical

Certificate Sign, CRL Sign

X509v3 Name Constraints:

Permitted:

DNS:example.com

DNS:example.org

Excluded:

IP:0.0.0.0/0.0.0.0

IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

X509v3 Subject Key Identifier:

C4:1F:0C:07:47:F7:AA:DF:21:75:CD:4B:20:AF:5C:94:13:B0:E9:70

Certificate is to be certified until May 22 08:59:04 2027 GMT (3650 days)

Sign the certificate? [y/n]: y [confirmation required]

1 out of 1 certificate requests certified, commit? [y/n] y [confirmation required]

Write out database with 1 new entries

Data Base Updated

Note:

1. Here the root CA issues a certificate to the subordinate CA, officially declaring that the subordinate CA may exist on its own and issue certificates to other companies. The certificate chain is now 2 levels deep.

2. The OCSP responder for this CA has not been started yet; the start-up command is the same as the one shown for the root CA above.

4.3. The subordinate CA issues certificates to companies or individuals

In real-world certificate issuance, the root CA is not used to issue certificates to the companies or individuals that apply for them; a subordinate CA (a second- or third-level CA) issues them instead. The reason is mainly security, which I believe you can understand.

4.3.1. Issue a certificate to a company server

Suse11-weblogic:/opt/openssl/sub-ca # openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext

Note: you are already familiar with the command format for certificate generation. For server certificates, the extensions in the [server_ext] section are used to restrict them.

4.3.2. Issue a certificate to an individual client (usually a browser)

Suse11-weblogic:/opt/openssl/sub-ca # openssl ca -config sub-ca.conf -in client.csr -out client.crt -extensions client_ext

Note: you are already familiar with the command format for certificate generation. For client certificates, the extensions in the [client_ext] section are used to restrict them.

5. Compile and install the latest version of HTTPD

5.1. Download the required dependent software packages

Dependencies:

1. apr-1.5.2.tar.gz; download link: http://apr.apache.org/download.cgi

2. apr-util-1.5.4.tar.gz; download link: http://apr.apache.org/download.cgi

3. pcre2-10.23.tar.gz; download link: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/

Download the httpd package and install the web service

Downloaded version: httpd-2.4.25.tar.gz

Download link: http://httpd.apache.org/download.cgi#apache24

Following the instructions on the official website, we install apr, apr-util and the other dependencies into the directory httpd was unpacked into.

NTP-slave:~/soft # tar -zxvf httpd-2.4.25.tar.gz

NTP-slave:~/soft # tar -zxvf 1-apr-1.5.2.tar.gz -C /root/soft/httpd-2.4.25/srclib/

NTP-slave:~/soft # cd /root/soft/httpd-2.4.25/srclib/apr-1.5.2

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # ./configure --prefix=/usr/local/apr

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # make

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # make install

NTP-slave:~/soft # tar -zxvf 2-apr-util-1.5.4.tar.gz -C /root/soft/httpd-2.4.25/srclib/

NTP-slave:~/soft # cd /root/soft/httpd-2.4.25/srclib/apr-util-1.5.4

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/bin/apr-1-config

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # make

NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # make install

NTP-slave:~/soft # tar -zxvf 3--pcre2-10.23.tar.gz

NTP-slave:~/soft # cd pcre2-10.23/

NTP-slave:~/soft/pcre2-10.23 # ./configure --prefix=/usr/local/pcre

NTP-slave:~/soft/pcre2-10.23 # make

NTP-slave:~/soft/pcre2-10.23 # make install

Add the SSL module when compiling httpd. If you are not sure what the options should look like, run this command to check:

NTP-slave:~/soft/httpd-2.4.25 # ./configure --help | grep ssl

NTP-slave:~/soft/httpd-2.4.25 # ./configure --prefix=/usr/local/httpd --enable-so --enable-ssl --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre/bin/pcre2-config

While running this, an error occurred: checking for OpenSSL version >= 0.9.8a... FAILED. This is rather embarrassing. Fortunately we have already installed OpenSSL once, so we quickly install the new version by the earlier method (the steps are not repeated here); this time openssl is installed under /usr/local.

NTP-slave:~/soft/httpd-2.4.25 # ./configure --prefix=/usr/local/httpd --enable-so --enable-ssl --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre/bin/pcre2-config --with-ssl=/usr/local/openssl

NTP-slave:~/soft/httpd-2.4.25 # make

Then the following error was reported:

util_pcre.c:49:18: error: pcre.h: No such file or directory

pcre-devel needs to be installed here, but the SLES system does not have this package (I searched for it for a long time), so the only option is the second approach: after downgrading pcre to pcre-8.40 the problem goes away naturally. Users of other systems can install pcre-devel directly to solve it.

After installing it, we continue.

NTP-slave:~/soft/httpd-2.4.25 # ./configure --prefix=/usr/local/httpd --enable-so --enable-ssl --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre --with-ssl=/usr/local/openssl

NTP-slave:~/soft/httpd-2.4.25 # make

Here make failed yet again, which was frankly unbearable after so many problems. The error is as follows:

/root/soft/httpd-2.4.25/support/ab.c:2468: undefined reference to `CRYPTO_malloc_init'

/root/soft/httpd-2.4.25/support/ab.c:2398: undefined reference to `SSLv2_client_method'

A search online said that the openssl version is incompatible. Fine: the two latest releases are incompatible, which is understandable, so let's install a lower version and see. Having got this far, finding mutually compatible versions of all these packages really is a problem (a business opportunity, even): the latest pcre has a problem, and the latest openssl has a problem too. I wondered whether to keep those two versions unchanged and use a lower httpd version instead. In the end our openssl version was changed to a lower one.

Note: apache 2.4.x series and openssl 1.1.x series are not compatible

Here are the results of my attempts [all failed]:

NTP-slave:/usr/local/openssl/lib # openssl version

OpenSSL 1.0.2l  25 May 2017

NTP-slave:~/soft/httpd-2.4.25 # openssl version

OpenSSL 1.0.2h  3 May 2016

NTP-slave:/usr/local/openssl/lib # openssl version

OpenSSL 1.0.2  22 Jan 2015

NTP-slave:/usr/local/openssl/lib # openssl version

OpenSSL 1.0.1  14 Mar 2012

Only later did I realise that these versions should all have been fine: since the problem first appeared I had never run make clean to clear the cache, and that was the cause. After make clean removed the files left over from the previous make, and after switching to the downgraded openssl-1.0.2j.tar.gz, that problem was solved, leaving the following error:

/usr/lib64/gcc/x86_64-suse-linux/4.3/../x86_64-suse-linux/bin/ld: /usr/local/openssl/lib/libssl.a(s3_srvr.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC

As you can see, this is again an openssl problem. Embarrassingly, -fPIC was missing when openssl was compiled. At first I thought it was an httpd problem and recompiled httpd for several days without solving it; later I realised it was still openssl. We recompile and install openssl with the -fPIC parameter:

NTP-slave:~/soft/openssl-1.0.2j # ./config -fPIC --prefix=/usr/local/openssl --openssldir=/usr/local/openssl enable-ec_nistp_64_gcc_128

NTP-slave:~/soft/openssl-1.0.2j # make

NTP-slave:~/soft/openssl-1.0.2j # make install

Perfect solution!

With regard to this-fPIC parameter, it acts during the compilation phase, telling the compiler to generate location-independent code (Position-Independent Code), and the resulting code has no absolute address, all using relative addresses, so the code can be loaded into any location in memory by the loader and executed correctly. This is exactly what the shared library requires. When the shared library is loaded, the location in memory is not fixed. With regard to this parameter, I still do not understand, record it first, and then have the opportunity to study it carefully later.

After recompiling and installing openssl, we go to the unzipped directory of httpd, recompile and execute the installation smoothly without error.

Summary of the order of steps:

1. Openssl needs to be reinstalled. Pay attention to version requirements and compilation parameters.

2. Apr,apr-util,pcre and so on can follow the correct requirements mentioned above.

3. Execute the correct compilation and installation of httpd

5.3. Use the SSL module to enable https in httpd

1. Create a directory for the key and certificate under the httpd directory, and generate the key and certificate in it.

NTP-slave:/usr/local/httpd # mkdir openssl

NTP-slave:/usr/local/httpd/openssl # openssl genrsa -aes128 -out fd.key 2048

NTP-slave:/usr/local/httpd/openssl # openssl req -new -key fd.key -out fd.csr

NTP-slave:/usr/local/httpd/openssl # openssl x509 -req -days 3650 -in fd.csr -signkey fd.key -out fd.crt

2. Edit the configuration file: / usr/local/httpd/conf/extra/httpd-ssl.conf, and make a backup first.

Line 36 of the file: Listen 443 # defines the encrypted port; the default is 443.

Line 80: SSLProtocol all -SSLv3 # defines the protocols: everything except SSLv3, which in practice means only TLSv1 and above are supported.

122

123

124 # General setup for the virtual host

125 DocumentRoot "/usr/local/httpd/htdocs/ssl"

126 ServerName "www.watchmenhttps.com"

127 ServerAdmin "568100840@qq.com"

128 ErrorLog "/usr/local/httpd/logs/error_log"

129 TransferLog "/usr/local/httpd/logs/access_log"

130

131 # SSL Engine Switch:

132 # Enable/Disable SSL for this virtual host.

133 SSLEngine on

Line 145 of the file: SSLCertificateFile "/usr/local/httpd/conf/server.crt" # defines the certificate path; we change it to our certificate path:

146 SSLCertificateFile "/usr/local/httpd/openssl/fd.crt"

Line 156 of the file: #SSLCertificateKeyFile "/usr/local/httpd/conf/server.key" # defines the private key path; we change it to our key path:

157 SSLCertificateKeyFile "/usr/local/httpd/openssl/fd.key"

3. Edit the configuration file /usr/local/httpd/conf/httpd.conf (make a backup first).

52 Listen 80 # the port defaults to 80; we keep it unchanged.

131 LoadModule ssl_module modules/mod_ssl.so # uncomment line 131

192 #ServerName www.example.com:80 # we still need to define the domain name used for http access:

193 ServerName www.watchmen.com

493 Include conf/extra/httpd-ssl.conf # uncomment line 493

4. Start the service and check the result. Now comes the examination: after studying for so long, we have to take a test.

NTP-slave:/usr/local/httpd/conf # /usr/local/httpd/bin/apachectl restart

The following error occurred at this point:

AH00526: Syntax error on line 93 of /usr/local/httpd/conf/extra/httpd-ssl.conf:

SSLSessionCache: 'shmcb' session cache not supported (known names:). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)

Solution: open httpd.conf, find LoadModule socache_shmcb_module modules/mod_socache_shmcb.so, and remove the previous comments.

88 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

NTP-slave:/usr/local/httpd/conf # /usr/local/httpd/bin/apachectl restart

httpd not running, trying to start

Apache/2.4.25 mod_ssl (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Private key www.watchmenhttps.com:443:0 (/usr/local/httpd/openssl/fd.key)

Enter pass phrase:

OK: Pass Phrase Dialog successful.

Let's test it (Note: you need to add the mapping from IP to domain name in the local hosts file in advance):

1. The first is http

2. Then https

6. Quick configuration

This section extracts the core commands, from the OpenSSL installation through certificate generation to the httpd-related configuration, from the material above so they can be run quickly. For simplicity, the quick configuration generates the certificate directly and uses the root CA as the issuer; no subordinate CA is used here, but readers can use a subordinate CA to issue certificates when simulating a real environment.

1. OpenSSL installation

Installed version: openssl-1.0.2j.tar.gz, download link: http://www.openssl.org/source

Please check the server time first to avoid installation failures (I hope not many people are like me). Note that for the httpd-2.4.x series the openssl version must be downgraded; openssl-1.0.2j is used as the example here.

NTP-slave:~/soft # tar -zxvf openssl-1.0.2j.tar.gz

NTP-slave:~/soft # cd openssl-1.0.2j/

NTP-slave:~/soft/openssl-1.0.2j # ./config -fPIC --prefix=/usr/local/openssl --openssldir=/usr/local/openssl enable-ec_nistp_64_gcc_128

NTP-slave:~/soft/openssl-1.0.2j # make

NTP-slave:~/soft/openssl-1.0.2j # make install

NTP-slave:~/soft/openssl-1.0.2j # ln -s /usr/local/openssl/lib/libcrypto.a /usr/lib64/libcrypto.a

NTP-slave:~/soft/openssl-1.0.2j # ln -s /usr/local/openssl/lib/libssl.a /usr/lib64/libssl.a

Suse11-weblogic:~ # vim /etc/profile

export PATH=/opt/openssl/bin:$PATH [add this line at the end of the file, then save and exit]

Suse11-weblogic:~ # source /etc/profile

2. Generate the key and CSR

Suse11-weblogic:~/wxh # openssl genrsa -aes128 -out fd.key 2048

Suse11-weblogic:~/wxh # openssl req -new -key fd.key -out fd.csr

Enter pass phrase for fd.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]: CN

State or Province Name (full name) [Some-State]: BJ

Locality Name (eg, city) []: BJ

Organization Name (eg, company) [Internet Widgits Pty Ltd]: PICC

Organizational Unit Name (eg, section) []: PICC

Common Name (e.g. Server FQDN or YOUR name) []: www.watchmen.com

[Note: the FQDN entered here must be the actual domain name the client uses to access the server, so pay attention to this; for example, for Baidu it would be www.baidu.com. No advertising for 51 intended, this is only for testing.]

Email Address []: 568100840@qq.com

Please enter the following 'extra' attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

An additional, optional step: extract the public key from the private key

Suse11-weblogic:~/wxh # openssl rsa -in fd.key -pubout -out fd-public.key

3. Certificate generation

1. Instead of creating a ROOT CA, generate a certificate directly (for quick configuration, this method is recommended)

Suse11-weblogic:~/wxh # openssl x509 -req -days 3650 -in fd.csr -signkey fd.key -out fd.crt

Signature ok

subject=C = CN, ST = BJ, L = BJ, O = PICC, OU = PICC, CN = www.watchmen.com, emailAddress = 568100840@qq.com

Getting Private key

Enter pass phrase for fd.key: [enter the key password here]

Note: valid for 3650 days, i.e. 10 years; nothing more to say, see the command.

2. Create a CA and issue a certificate using CA signature

Execution order:

1. Create the root CA directory structure and write root-ca.conf

2. Generate the private key and CSR, then sign and issue a certificate to yourself, making yourself a CA.

3. Sign and issue certificates for the above CSR.

1) create a root-ca.conf

Suse11-weblogic:~/wxh # mkdir root-ca

Suse11-weblogic:~/wxh # cd root-ca

Suse11-weblogic:~/wxh/root-ca # mkdir certs db private

Suse11-weblogic:~/wxh/root-ca # chmod 700 private/

Suse11-weblogic:~/wxh/root-ca # touch db/index

Suse11-weblogic:~/wxh/root-ca # openssl rand -hex 16 > db/serial

Suse11-weblogic:~/wxh/root-ca # echo 1001 > db/crlnumber

Suse11-weblogic:~/wxh/root-ca # vim root-ca.conf [enter the following, save and exit]

[default]

Name = root-ca

Domain_suffix = picc.com

Aia_url = http://$name.$domain_suffix/$name.crt

Crl_url = http://$name.$domain_suffix/$name.crl

Ocsp_url = http://ocsp.$name.$domain_suffix:9080

Default_ca = ca_default

Name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]

CountryName = "CN"

OrganizationName = "PICC"

CommonName = "Root CA

[ca_default]

Home = / root/wxh/root-ca

Database = $home/db/index

Serial = $home/db/serial

Crlnumber = $home/db/crlnumber

Certificate = $home/$name.crt

Private_key = $home/private/$name.key

RANDFILE = $home/private/random

New_certs_dir = $home/certs

Unique_subject = no

Copy_extensions = none

Default_days = 3650

Default_crl_days = 365

Default_md = sha256

Policy = policy_c_o_match

[policy_c_o_match]

CountryName = match

StateOrProvinceName = optional

OrganizationName = match

OrganizationalUnitName = optional

CommonName = supplied

EmailAddress = optional

[req]

Default_bits = 4096

Encrypt_key = yes

Default_md = sha256

Utf8 = yes

String_mask = utf8only

Prompt = no

Distinguished_name = ca_dn

Req_extensions = ca_ext

[ca_ext]

BasicConstraints = critical,CA:true

KeyUsage = critical,keyCertSign,cRLSign

SubjectKeyIdentifier = hash

[sub_ca_ext]

AuthorityInfoAccess = @ issuer_info

AuthorityKeyIdentifier = keyid:always

BasicConstraints = critical,CA:true,pathlen:0

CrlDistributionPoints = @ crl_info

ExtendedKeyUsage = clientAuth,serverAuth

KeyUsage = critical,keyCertSign,cRLSign

NameConstraints = @ name_constraints

SubjectKeyIdentifier = hash

[crl_info]

URI.0 = $crl_url

[issuer_info]

CaIssuers;URI.0 = $aia_url

OCSP;URI.0 = $ocsp_url

[name_constraints]

Permitted;DNS.0=picc.com

Permitted;DNS.1=picc.org

Excluded;IP.0=0.0.0.0/0.0.0.0

Excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]

AuthorityKeyIdentifier = keyid:always

BasicConstraints = critical,CA:false

ExtendedKeyUsage = OCSPSigning

KeyUsage = critical,digitalSignature

SubjectKeyIdentifier = hash
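The [name_constraints] section is what actually limits a subordinate CA signed with sub_ca_ext. As an added example (not part of the original post), the following Python evaluates those exact entries against candidate subjectAltName values using the RFC 5280 matching rules; the constraint constants are copied from the config above and the sample SANs are constructed.

```python
"""Evaluate the [name_constraints] entries from root-ca.conf (RFC 5280 4.2.1.10).

Added example, not part of the original post: which subjectAltName entries a
sub-CA limited by the page's constraints could validly issue for."""
import ipaddress

# The constraints exactly as written in the page's [name_constraints] section.
PERMITTED_DNS = ["picc.com", "picc.org"]
EXCLUDED_IP = ["0.0.0.0/0.0.0.0", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"]


def dns_matches(name: str, constraint: str) -> bool:
    """A DNS name satisfies a constraint when it equals it or is formed by adding
    labels on the left, i.e. is a subdomain (comparison is case-insensitive)."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def ip_matches(addr: str, constraint: str) -> bool:
    """IP constraints are 'address/mask' with a full netmask; the test is
    (ip AND mask) == (address AND mask), so an all-zero mask matches everything."""
    base, mask = (ipaddress.ip_address(p) for p in constraint.split("/"))
    ip = ipaddress.ip_address(addr)
    return ip.version == base.version and int(ip) & int(mask) == int(base) & int(mask)


def san_allowed(kind: str, value: str) -> bool:
    """True if a subjectAltName entry passes the page's constraints: excluded
    subtrees always win, and a name type with a permitted list must match one
    of its entries. Name types with no constraints (email, URI) are unrestricted."""
    if kind == "IP":
        return not any(ip_matches(value, c) for c in EXCLUDED_IP)
    if kind == "DNS":
        return any(dns_matches(value, c) for c in PERMITTED_DNS)
    return True


def check_san_list(sans) -> dict:
    """Classify (type, value) SAN entries; returns {'TYPE:value': allowed}."""
    return {f"{k}:{v}": san_allowed(k, v) for k, v in sans}


if __name__ == "__main__":
    # Constructed sample SANs a sub-CA might be asked to certify.
    sample = [("DNS", "www.picc.com"), ("DNS", "picc.org"), ("DNS", "picc.com.evil.example"),
              ("DNS", "www.watchmen.com"), ("IP", "10.0.0.5"), ("IP", "2001:db8::1")]
    for entry, ok in check_san_list(sample).items():
        print("allowed " if ok else "rejected", entry)
```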

2) Generate the private key and CSR, then self-sign the root certificate

Suse11-weblogic:~/wxh/root-ca # openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
Suse11-weblogic:~/wxh/root-ca # openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

3) Sign the CSR generated earlier (fd.csr, one directory up) with the root CA

Suse11-weblogic:~/wxh/root-ca # openssl ca -config root-ca.conf -in ../fd.csr -out ../fd.crt

4. Install httpd and enable HTTPS

1. Configure the Web server that ships with the system

NTP-slave:~ # zypper in apache*
NTP-slave:~ # cd /etc/apache2/
NTP-slave:/etc/apache2 # cd vhosts.d/
NTP-slave:/etc/apache2/vhosts.d # cp vhost-ssl.template watchmenvhost.conf
NTP-slave:/etc/apache2/vhosts.d # vim watchmenvhost.conf

The important parts of the modified file are as follows [only the relevant excerpts are shown]:

# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
#ServerName www.example.com:443
ServerName www.watchmen2.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
SSLProtocol all -SSLv2 -SSLv3

SSLCertificateFile /etc/apache2/openssl/fd2.crt
SSLCertificateKeyFile /etc/apache2/openssl/fd.key

Enable SSL in the Apache startup flags

NTP-slave:/etc/apache2/vhosts.d # vim /etc/sysconfig/apache2

133 #APACHE_SERVER_FLAGS=""
134 APACHE_SERVER_FLAGS="-D SSL"
213 #APACHE_START_TIMEOUT="2"
214 APACHE_START_TIMEOUT="10"

Start the service

NTP-slave:/etc/apache2/vhosts.d # /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)                done
Starting httpd2 (prefork) Apache/2.2.12 mod_ssl/2.2.12 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.watchmen2.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
                                                                             done
NTP-slave:/etc/apache2/vhosts.d #

Now visit https://www.watchmen.com/ and https://www.watchmen2.com/ in turn.

We find an interesting phenomenon: the first URL opens normally, but when we visit the second URL the browser warns us "your connection is not secure", as shown in the following figures:

[Figures 1 and 2: browser screenshots, not reproduced]

This is because the name given when the certificate was requested was www.watchmen.com, not www.watchmen2.com, so the certificate does not match the host name the browser connected to.
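The warning above is the browser's host-name check failing. The following Python (an added example, not from the original post) reproduces that check over certificate dicts in the layout Python's ssl.getpeercert() returns; the two certificates are constructed stand-ins for fd.crt and for a certificate issued for www.watchmen2.com with a subjectAltName, and the allow_cn_fallback switch is this example's own.

```python
"""Why https://www.watchmen2.com/ shows "your connection is not secure".

Added example, not from the original post: the host-name check a TLS client runs
against the server certificate (RFC 6125), over dicts shaped like ssl.getpeercert()."""


def cert_dns_names(cert: dict) -> list:
    """Names the certificate is valid for. dNSName SAN entries are authoritative;
    commonName is only a legacy fallback when there is no dNSName SAN, and current
    browsers skip that fallback and reject such certificates outright."""
    dns = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label comparison; '*' is honoured only as the entire leftmost
    label, matches exactly one label, and needs at least two further labels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_verified(cert: dict, hostname: str, allow_cn_fallback: bool = True) -> bool:
    """True if the certificate is acceptable for the host the client connected to.
    allow_cn_fallback=False models current browsers, which require a SAN."""
    has_san = any(t == "DNS" for t, _ in cert.get("subjectAltName", ()))
    if not has_san and not allow_cn_fallback:
        return False
    return any(dns_name_matches(n, hostname) for n in cert_dns_names(cert))


# Constructed stand-in for the page's fd.crt: requested for www.watchmen.com, no SAN.
FD_CRT = {"subject": ((("countryName", "CN"),), (("commonName", "www.watchmen.com"),))}
# Constructed certificate as it should be issued today: names in subjectAltName.
FD2_CRT = {"subject": ((("commonName", "www.watchmen2.com"),),),
           "subjectAltName": (("DNS", "www.watchmen2.com"), ("DNS", "watchmen2.com"))}

if __name__ == "__main__":
    for cert, host in [(FD_CRT, "www.watchmen.com"), (FD_CRT, "www.watchmen2.com"),
                       (FD2_CRT, "www.watchmen2.com"), (FD2_CRT, "www.watchmen.com")]:
        legacy = hostname_verified(cert, host)
        strict = hostname_verified(cert, host, allow_cn_fallback=False)
        print(f"{host:18} legacy_cn_fallback={legacy!s:5} modern_browser={strict}")
```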

2. Install httpd from source and configure it

1) Download the required dependency packages:

1. apr-1.5.2.tar.gz; download link: http://apr.apache.org/download.cgi
2. apr-util-1.5.4.tar.gz; download link: http://apr.apache.org/download.cgi
3. pcre2-10.23.tar.gz; download link: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/

2) Download the httpd package and install the Web service

Download version: httpd-2.4.25.tar.gz
Download link: http://httpd.apache.org/download.cgi#apache24

Note: apr and apr-util are extracted into the srclib/ directory of the unpacked httpd source tree.

NTP-slave:~/soft # tar -zxvf httpd-2.4.25.tar.gz
NTP-slave:~/soft # tar -zxvf 1-apr-1.5.2.tar.gz -C /root/soft/httpd-2.4.25/srclib/
NTP-slave:~/soft # cd /root/soft/httpd-2.4.25/srclib/apr-1.5.2
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # ./configure --prefix=/usr/local/apr
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # make
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-1.5.2 # make install

NTP-slave:~/soft # tar -zxvf 2-apr-util-1.5.4.tar.gz -C /root/soft/httpd-2.4.25/srclib/
NTP-slave:~/soft # cd /root/soft/httpd-2.4.25/srclib/apr-util-1.5.4
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/bin/apr-1-config
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # make
NTP-slave:~/soft/httpd-2.4.25/srclib/apr-util-1.5.4 # make install

NTP-slave:~/soft # tar -zxvf 3--pcre-8.40.tar.gz
NTP-slave:~/soft # cd pcre-8.40/
NTP-slave:~/soft/pcre-8.40 # ./configure --prefix=/usr/local/pcre
NTP-slave:~/soft/pcre-8.40 # make
NTP-slave:~/soft/pcre-8.40 # make install

Enable the SSL module when compiling httpd. If you are unsure of the option names, list them with:

NTP-slave:~/soft/httpd-2.4.25 # ./configure --help | grep ssl

NTP-slave:~/soft/httpd-2.4.25 # ./configure --prefix=/usr/local/httpd --enable-so --enable-ssl --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/ --with-pcre=/usr/local/pcre --with-ssl=/usr/local/openssl
NTP-slave:~/soft/httpd-2.4.25 # make
NTP-slave:~/soft/httpd-2.4.25 # make install

3. Use the SSL module to enable HTTPS in httpd

1. Create a directory for the key and certificate under the httpd directory and generate them there.

NTP-slave:/usr/local/httpd # mkdir openssl
NTP-slave:/usr/local/httpd/openssl # openssl genrsa -aes128 -out fd.key 2048
NTP-slave:/usr/local/httpd/openssl # openssl req -new -key fd.key -out fd.csr
NTP-slave:/usr/local/httpd/openssl # openssl x509 -req -days 3650 -in fd.csr -signkey fd.key -out fd.crt

2. Edit the configuration file /usr/local/httpd/conf/extra/httpd-ssl.conf (back it up first). The relevant lines, with their line numbers in the file:

36  Listen 443                    # the HTTPS port; the default is 443
80  SSLProtocol all -SSLv3        # every protocol except SSLv3, which in practice means only TLSv1 and above

124 # General setup for the virtual host
125 DocumentRoot "/usr/local/httpd/htdocs/ssl"
126 ServerName "www.watchmenhttps.com"
127 ServerAdmin "568100840@qq.com"
128 ErrorLog "/usr/local/httpd/logs/error_log"
129 TransferLog "/usr/local/httpd/logs/access_log"

131 # SSL Engine Switch:
132 # Enable/Disable SSL for this virtual host.
133 SSLEngine on

145 #SSLCertificateFile "/usr/local/httpd/conf/server.crt"       # the default certificate path, commented out
146 SSLCertificateFile "/usr/local/httpd/openssl/fd.crt"         # replaced with the path to our certificate
156 #SSLCertificateKeyFile "/usr/local/httpd/conf/server.key"    # the default key path, commented out
157 SSLCertificateKeyFile "/usr/local/httpd/openssl/fd.key"      # replaced with the path to our key
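Both configurations on this page restrict protocol versions with SSLProtocol: "all -SSLv2 -SSLv3" in the Apache 2.2 vhost earlier and "all -SSLv3" on line 80 of httpd-ssl.conf above. The following Python (an added example, not from the original post) resolves such a directive into the versions it really enables under mod_ssl's +/-/bare-token rules and flags those that are deprecated today; the per-branch protocol tables are assumptions matching the builds on the page.

```python
"""Resolve an Apache mod_ssl SSLProtocol directive into the versions it really enables.

Added example, not from the original post. It covers both directives on this page:
"SSLProtocol all -SSLv2 -SSLv3" (SUSE Apache 2.2 vhost) and "SSLProtocol all -SSLv3"
(httpd 2.4.25's httpd-ssl.conf)."""

# What "all" expands to per mod_ssl branch (assumed: 2.2 as on the page's 2.2.12 build,
# 2.4 with OpenSSL 1.0.x, 2.4.37+ with OpenSSL 1.1.1). List order = preference order.
SUPPORTED = {
    "2.2": ["SSLv2", "SSLv3", "TLSv1"],
    "2.4": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "2.4.37+": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
}
# Versions that must no longer be offered (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def resolve_sslprotocol(directive: str, branch: str = "2.4") -> list:
    """mod_ssl's rules: '+X' adds X, '-X' removes X, and a bare token replaces the
    whole set (mod_ssl warns about a missing +/- in that case). Names are
    case-insensitive. Returns the enabled versions in preference order."""
    supported = SUPPORTED[branch]
    canon = {p.lower(): p for p in supported}
    _, *tokens = directive.split()          # drop the directive name itself
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = set(supported)
        elif name.lower() in canon:
            names = {canon[name.lower()]}
        else:
            raise ValueError(f"{name}: not a protocol mod_ssl {branch} knows")
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = names
    return [p for p in supported if p in enabled]


def audit(directive: str, branch: str = "2.4") -> dict:
    """Summarise what the directive enables and which of those versions are deprecated."""
    enabled = resolve_sslprotocol(directive, branch)
    return {"enabled": enabled, "weak": [p for p in enabled if p in DEPRECATED]}


if __name__ == "__main__":
    print("2.2 vhost  :", audit("SSLProtocol all -SSLv2 -SSLv3", "2.2"))
    print("2.4.25 ssl :", audit("SSLProtocol all -SSLv3", "2.4"))
    print("hardened   :", audit("SSLProtocol -all +TLSv1.2 +TLSv1.3", "2.4.37+"))
```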

3. Edit the configuration file /usr/local/httpd/conf/httpd.conf (back it up first). The relevant lines:

52  Listen 80                                                      # the HTTP port stays at the default of 80
88  LoadModule socache_shmcb_module modules/mod_socache_shmcb.so   # uncomment line 88
131 LoadModule ssl_module modules/mod_ssl.so                       # uncomment line 131
192 #ServerName www.example.com:80                                 # the ServerName for plain http still has to be defined
193 ServerName www.watchmen.com
493 Include conf/extra/httpd-ssl.conf                              # uncomment line 493

4. Start the service

NTP-slave:/usr/local/httpd/conf # /usr/local/httpd/bin/apachectl start
httpd not running, trying to start
Apache/2.4.25 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Private key www.watchmenhttps.com:443:0 (/usr/local/httpd/openssl/fd.key)
Enter pass phrase:
OK: Pass Phrase Dialog successful.

End:
