method one:
Create a root certificate with the OPENSSL tool, and use it as a signature to generate a corresponding certificate.
1) Modify some configuration files of CA
vi /etc/pki/tls/openssl.cnf:
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optionalNo need to modify it, just take a look, [ policy_match ]the matching rules set in , it is possible that because the tools used in the certificate are different, even if the csr appears to have the same countryName, stateOrProvinceName, etc., but the certificate is still generated in the end The error report is the rule that the certificate and CA must match.
2) Generate root key
# cd /etc/pki/CA/Create two initial files in the CA directory:# touch index.txt serial # echo 01 > serial# openssl genrsa -out private/cakey.pem 2048
2) Generate root certificate
Use the req command to generate a self-signed certificate:
# openssl req -new -x509-days 36500 -key private/cakey.pem -out cacert.pem
You will be prompted to enter some content, because it is private, so you can enter it at will (the previously modified openssl.cnf will be presented here), it is best to remember to keep it consistent with the later. The above self-signed certificate cacert.pemshould be /etc/pki/CAgenerated under
3) Generate a usable certificate for the server
The above operations are all done on the CA server, and only need to be done once, now go to the nginx server to execute
# cd /etc/nginx/ssl
# openssl genrsa -out nginx.key 20484) Generate signing request for server certificate
# openssl req -new -key nginx.key -out nginx.csr
...
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []:IT_SECTION
Common Name (e.g. server FQDN or YOUR name) []:your.domain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
You will also be prompted to enter some content, and the rest is optional, except that Commone Nameit must be the server domain name or host name of the server you want to grant the certificate to, and the challenge password is left blank.
5) Use a private CA to generate a signature for the server certificate and generate a corresponding certificate
Next, send the certificate request csr file generated in the previous step to the CA server and execute it on the CA
openssl ca -in nginx.csr -days 3650 -out nginx.crt另外在极少数情况下,上面的命令生成的证书不能识别,试试下面的命令: # openssl x509 -req -in nginx.csr -days 3650 -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out server.crt
The above issuance process is actually used by default -cert cacert.pem -keyfile cakey.pem. These two files are /etc/pki/CAthe root key and root certificate generated in the previous two steps. Send the generated crt certificate back to the nginx server for use.
At this point, we have all the files needed to establish a ssl secure connection, and the server's crt and key are located in the configured directory, the rest is how to use the certificate.
6 ) Add root certificate for linux
This step is not necessary, it usually occurs in the development and test environment, and the specific application should provide a method for adding certificates.
curlThe tool can simulate sending requests on linux, but when it accesses https encrypted websites, it will prompt the following information:
# curl https://sean:[email protected]:8000/
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The above information indicates that curl does not find the root certificate in the linux certificate trust set. You can use curl --insecureit to not verify the reliability of the certificate. This can only ensure that the data is encrypted and transmitted, but it cannot guarantee that the other party is the service we want to access. Use curl --cacert cacert.pemto manually specify the root certificate path. We can also add the root certificate to the system (CentOS 5,6) default bundle:
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak} 备份以防出错
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# curl https://sean:[email protected]:8000
"docker-registry server (dev) (v0.8.1)"
7 ) nginx configuration certificate
/etc/nginx/sites-available/defaultAdd under the server directive in the nginx configuration file (probably ):
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
Also note that the server_name should be the same as the Common Name when applying for the certificate, and port 443 should be opened. Of course, there are other configuration contents about web server encryption, such as encrypting only some URLs and implementing mandatory https access for URL redirection, please refer to other information.
8 ) tomcat configuration certificate
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores
Direct configuration of certificates is not supported, nor is it supported in normal mode. Available in APR mode.
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>Ordinary NIO BIO mode, you need to convert the corresponding KEYSTORE first
openssl pkcs12 -export -in server.crt -inkey nginx.key
-out mycert.p12 -name tomcat -CAfile cacrt.pem
-caname root -chain
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/mycert.p12" keystorePass="123456" keystoreType="PKCS12" />
Finish. The next step is to import the CA certificate into the client browser for secure access.
Method 2: Haven't tried
To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com or trustcenter.de), read the previous section and then follow these instructions:
Create a local Certificate Signing Request (CSR)
In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create a CSR follow these steps:
- Create a local self-signed Certificate (as described in the previous section):
Note: In some cases you will have to enter the domain of your website (i.e.
keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>www.myside.org) in the field "first- and lastname" in order to create a working Certificate. - The CSR is then created with:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.
Importing the Certificate
Now that you have your Certificate you can import it into you local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.
- Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html - Import the Chain Certificate into your keystore
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate> - And finally import your new Certificate
keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>
References:
http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
https://segmentfault.com/a/1190000002569859
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Administration_and_Configuration_Guide/Generate_a_SSL_Encryption_Key_and_Certificate.html