"Cloud computing" SELinux security (Case)

1.SELinux security
 issue
in this case requires familiarity with switches and protective mechanism of SELinux policy configuration, complete the following tasks:
1) the SELinux Linux servers to enforcing mandatory mode
2) SELinux is enabled in the state, the adjustment strategy open vsftpd service anonymous upload access
3) move from the / root directory of a package file to the FTP download directory, adjust the strategy so that it can be downloaded
 Steps
Carry out the following steps to implement this case.
Step one: put the Linux server's SELinux into enforcing mode
1) Permanent configuration: edit /etc/selinux/config
Confirm or change SELINUX to enforcing:
[root@svr5 ~]# vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
2) Temporary configuration: the setenforce command
Check the current SELinux status. If it is disabled, the system has to be rebooted after step 1) (a kernel cannot go from disabled to enforcing at runtime, and the filesystem must be relabelled on that boot: touch /.autorelabel). If it is permissive, switch it to enforcing with setenforce:
[root@svr5 ~]# getenforce
Permissive
[root@svr5 ~]# setenforce 1          // or: setenforce enforcing
[root@svr5 ~]# getenforce
Enforcing
Step two: with SELinux enabled, adjust the policy so that the vsftpd service allows anonymous uploads
1) Configure the vsftpd service to allow anonymous uploads, as the test environment
[root@svr5 ~]# yum -y install vsftpd
... ...
[root@svr5 ~]# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES            // enable anonymous access
write_enable=YES
anon_umask=022
anon_upload_enable=YES          // allow file uploads
anon_mkdir_write_enable=YES     // allow directory creation

[root@svr5 ~]# chown ftp /var/ftp/pub
[root@svr5 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
2) Verify FTP upload access while SELinux is enabled
In the targeted policy the booleans that allow anonymous FTP writes and full FTP access are off by default, so the upload is denied even though vsftpd itself permits it:
[root@svr5 ~]# ls > test.txt
[root@svr5 ~]# ftp 192.168.4.5
... ...
Name (192.168.4.5:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put test.txt              // try to upload the test file
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,4,5,121,146).
553 Could not create file.     // upload failed
ftp> quit
221 Goodbye.
3) Adjust the SELinux booleans related to FTP to allow uploads (writes)
Check the allow_ftpd booleans; if they are off, turn them on (-P makes the change persistent across reboots):
[root@svr5 ~]# getsebool -a | grep allow_ftpd          // check the boolean values
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
....
[root@svr5 ~]# setsebool -P allow_ftpd_anon_write=1     // set a boolean value
[root@svr5 ~]# setsebool -P allow_ftpd_full_access=1
[root@svr5 ~]# getsebool -a | grep allow_ftpd          // confirm the change
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on
Note: allow_ftpd_anon_write only lets vsftpd write into directories labelled public_content_rw_t (chcon -t public_content_rw_t /var/ftp/pub, or a persistent rule with semanage fcontext followed by restorecon). It is allow_ftpd_full_access, which ignores file labels altogether, that makes the upload below succeed into the default public_content_t directory; for a production server prefer the narrower boolean plus the correct directory label. On RHEL 7 and later these booleans are named ftpd_anon_write and ftpd_full_access.
4) Access the vsftpd service again; the anonymous upload now succeeds
[root@svr5 ~]# ftp 192.168.4.5
... ...
Name (192.168.4.5:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put test.txt              // try to upload the test file
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,4,5,63,249).
150 Ok to send data.
226 Transfer complete.         // upload succeeded
237 bytes sent in 6.3e-05 secs (3761.90 Kbytes/sec)
ftp> quit
221 Goodbye.
Step three: move a package file from /root into the FTP download directory and adjust the file's security context
1) Turn the allow_ftpd_full_access boolean off for the test
Because this boolean opens the whole FTP directory tree to vsftpd regardless of file labels (security contexts), it should be turned off first; otherwise it would mask the label problem shown below.
[root@svr5 ~]# setsebool -P allow_ftpd_full_access=0
[root@svr5 ~]# getsebool allow_ftpd_full_access
allow_ftpd_full_access --> off
2) Create two test files for FTP download
As root, create two compressed test archives: one written directly into /var/ftp/, the other created under /root and then moved (mv) into /var/ftp/.
[root@svr5 ~]# tar zcf /var/ftp/d1.tar.gz install.log*
[root@svr5 ~]# tar zcf d2.tar.gz install.log*
[root@svr5 ~]# mv d2.tar.gz /var/ftp/
[root@svr5 ~]# ls -lh /var/ftp/d?.tar.gz
-rw-r--r--. 1 root root 13K Aug 16 10:16 /var/ftp/d1.tar.gz
-rw-r--r--. 1 root root 13K Aug 16 10:16 /var/ftp/d2.tar.gz
3) Test the download over FTP
Download both archives with wget; the download of the second one fails (the server reports the file as nonexistent):
[root@svr5 ~]# wget ftp://192.168.4.5/d1.tar.gz
... ...
==> PASV ... done.    ==> RETR d1.tar.gz ... done.
... ...
2013-08-16 10:36:16 (235 MB/s) - "d1.tar.gz" saved [13124]

[root@svr5 ~]# wget ftp://192.168.4.5/d2.tar.gz
... ...
==> PASV ... done.    ==> RETR d2.tar.gz ...
No such file "d2.tar.gz".
4) Check the security contexts of the test archives, adjust the second one, and download it again successfully
The archive created in place inherited the directory's public_content_t type. The archive created in /root and moved with mv kept its original admin_home_t label (mv within one filesystem preserves the inode and its extended attributes; cp would have created a new inode with the directory's default label), and ftpd_t is not allowed to read admin_home_t files:
[root@svr5 ~]# ls -Z /var/ftp/d?.tar.gz
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/d1.tar.gz
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0    /var/ftp/d2.tar.gz
[root@svr5 ~]# chcon -t public_content_t /var/ftp/d2.tar.gz
[root@svr5 ~]# ls -Z /var/ftp/d2.tar.gz
-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/d2.tar.gz

[root@svr5 ~]# wget ftp://192.168.4.5/d2.tar.gz
... ...
==> PASV ... done.    ==> RETR d2.tar.gz ... done.
Length: 13124 (13K) (unauthoritative)
... ...
2013-08-16 10:42:21 (178 MB/s) - "d2.tar.gz" saved [13124]
Note: instead of chcon, either restorecon /var/ftp/d2.tar.gz (which applies the label the policy's file-context rules define for that path) or chcon --reference=/var/ftp/d1.tar.gz /var/ftp/d2.tar.gz has the same effect. restorecon is the better habit: a label set by hand with chcon is overwritten by the next full relabel, whereas the default from the file-context database is exactly what a relabel restores.
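The two checks this case turns on by hand, as a small audit script. This is an added example and not part of the original page: a filter over ls -Z output that lists files under the FTP root whose type ftpd_t cannot read (the d2.tar.gz situation), and a reading of the two booleans that says whether anonymous uploads can work and on what terms. It is plain POSIX sh and awk, so it runs anywhere; the sample ls -Z and getsebool lines inside it are constructed to match the transcripts above, and on a real server you pipe in the live commands instead.

```shell
#!/bin/sh
# Added example, not part of the original page: audit helpers for the FTP labelling and
# boolean checks of this case. Pure POSIX sh + awk; feed them real `ls -Z` and
# `getsebool -a` output on the server.

# Types vsftpd may serve anonymously under the targeted policy. Any other type under
# /var/ftp is unreadable to ftpd_t unless allow_ftpd_full_access is on.
FTP_OK_TYPES='public_content_t public_content_rw_t'

# stdin: `ls -Z` lines in the RHEL6 layout "mode user group user:role:type:range path".
# stdout: "path type" for each file whose type is not in FTP_OK_TYPES.
ftp_label_audit() {
    awk -v ok="$FTP_OK_TYPES" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okt[a[i]] = 1 }
        NF >= 5 {
            split($4, ctx, ":")               # ctx[3] is the SELinux type
            if (!(ctx[3] in okt)) print $5, ctx[3]
        }'
}

# stdin: `getsebool -a` lines ("name --> on|off"). stdout: one verdict line.
ftp_bool_audit() {
    awk '
        $1 == "allow_ftpd_anon_write"  { aw = $3 }
        $1 == "allow_ftpd_full_access" { fa = $3 }
        END {
            if (fa == "on")
                print "upload: allowed; full_access ignores file labels, prefer anon_write + public_content_rw_t"
            else if (aw == "on")
                print "upload: allowed only into public_content_rw_t directories"
            else
                print "upload: denied by SELinux (vsftpd answers 553 Could not create file)"
        }'
}

# Turns the audit output into the fix used in step three. restorecon rather than chcon,
# because the policy's own default for /var/ftp(/.*)? is already public_content_t.
ftp_label_fixes() {
    ftp_label_audit | awk '{ print "restorecon -v " $1 }'
}

# Constructed sample input reproducing the state after step three 2).
sample_ls_Z() {
    printf '%s\n' \
      '-rw-r--r--. root root unconfined_u:object_r:public_content_t:s0 /var/ftp/d1.tar.gz' \
      '-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/ftp/d2.tar.gz'
}
sample_getsebool() {
    printf '%s\n' 'allow_ftpd_anon_write --> on' 'allow_ftpd_full_access --> off'
}

# On the server:  ls -Z /var/ftp/* | ftp_label_fixes ;  getsebool -a | ftp_bool_audit
sample_ls_Z | ftp_label_fixes
sample_getsebool | ftp_bool_audit
```

With the sample input the fix list is a single restorecon for d2.tar.gz, and the boolean verdict shows the state a hardened server should be in: anon_write on, full_access off, uploads confined to an explicitly labelled directory.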
2. Encryption and decryption applications
 Problem
This case requires using the gpg tool to encrypt/decrypt files and to sign software, completing the following tasks:
1) Compute and verify a file's MD5 checksum
2) Use GPG to protect the confidentiality of a file (encryption and decryption)
3) Use GPG to check the integrity of a package by verifying the package signature
 Setup
Two RHEL6 virtual machines are used. The encryption operations are mainly done on svr5, while pc205 acts as the recipient and as the machine that publishes a signed package for testing, as shown in Figure -1.

Figure -1 (image not reproduced)
 Steps
Carry out the following steps to implement this case.
Step one: compute and verify a file's MD5 checksum
1) Compare checksums before and after a change. Create a file, make copies of it and compute the checksums:
[root@svr5 ~]# vim file1.txt
abcdef
123 456 779
[root@svr5 ~]# cp file1.txt file2.txt
[root@svr5 ~]# cat file1.txt > file3.txt
[root@svr5 ~]# md5sum file?.txt        // identical contents give identical checksums
b92aa0f8aa5d5af5a47c6896283f3536  file1.txt
b92aa0f8aa5d5af5a47c6896283f3536  file2.txt
b92aa0f8aa5d5af5a47c6896283f3536  file3.txt
2) Make a small change to the file content and compute the checksums again; the checksum of the changed file is completely different:
[root@svr5 ~]# echo "x" >> file1.txt
[root@svr5 ~]# md5sum file?.txt
6be3efe71d8b4b1ed34ac45f4edd2ba7  file1.txt
b92aa0f8aa5d5af5a47c6896283f3536  file2.txt
b92aa0f8aa5d5af5a47c6896283f3536  file3.txt
A checksum like this detects accidental corruption, but MD5 collisions can be constructed deliberately, and a checksum published next to the download can be replaced together with the download; use sha256sum for new work, and rely on a signature (step four) rather than a bare checksum when authenticity matters.
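The same experiment as steps 1) and 2), done the way a release engineer does it: a manifest recorded while the files are known-good and re-checked later with the hash tool's -c mode, which the page does not show. This is an added example, not part of the original page; the file contents are the page's, while the temporary directory and the manifest name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: manifest-based checksum verification.
# $1 = hash tool (md5sum or sha256sum). Prints the names of files whose current hash no
# longer matches the manifest, one per line; returns 0 only when nothing was tampered with.
checksum_demo() {
    tool=${1:-md5sum}
    work=$(mktemp -d) || return 1
    printf 'abcdef\n123 456 779\n' > "$work/file1.txt"      # the page's file1.txt
    cp "$work/file1.txt" "$work/file2.txt"
    cp "$work/file1.txt" "$work/file3.txt"

    # Record the manifest while the files are trusted. Relative names, because the
    # manifest is meant to travel alongside the files it describes.
    (cd "$work" && "$tool" file1.txt file2.txt file3.txt > MANIFEST)

    # Step 2) of the page: a one-character change to one file.
    echo "x" >> "$work/file1.txt"

    # -c recomputes every listed hash and prints "name: OK" or "name: FAILED"; its exit
    # status is non-zero if any line mismatched. The failures are collected from stdout.
    failed=$(cd "$work" && "$tool" -c MANIFEST 2>/dev/null | awk -F': ' '$2 == "FAILED" { print $1 }')
    rm -rf "$work"
    printf '%s\n' "$failed"
    [ -z "$failed" ]
}

# md5sum catches the accidental change exactly as well as sha256sum; what it cannot do is
# resist a deliberately constructed collision, which is why new manifests should use
# sha256sum and why the manifest itself needs a signature (step four) before it proves anything.
checksum_demo md5sum    || echo "tampering detected (md5sum)"
checksum_demo sha256sum || echo "tampering detected (sha256sum)"
```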
Step two: protect a file with GPG symmetric encryption
1) gpg symmetric encryption
Run the following:
[root@svr5 ~]# gpg -c file2.txt
... ...
You are prompted to enter the passphrase twice. In a GNOME desktop environment a pop-up window asks for the passphrase, as shown in Figure -2:
Figure -2 (image not reproduced)
If the encryption is run on a tty terminal, the prompt is text-mode, as in Figure -3.
Figure -3 (image not reproduced)
After the passphrase has been entered twice, the encrypted file (with the suffix .gpg added automatically) is generated; only the encrypted file (here file2.txt.gpg) needs to be sent.
[root@svr5 ~]# file file2.txt*
file2.txt:     ASCII text
file2.txt.gpg: data             // this is the file to pass to the other party
2) gpg symmetric decryption
The recipient must decrypt the file before its contents can be viewed.
[root@pc205 ~]# head -1 file2.txt.gpg      // without decryption the content is unreadable
X▒ ܶ n▒-E▒▒0▒▒▒ u▒▒ (▒
. 7> 0-▒▒▒, 2 = ▒9 [* c \ ▒ {▒ / ▒▒, ▒▒eSx

[root@pc205 ~]# gpg -d file2.txt.gpg > file2.txt    // decrypt and save
gpg: 3DES encrypted data
... ...                                     // enter the correct passphrase when prompted
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

[root@pc205 ~]# cat file2.txt            // check the decrypted file
abcdef
123 456 779
The last warning means the message carries no modification detection code (MDC): someone who alters the ciphertext in transit would not be detected. Current GnuPG releases use AES with an MDC by default and refuse to decrypt such unprotected messages unless explicitly forced, so this output is specific to the old version used here.
Step three: protect a file with GPG asymmetric encryption
With asymmetric encryption the sender (UserA) encrypts the file with the recipient's (UserB's) public key, and the recipient decrypts it with their own private key. The process is as follows.
1) The recipient UserB creates their own public/private key pair
Run gpg --gen-key and answer the prompts to choose the kind of key to create:
[UserB@pc205 ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?                    // press Enter to accept the default (1)
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)   // accept the default 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)              // accept the default: the key never expires
Key does not expire at all
Is this correct? (y/N) y           // answer y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: UserB
Email address: UserB@tarena.com
Comment: User B
You selected this USER-ID:
    "UserB (User B) <UserB@tarena.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   // enter o to confirm
You need a Passphrase to protect your secret key.

can't connect to `/home/UserB/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
// if generation stalls here, produce some disk activity in another terminal, for example with a dd command
gpg: /home/UserB/.gnupg/trustdb.gpg: trustdb created
gpg: key 421C9354 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/421C9354 2013-08-16
      Key fingerprint = 8A27 6FB5 1315 CEF8 D8A0  A65B F0C9 7DA6 421C 9354
uid                  UserB (User B) <UserB@tarena.com>
sub   2048R/9FA3AD25 2013-08-16
2) Export UserB's public key to a file
A user's public and secret keys are stored in the pubring.gpg and secring.gpg files (on GnuPG 2.1 and later the public keyring is pubring.kbx and the secret keys live under private-keys-v1.d/):
[UserB@pc205 ~]$ gpg --list-keys              // view the public keyring
/home/UserB/.gnupg/pubring.gpg

pub   2048R/421C9354 2013-08-16
uid                  UserB (User B) <UserB@tarena.com>
sub   2048R/9FA3AD25 2013-08-16

[UserB@pc205 ~]$ gpg --list-secret-keys       // view the secret keyring
/home/UserB/.gnupg/secring.gpg

sec   2048R/421C9354 2013-08-16
uid                  UserB (User B) <UserB@tarena.com>
ssb   2048R/9FA3AD25 2013-08-16
Use the --export option of gpg together with -a (ASCII armour) to export the public key as text, and deliver it to the sender UserA:
[UserB@pc205 ~]$ gpg -a --export UserB > /tmp/UserB.pub
[UserB@pc205 ~]$ ftp 192.168.4.5
... ...
Name (192.168.4.5:UserB): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> lcd /tmp/
Local directory now /tmp
ftp> put UserB.pub            // send the public key to the sender's host via FTP
local: UserB.pub remote: UserB.pub
227 Entering Passive Mode (192,168,4,6,59,39).
150 Ok to send data.
226 Transfer complete.
1719 bytes sent in 0.000127 secs (13535.43 Kbytes/sec)
ftp> quit
221 Goodbye.
3) The sender UserA imports the recipient's public key and encrypts the file
Use the --import option of gpg to import the public key. When encrypting, the sender names the recipient with -r so that gpg picks the matching public key.
[UserA@svr5 ~]$ gpg --import /var/ftp/pub/UserB.pub
gpg: key 421C9354: public key "UserB (User B) <UserB@tarena.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[UserA@svr5 ~]$ echo "I love you." > tosend.txt
[UserA@svr5 ~]$ gpg -e -r UserB tosend.txt
gpg: 9FA3AD25: There is no assurance this key belongs to the named user

pub  2048R/9FA3AD25 2013-08-16 UserB (User B) <UserB@tarena.com>
 Primary key fingerprint: 8A27 6FB5 1315 CEF8 D8A0  A65B F0C9 7DA6 421C 9354
      Subkey fingerprint: 08EA 5D11 FB25 9AF1 8137  0E47 AD13 F31B 9FA3 AD25

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y        // confirm, and the file is encrypted with this key
[UserA@svr5 ~]$ exit
logout
[root@svr5 ~]# cp /home/UserA/tosend.txt.gpg /var/ftp/tosend.txt.gpg
The warning is justified: the key arrived over plain FTP and could have been swapped on the way. Before answering y, compare the fingerprint printed here with one obtained from UserB through another channel (read out over the phone, for instance); once checked, gpg --sign-key UserB records that decision and the question no longer appears.
4) The recipient UserB receives the encrypted file and decrypts it with their own private key
[UserB@pc205 ~]$ wget ftp://192.168.4.5/tosend.txt.gpg
2013-08-16 15:28:30 (40.8 MB/s) - "tosend.txt.gpg" saved [355]
[UserB@pc205 ~]$ gpg -d tosend.txt.gpg > tosend.txt

You need a passphrase to unlock the secret key for
user: "UserB (User B) <UserB@tarena.com>"
2048-bit RSA key, ID 9FA3AD25, created 2013-08-16 (main key ID 421C9354)
// enter the private key's passphrase
can't connect to `/home/UserB/.gnupg/S.gpg-agent': No such file or directory
gpg: encrypted with 2048-bit RSA key, ID 9FA3AD25, created 2013-08-16
      "UserB (User B) <UserB@tarena.com>"
[UserB@pc205 ~]$ cat tosend.txt          // view the decrypted content
I love you.
Step four: use GPG to check the integrity of a package by verifying the package signature
1) On pc205, as the author UserB, create a detached signature for a package
The package, the signature file and the author's public key file are distributed together for other users to download.
[UserB@pc205 ~]$ tar zcf tools-1.2.3.tar.gz /etc/hosts        // create a test package
[UserB@pc205 ~]$ gpg -b tools-1.2.3.tar.gz                     // create a detached digital signature
[UserB@pc205 ~]$ ls -lh tools-1.2.3.tar.gz* UserB.pub
-rw-rw-r--. 1 UserB UserB  170 Aug 17 21:18 tools-1.2.3.tar.gz
-rw-rw-r--. 1 UserB UserB  287 Aug 17 21:22 tools-1.2.3.tar.gz.sig
-rw-rw-r--. 1 UserB UserB 1.7K Aug 17 21:26 UserB.pub
[UserB@pc205 ~]$ exit
logout
[root@pc205 ~]# yum -y install vsftpd
[root@pc205 ~]# cp /home/UserB/tools-1.2.3.tar.gz* /var/ftp/
[root@pc205 ~]# cp /home/UserB/UserB.pub /var/ftp/
[root@pc205 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
2) On svr5, download the package and verify the official signature
Download the signed package published on host pc205, import UserB's public key, and use it to verify the integrity of the package.
[root@svr5 ~]# wget ftp://192.168.4.205/tools-1.2.3*
... ...
2013-08-17 21:29:46 (31.7 MB/s) - "tools-1.2.3.tar.gz" saved [170]
2013-08-17 21:29:46 (23.3 MB/s) - "tools-1.2.3.tar.gz.sig" saved [287]
[root@svr5 ~]# wget ftp://192.168.4.205/UserB.pub
... ...
2013-08-17 21:32:27 (208 MB/s) - "UserB.pub" saved [1719]
[root@svr5 ~]# gpg --import UserB.pub            // import the author's public key
... ...
[root@svr5 ~]# gpg --verify tools-1.2.3.tar.gz.sig tools-1.2.3.tar.gz
gpg: Signature made Sat 17 Aug 2013 21:22:15 CST using RSA key ID 421C9354
gpg: Good signature from "UserB (User B) <UserB@tarena.com>"
... ...
Because the public key was fetched from the same server as the package, "Good signature" here only proves that the package matches the key that came with it; gpg also warns that the key is not certified with a trusted signature unless it has been checked and signed locally. The check is only as strong as the out-of-band comparison of UserB's fingerprint (the value shown in step three), which is what turns a self-consistent download into an authenticated one.
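The UserA/UserB exchange of step three and the signed-package check of step four, run end to end and unattended. This is an added example and not part of the original page: it uses throw-away keyrings under mktemp so nothing touches ~/.gnupg, generates the keys in batch mode instead of the interactive dialogue shown above, and answers the "Use this key anyway?" question with --trust-model always, the batch equivalent of typing y. The user ids, the example.test mail domain, the message and the "package" bytes are constructed for the demo; it needs GnuPG 2.1 or later and prints "skipped" if gpg is not installed.

```shell
#!/bin/sh
# Added example, not from the original page: steps three and four of this case run
# unattended in temporary keyrings. Names, addresses, message and package are constructed.

# Unattended key generation (the page uses the interactive gpg --gen-key dialogue).
# $1 = GNUPGHOME, $2 = real name. RSA sign key + RSA encrypt subkey, the page's choice (1).
# %no-protection because nobody can type a passphrase in batch mode; %transient-key uses
# the faster RNG so the demo does not stall for entropy the way the page warns about.
mkkey() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
%transient-key
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $2@example.test
Expire-Date: 0
%commit
EOF
}

cleanup() {
    for h in "$A_HOME" "$B_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}

# Prints "ok" when every step behaves as on the page (encrypt/decrypt round trip, a good
# detached signature accepted, a tampered package rejected), "skipped" without gpg, and
# otherwise the name of the failing step with return status 1.
gpg_exchange_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    WORK=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1   # short path: gpg-agent sockets
    A_HOME="$WORK/a"; B_HOME="$WORK/b"
    mkdir -m 700 "$A_HOME" "$B_HOME"
    mkkey "$A_HOME" UserA && mkkey "$B_HOME" UserB || { echo keygen; cleanup; return 1; }

    # Step three: UserB exports an armoured public key, UserA imports it and encrypts to it.
    # --trust-model always replaces the interactive "y"; in real use compare the
    # fingerprint out of band first (gpg --fingerprint UserB).
    GNUPGHOME="$B_HOME" gpg --batch --armor --export UserB > "$WORK/UserB.pub"
    GNUPGHOME="$A_HOME" gpg --batch --quiet --import "$WORK/UserB.pub" 2>/dev/null
    printf 'I love you.\n' > "$WORK/tosend.txt"
    GNUPGHOME="$A_HOME" gpg --batch --yes --trust-model always -r UserB@example.test \
        -o "$WORK/tosend.txt.gpg" -e "$WORK/tosend.txt" 2>/dev/null \
        || { echo encrypt; cleanup; return 1; }
    # Only UserB's keyring holds the private half, so only it can decrypt.
    got=$(GNUPGHOME="$B_HOME" gpg --batch --quiet -d "$WORK/tosend.txt.gpg" 2>/dev/null)
    [ "$got" = "I love you." ] || { echo decrypt; cleanup; return 1; }

    # Step four: UserB ships a detached signature with the package, UserA verifies it.
    pkg="$WORK/tools-1.2.3.tar.gz"
    printf 'constructed package bytes\n' > "$pkg"
    GNUPGHOME="$B_HOME" gpg --batch --yes -o "$pkg.sig" -b "$pkg" 2>/dev/null \
        || { echo sign; cleanup; return 1; }
    GNUPGHOME="$A_HOME" gpg --batch --verify "$pkg.sig" "$pkg" 2>/dev/null \
        || { echo "good signature rejected"; cleanup; return 1; }
    # A single appended byte must turn "Good signature" into "BAD signature" (exit 1).
    printf 'x' >> "$pkg"
    if GNUPGHOME="$A_HOME" gpg --batch --verify "$pkg.sig" "$pkg" 2>/dev/null; then
        echo "tampered package accepted"; cleanup; return 1
    fi
    cleanup
    echo ok
}

gpg_exchange_demo
```

The tamper check at the end is the part worth keeping around: a verification routine that has never been seen to fail on a modified input has not been tested.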
... ...
3. OpenSSL and certificate services
 Problem
This case requires familiarity with the basic OpenSSL tools, performing the following:
1) Use OpenSSL to encrypt/decrypt files
2) Build the enterprise's own CA server environment, as a basis for issuing digital certificates
 Setup
Two RHEL6 virtual machines are used: svr5 as the CA digital certificate server and pc205 as a test client, as shown in Figure -4.

Figure -4 (image not reproduced)
 Steps
Carry out the following steps to implement this case.
Step one: encrypt/decrypt a file with OpenSSL
1) Encrypt a file
Create a plaintext text file f1.txt and encrypt it with openssl, selecting the des3 algorithm; the encrypted file is written to f1.txt.enc.
[root@svr5 ~]# rpm -qi openssl > f1.txt        // create the plaintext test file
[root@svr5 ~]# head -2 f1.txt
Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.0                             Vendor: Red Hat, Inc.
[root@svr5 ~]# openssl enc -des3 -e -in f1.txt -out f1.txt.enc
enter des-ede3-cbc encryption password:                 // set a password
Verifying - enter des-ede3-cbc encryption password:     // enter the password again
[root@svr5 ~]# file f1.txt*
f1.txt:     UTF-8 Unicode English text
f1.txt.enc: data               // after encryption the file is no longer text
2) Decrypt the file
Viewing f1.txt.enc before decryption shows only garbage; it has to be decrypted before it can be read.
[root@svr5 ~]# head -2 f1.txt.enc
Salted__▒▒▒▒C̏▒x▒6Q▒
.O▒l▒g▒)▒▒▒{▒▒G▒▒t▒▒!▒▒▒Cc0▒▒▒c쬂▒V▒Dp▒▒9▒▒▒[▒▒▒X▒f▒ڍ▒j@▒▒▒▒▒▒▒=@▒.ɮP▒1e▒▒▒"M`▒W▒=▒▒▒-a,▒▒j7▒M▒▒b▒+▒▒ 麋0▒▒▒k▒▒z▒Zʢ

[root@svr5 ~]# openssl enc -des3 -d -in f1.txt.enc -out f1-new.txt
enter des-ede3-cbc decryption password:     // enter the decryption password
[root@svr5 ~]# head -2 f1-new.txt           // view the decrypted text
Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.0                             Vendor: Red Hat, Inc.
Note: the Salted__ header shows that the key was derived from the password with a random salt, but on this OpenSSL version the derivation is a single MD5 round (EVP_BytesToKey), which makes password guessing cheap, and openssl enc adds no integrity protection: a modified ciphertext is decrypted to garbage or rejected only by the generic padding check, never reported as tampering. On OpenSSL 1.1.1 or later prefer openssl enc -aes-256-cbc -pbkdf2, and use GPG (case 2) when integrity matters.
Step two: build the enterprise's own CA server, as a basis for issuing digital certificates
1) Configure the CA signing environment
Edit OpenSSL's main configuration file, /etc/pki/tls/openssl.cnf, to provide defaults for the certificate creation process:
[root@svr5 ~]# vim /etc/pki/tls/openssl.cnf
... ...
[ CA_default ]
dir             = /etc/pki/CA               // default directory for the CA's files
certs           = $dir/certs                // where certificates issued to users are kept
crl_dir         = $dir/crl                  // where certificate revocation list (CRL) files are kept
database        = $dir/index.txt            // index file of certificate data, must be created by hand
certificate     = $dir/my-ca.crt            // the CA server's root certificate file
serial          = $dir/serial               // serial number record file, must be created by hand
... ...
private_key     = $dir/private/my-ca.key    // the CA server's private key file
[ req_distinguished_name ]                  // identification information for certificate requests
countryName                     = Country Name (2 letter code)
countryName_default             = CN        // country code
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing   // province
localityName                    = Locality Name (eg, city)
localityName_default            = Beijing   // city
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tarena Technology Ltd   // organization
The default CA directory is /etc/pki/CA/; the initial serial file and index file have to be created there:
[root@svr5 ~]# cd /etc/pki/CA
[root@svr5 CA]# touch index.txt          // create the data index file
[root@svr5 CA]# echo 01 > serial         // create the serial number file
2) Create the CA server's private key
This private key is used every time a certificate is issued later; protect it with a passphrase.
[root@svr5 ~]# cd /etc/pki/CA/private
[root@svr5 private]# openssl genrsa -des3 2048 > my-ca.key
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)
Enter pass phrase:                 // set a passphrase for the private key
Verifying - Enter pass phrase:     // enter the passphrase again
[root@svr5 private]# chmod 600 my-ca.key
[root@svr5 private]# ls -l my-ca.key
-rw-------. 1 root root 1751 Aug  6 14:12 my-ca.key
Note: the shell redirection creates my-ca.key with the default 644 mode before the chmod runs. Running the command as (umask 077; openssl genrsa -des3 2048 > my-ca.key) closes that window, and on current OpenSSL versions -aes256 is the better choice than -des3 for protecting the key file.
3) Create the CA server's root certificate
This root certificate is handed out to all client companies and individuals, and is used to verify the legitimate identity of certificate holders. The request's identification information is filled in automatically from the defaults set in step 1), but the common name and e-mail address have to be entered by hand.
[root@svr5 private]# openssl req \
    -new -x509 -key my-ca.key -days 365 > ../my-ca.crt
Enter pass phrase for my-ca.key:      // enter the private key's passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena Technology Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Tarena CA Server
Email Address []:[email protected]
4) Publish the root certificate file
In this example the bundled httpd service provides the download over the Web.
[root@svr5 private]# mkdir /var/www/html/certs/
[root@svr5 private]# cp ../my-ca.crt /var/www/html/certs/TARENA-CA.CRT
[root@svr5 private]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using svr5.tarena.com for ServerName
                                                           [  OK  ]
Confirm that the client is able to download the root certificate:
[root@pc205 ~]# wget http://192.168.4.5/certs/TARENA-CA.CRT
... ...
2013-08-17 23:36:51 (49.5 MB/s) - "TARENA-CA.CRT" saved [1436/1436]
A root certificate downloaded over plain HTTP can be replaced on the way, and whoever controls the root a client trusts can issue certificates for anything. Before importing it, the client should compare its fingerprint (openssl x509 -in TARENA-CA.CRT -noout -fingerprint -sha256) with the value obtained from the CA operator through another channel.
After these steps the certificate-issuing environment is in place. When a certificate signing request (CSR) file is received from a business or individual, it can be validated and the certificate issued (covered in a later part).
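Step one and step two of this case run unattended in a temporary directory, so the commands can be exercised without touching /etc/pki. This is an added example and not part of the original page. The DN values are the page's own; the passwords, file names and temporary directory are assumptions, the file encryption is done with the hardened options from the note above (AES-256-CBC with PBKDF2 instead of des3 with the default derivation), and it needs OpenSSL 1.1.1 or later. It prints "skipped" when openssl is not installed.

```shell
#!/bin/sh
# Added example, not from the original page: the file encryption step and the CA setup
# of this case, unattended, under mktemp. DN values are the page's; everything else is assumed.

# Step one, hardened: AES-256-CBC with PBKDF2 instead of des3 with single-round MD5.
# $1 = work dir, $2 = file password. Prints the first decrypted line on success.
enc_roundtrip() {
    dir=$1; pw=$2
    printf 'Name        : openssl\nVersion     : 1.0.0\n' > "$dir/f1.txt"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$pw" \
        -in "$dir/f1.txt" -out "$dir/f1.txt.enc" || return 1
    openssl enc -aes-256-cbc -pbkdf2 -d -pass "pass:$pw" \
        -in "$dir/f1.txt.enc" -out "$dir/f1-new.txt" 2>/dev/null || return 1
    cmp -s "$dir/f1.txt" "$dir/f1-new.txt" || return 1
    # enc has no authentication: with a wrong password it produces garbage or a bare
    # padding error, never a clear "tampered" verdict, so the caller must compare content.
    openssl enc -aes-256-cbc -pbkdf2 -d -pass "pass:wrong-$pw" \
        -in "$dir/f1.txt.enc" -out "$dir/f1-wrong.txt" 2>/dev/null || true
    if cmp -s "$dir/f1.txt" "$dir/f1-wrong.txt"; then return 1; fi
    head -1 "$dir/f1-new.txt"
}

# Step two, unattended: passphrase-protected CA key created under umask 077 (never
# world-readable, not even before a chmod), a self-signed root with the page's DN, then
# the checks a client should run on the downloaded TARENA-CA.CRT.
# $1 = CA dir (stands in for /etc/pki/CA), $2 = key passphrase.
build_ca() {
    dir=$1; kpw=$2
    mkdir -p "$dir/private" && touch "$dir/index.txt" && echo 01 > "$dir/serial"
    (umask 077; openssl genrsa -aes256 -passout "pass:$kpw" \
        -out "$dir/private/my-ca.key" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$dir/private/my-ca.key" -passin "pass:$kpw" -days 365 \
        -subj '/C=CN/ST=Beijing/L=Beijing/O=Tarena Technology Ltd/CN=Tarena CA Server' \
        -out "$dir/my-ca.crt" 2>/dev/null || return 1
    cp "$dir/my-ca.crt" "$dir/TARENA-CA.CRT"
    # A self-signed root verifies against itself; anything else means the published
    # file is not a root or not the file that was created here.
    openssl verify -CAfile "$dir/TARENA-CA.CRT" "$dir/TARENA-CA.CRT" >/dev/null 2>&1 || return 1
    # Subject, issuer (identical for a root) and the SHA-256 fingerprint: the fingerprint
    # is what the CA operator publishes out of band for clients to compare against.
    openssl x509 -in "$dir/TARENA-CA.CRT" -noout -subject -issuer -fingerprint -sha256
}

# Prints "ok" when both steps succeed, "skipped" without openssl, else the failing step.
openssl_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    enc_roundtrip "$work" 'file-password' >/dev/null || { rm -rf "$work"; echo enc; return 1; }
    out=$(build_ca "$work/CA" 'ca-key-password') || { rm -rf "$work"; echo ca; return 1; }
    rm -rf "$work"
    case $out in
        *"Tarena CA Server"*) echo ok ;;
        *) echo "unexpected subject"; return 1 ;;
    esac
}

openssl_demo
```

Nothing here signs a client CSR yet; that is the next step the page defers, and it is the point at which index.txt and serial start being used by openssl ca.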

Origin blog.csdn.net/xiaozhedeitzhilu/article/details/91894983