Apache 2.4 self-signed certificate and SSL client authentication

Recently a company project had to integrate with a third party: a peer-to-peer VPN over the IP network, HTTPS with a signed certificate, and on top of that the client asked for SSL client authentication and authorization.

Self-signed certificate

An RSA key can be generated with the openssl command, and that key is then used to create a self-signed certificate.
The main difference between a self-signed certificate and a CA-signed one is trust: with a self-signed certificate the client has to install and explicitly trust the certificate itself, otherwise the browser will still flag the HTTPS connection as insecure. The 12306 (China Railway) site appears to use a self-signed certificate, which is why its home page shows the tip 为保障您顺畅购票,请下载安装根证书 ("To ensure smooth ticket purchasing, please download and install the root certificate").
Note: since Chrome 58 a certificate whose hostname appears only in the Common Name is rejected with ERR_CERT_COMMON_NAME_INVALID and shown as not secure. Chrome matches the hostname only against the Subject Alternative Name extension, so the self-signed certificate must carry a subjectAltName entry for the hostname; configuring that in openssl is the fix.
https://github.com/webpack/webpack-dev-server/issues/854

Certificate Format

SSL certificates come in several formats:

  1. Apache, Nginx and similar servers use the OpenSSL cryptographic library and work with PEM-encoded files (.pem, .key, .crt and so on).
  2. Tomcat, WebLogic, JBoss and other Java servers use the Java cryptographic libraries; their certificates live in a Java KeyStore (.jks) created with the keytool utility.
    Common certificate file extensions:
  • *.der, *.cer, *.crt: a certificate, conventionally in binary DER encoding, containing only the public key and never the private key. In practice .crt and .cer files are frequently PEM-encoded; a "-----BEGIN CERTIFICATE-----" header tells you which.
  • *.csr: a certificate signing request, sent to the CA, which signs it and returns the official certificate.
  • *.pem: the general text (Base64) format, which can hold a certificate, a private key, or both. When a .pem file holds only the private key it is usually named *.key instead.
  • *.pfx, *.p12: the binary PKCS#12 format, bundling certificate and private key in one file, usually password protected.

Generate a self-signed certificate

  1. Generate the RSA key: server.key
    Note: this is the certificate's private key; keep it in a safe place with restrictive permissions (readable only by the account that starts httpd).

$ openssl genrsa -out server.key 2048

If you add the -des3 parameter you will be asked for a passphrase, and Apache will prompt for that passphrase every time it starts (or you have to supply it through SSLPassPhraseDialog), so unattended restarts are no longer possible.

$ openssl genrsa -des3 -out server.key 2048

The key can be inspected with:

openssl rsa -noout -text -in server.key

  2. Run the following command to generate the self-signed certificate: server.crt

openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt -extensions usr_cert

Sign with -sha256: certificates signed with SHA-1 are rejected by current browsers. -days is the validity period in days; it can be several years, for example 1825 for five years. -extensions usr_cert selects that section of the openssl.cnf in use; leave it out if your configuration has no such section.

Running the command asks for the following information, which ends up in the generated certificate and can be viewed directly in a browser.
Note: the Common Name must match the domain name actually used to reach the site (and, for Chrome 58 and later, that name must also appear in the subjectAltName extension).

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:North
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test.com
Email Address []:[email protected]

  3. Apache configuration
    Add the following to the Apache virtual host that serves the site (SSLEngine on is required, otherwise the certificate directives are ignored):

SSLEngine on
SSLCertificateFile "/path/to/this/server.crt"
SSLCertificateKeyFile "/path/to/this/server.key"

After changing the configuration, run sudo apachectl configtest to check it, and sudo httpd -S to list the virtual hosts Apache has loaded.
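Putting the three steps together, here is an added example script (not from the original post) that generates the key and a self-signed certificate the way a current browser expects it, with a SHA-256 signature and a subjectAltName for the hostname, and then runs the checks worth doing before pointing Apache at the files: the SAN and signature algorithm actually present in the certificate, that the key matches the certificate, that the certificate verifies against itself, and the PEM to DER conversion from the format section above. The hostname test.com, the Test Ltd DN and the WORKDIR location are assumptions for illustration; a request config file is used instead of -addext so the SAN also works on OpenSSL releases older than 1.1.1.

```shell
#!/bin/sh
# Added example, not code from the original post: RSA key plus a SHA-256
# self-signed server certificate that carries a subjectAltName (what Chrome
# 58+ matches the hostname against), followed by the pre-deployment checks.
# HOST, the DN and WORKDIR are assumptions for illustration.
set -eu

HOST="${HOST:-test.com}"               # assumed; must equal the name clients connect to
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config instead of -addext so the SAN works on OpenSSL < 1.1.1 too.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[dn]
C  = CN
O  = Test Ltd
CN = $HOST
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:www.$HOST
EOF
}

make_self_signed() {
  write_req_config
  # Unencrypted key (no -des3) so httpd can restart unattended; protect it with permissions instead.
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
  # -sha256, never -sha1: browsers reject SHA-1 signed certificates.
  openssl req -new -x509 -sha256 -days 365 -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/server.key" -out "$WORKDIR/server.crt"
}

# The names the browser will match the hostname against.
san_of() {
  openssl x509 -noout -text -in "$WORKDIR/server.crt" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# The first "Signature Algorithm" line is the algorithm the certificate was signed with.
sig_alg_of() {
  openssl x509 -noout -text -in "$WORKDIR/server.crt" \
    | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# A key/certificate mismatch is the classic cause of httpd refusing to start with
# "certificate and private key ... do not match": compare the public keys.
key_matches_cert() {
  [ "$(openssl rsa -in "$WORKDIR/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout)" ]
}

# A self-signed certificate is its own trust anchor, so it must verify against itself.
self_verifies() {
  openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Same certificate in binary DER form (.der/.cer). A DER certificate starts with the
# ASN.1 SEQUENCE tag 0x30; the PEM file starts with "-----BEGIN". Prints the first byte.
pem_to_der() {
  openssl x509 -in "$WORKDIR/server.crt" -outform DER -out "$WORKDIR/server.der"
  od -An -tx1 -N1 "$WORKDIR/server.der" | tr -d ' \n'
}

make_self_signed
echo "key:  $WORKDIR/server.key"
echo "cert: $WORKDIR/server.crt"
echo "SAN:  $(san_of)"
echo "sig:  $(sig_alg_of)"
key_matches_cert && self_verifies && echo "key/cert pair OK, self-verify OK"
echo "DER first byte: 0x$(pem_to_der)"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated server.crt and server.key. The certificate still has to be imported into every client's trust store, because nothing else vouches for it; the SAN only stops Chrome from rejecting it on hostname grounds once it is trusted.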

SSL client authentication and authorization

Most HTTPS deployments use one-way authentication: only the server presents a certificate and the client verifies it. Client authentication (mutual TLS) adds the reverse direction: the client must also present a certificate issued by a CA the server trusts, and only clients whose certificate verifies can reach the protected resources under Apache.
Add the following to the Apache virtual host:
Note: SSLCACertificateFile is the CA certificate (or bundle of CA certificates) that issued the client certificates. Apache accepts a client certificate only if it chains to one of these, so do not point it at a public CA bundle unless you really want every certificate from those CAs to pass.

SSLCACertificateFile "/etc/pki/tls/cert/root.crt"
SSLVerifyClient require
SSLVerifyDepth 10

SSLVerifyDepth is the maximum chain length Apache will walk while verifying; 10 is far more than a private CA ever needs, and a depth of 1 (the CA signs client certificates directly) or 2 (one intermediate) keeps an unexpected intermediate from being accepted. SSLVerifyClient require only authenticates the client: every certificate the CA has ever issued passes. For authorization, restricting a path to particular certificate subjects, you still need a Require expr directive on the client DN variables (SSL_CLIENT_S_DN_CN and friends) in the protected Location or Directory.
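The three directives above authenticate the client but do not say which clients are allowed, nor where the trust root comes from. The following added example script (not code from the original post) builds a private CA for client certificates, issues one client certificate from it and exports it as the PKCS#12 bundle the client imports into a browser, writes an Apache virtual host fragment that requires a certificate from that CA and additionally authorises only one subject with Require expr, and finally checks with openssl verify that the client certificate is accepted while a certificate with the same CN from a different CA is rejected. The CA names, the client CN partner-client-01, the /partner location, the server certificate paths and the p12 password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: private CA for client
# certificates, one client certificate issued from it (plus the .p12 the
# client imports), the Apache vhost fragment that requires and authorises
# it, and a negative check against a certificate from another CA.
# CA names, partner-client-01, /partner, paths and the p12 password are
# assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORG="Test Ltd"
CLIENT_CN="partner-client-01"   # assumed: the one client subject we authorise

# Extensions: a CA that may only sign end-entity certificates, and a client-only leaf.
write_ext_config() {
  cat > "$WORKDIR/ext.cnf" <<EOF
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# $1 = file stem, $2 = CN. The CSR carries only the DN; extensions come from ext.cnf.
new_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/$1.key"
  openssl req -new -sha256 -subj "/C=CN/O=$ORG/CN=$2" \
    -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr"
}

# Self-signed CA: $1 = stem, $2 = CN.
make_ca() {
  new_key_and_csr "$1" "$2"
  openssl x509 -req -sha256 -days 3650 -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" \
    -extfile "$WORKDIR/ext.cnf" -extensions v3_ca -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Client certificate signed by CA $1: $2 = stem, $3 = CN.
issue_client_cert() {
  new_key_and_csr "$2" "$3"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$2.csr" \
    -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
    -extfile "$WORKDIR/ext.cnf" -extensions v3_client -out "$WORKDIR/$2.crt" 2>/dev/null
  # Browsers import key, certificate and issuing CA as one password-protected .p12/.pfx.
  openssl pkcs12 -export -in "$WORKDIR/$2.crt" -inkey "$WORKDIR/$2.key" \
    -certfile "$WORKDIR/$1.crt" -passout pass:changeit -out "$WORKDIR/$2.p12"
}

# The check mod_ssl makes: does the client certificate chain to SSLCACertificateFile?
client_accepted_by() {   # $1 = CA stem, $2 = client stem
  openssl verify -CAfile "$WORKDIR/$1.crt" -purpose sslclient "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# The CN Apache exposes as SSL_CLIENT_S_DN_CN, which the Require expr below pins.
client_cn_of() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORKDIR/$1.crt" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

write_vhost() {
  cat > "$WORKDIR/partner.conf" <<EOF
<VirtualHost *:443>
    ServerName test.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Only chains ending at our own CA are accepted as client certificates.
    SSLCACertificateFile  $WORKDIR/ca.crt
    SSLVerifyClient       require
    # Our CA has pathlen:0, so one level is enough; 10 is far more than it can ever produce.
    SSLVerifyDepth        1

    <Location "/partner">
        # Authentication (a valid certificate) is not authorisation: pin the subject too.
        Require expr "%{SSL_CLIENT_S_DN_CN} == '$CLIENT_CN' && %{SSL_CLIENT_S_DN_O} == '$ORG'"
    </Location>
</VirtualHost>
EOF
}

write_ext_config
make_ca ca "Test Ltd Client CA"
make_ca rogue "Some Other CA"                  # a CA we do not trust
issue_client_cert ca client "$CLIENT_CN"
issue_client_cert rogue intruder "$CLIENT_CN"  # same CN, wrong issuer
write_vhost
echo "client CN: $(client_cn_of client)"
client_accepted_by ca client && echo "client.crt: accepted by ca.crt"
client_accepted_by ca intruder || echo "intruder.crt: rejected, not issued by ca.crt"
echo "vhost fragment: $WORKDIR/partner.conf; browser bundle: $WORKDIR/client.p12 (password changeit)"
```

The intruder certificate carries exactly the CN the Require expr allows, yet it never reaches that rule: mod_ssl rejects it during the handshake because it does not chain to ca.crt. That ordering is the point of keeping SSLCACertificateFile private and SSLVerifyDepth small, and of still pinning the subject, since a second certificate legitimately issued by the same CA would otherwise be accepted too.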



Author: Tsun424
Link: https://www.jianshu.com/p/9c861b85c75a
Source: Jianshu (简书)
Copyright belongs to the author. For commercial reprints please contact the author for authorization; for non-commercial reprints please credit the source.

Origin: www.cnblogs.com/surplus/p/12235298.html