Create Certificate and Configuring SSL in Redhat Linux 4.5
mkdir /sslcert
chmod 0700 sslcert
cd /sslcert
mkdir certs private
echo '100001' >serial
touch certindex.txt
touch openssl.conf
Edit openssl.cnf
Copy the bellow content of "###End openssl"
=====================================================================
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = /sslcert
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
#
###End openssl
#
=====================================================================
openssl req -x509 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem -days 10000 -config openssl.cnf
openssl req -nodes -new -x509 -keyout apache.key -out apache_request.pem -days 3650 -config openssl.cnf
# Note : give common name your url name (for example sys43.doyen.in)
openssl x509 -x509toreq -in apache_request.pem -signkey apache.key -out apache.csr
openssl x509 -req -days 10 -in apache.csr -signkey apache.key -out apache.crt
/etc/httpd/conf
cp -f apache.crt /etc/httpd/conf/ssl.crt/server.crt
cp -f apache.key /etc/httpd/conf/ssl.key/server.key
cp -f cacert.pem /etc/httpd/conf/ca.crt
Restart Your Apache ....
==================================================
Check
openssl x509 -subject -in apache.crt
openssl x509 -noout -text -in apache.crt
openssl s_client -connect host.domain:sslport
Subscribe to:
Post Comments (Atom)
Post a Comment