SUSE LINUX Enterprise & openSUSE Community
หัวข้อ: Creating a Self-Signed Certificate with mkcert.sh  (อ่าน 3105 ครั้ง)
Sontaya
Administrator
« on: October 03, 2010, 03:01:51 AM »


node1:/usr/share/doc/packages/apache2 # ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ custom
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]: R
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
381038 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
.....++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:TH
2. State or Province Name   (full name)     [Snake Desert]:Bangkok
3. Locality Name            (eg, city)      [Snake Town]:Huaykwang
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:SUSE.IN.TH
5. Organizational Unit Name (eg, section)   [Certificate Authority]:Certificate Authority
6. Common Name              (eg, CA name)   [Snake Oil CA]:SUSE.IN.TH CA
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:ca@suse.in.th
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=TH/ST=Bangkok/L=Huaykwang/O=SUSE.IN.TH/OU=Certificate Authority/CN=SUSE.IN.TH CA/emailAddress=ca@suse.in.th
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache2/ssl.crt/ca.crt: C = TH, ST = Bangkok, L = Huaykwang, O = SUSE.IN.TH, OU = Certificate Authority, CN = SUSE.IN.TH CA, emailAddress = ca@suse.in.th
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
381038 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.........................++++++
.++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:TH
2. State or Province Name   (full name)     [Snake Desert]:Bangkok
3. Locality Name            (eg, city)      [Snake Town]:Huaykwang
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:SUSETHAILAND.COM
5. Organizational Unit Name (eg, section)   [Webserver Team]:Security Team
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:node1.domain.local
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:it.support@node1.domain.local
______________________________________________________________________

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=TH/ST=Bangkok/L=Huaykwang/O=SUSETHAILAND.COM/OU=Security Team/CN=node1.domain.local/emailAddress=it.support@node1.domain.local
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache2/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
writing RSA key
Enter PEM pass phrase:*******
Verifying - Enter PEM pass phrase:*******
Fine, you're using an encrypted private key.
______________________________________________________________________

STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n   (If you answer y, you will have to enter the pass phrase every time Apache is started.)
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

RESULT: CA and Server Certification Files

o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.

- Configuring Apache with SSL

$ vim /etc/sysconfig/apache2
Find "APACHE_MODULES" and add ssl (it is already there by default).
Find "APACHE_SERVER_FLAGS" and add SSL:
APACHE_SERVER_FLAGS="SSL"

*If you answered y in STEP 8 (the Server Certificate is encrypted), you must also set a value for "APACHE_TIMEOUT", the time allowed when the server is started and restarted.

- Create Virtual Host Configuration

$ cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf

- Restart Web Server

$ rcapache2 restart

IMPORTANT: Self-signed certificates are not recommended for a public shop. We recommend using an officially signed certificate.
« Last edit: March 10, 2012, 01:20:21 PM by Sontaya »
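The transcript above shows what mkcert.sh produced in 2010: 1024-bit RSA keys and a server certificate whose hostname lives only in the Common Name. Current clients accept neither (RSA below 2048 bits is under the minimum browsers and NIST require, and Chrome has ignored the CN in favour of subjectAltName since 2017). The script below is an added example, not code from the post or from mkcert.sh: it reproduces STEP 1 to STEP 7 with plain openssl(1) using 2048-bit keys, SHA-256 and a subjectAltName, then runs the same two checks mkcert.sh prints ("matching certificate & key modulus", "matching certificate signature") plus a hostname check mkcert.sh does not do. The DN values, the hostname node1.example.test, the temporary output directory and the placeholder passphrase are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from mkcert.sh): the same
# "own CA + server certificate" flow done with plain openssl(1), using key
# sizes and extensions that current clients accept. DN values and the
# hostname are made up.
set -eu
umask 077   # private keys are created mode 0600

# STEP 1-3 equivalent: CA key and a self-signed CA certificate (CA:TRUE,
# key usage limited to signing certificates and CRLs).
make_ca() {   # $1 = output dir, $2 = CA common name
    cat > "$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = TH
O = Example Lab
OU = Certificate Authority
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1825 -config "$1/ca.cnf" \
        -key "$1/ca.key" -out "$1/ca.crt"
}

# STEP 4-6 equivalent: server key, CSR, and a certificate signed by the CA.
# The hostname goes into subjectAltName; browsers no longer read it from CN.
make_server_cert() {   # $1 = output dir, $2 = server FQDN
    cat > "$1/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = TH
O = Example Lab
OU = Security Team
CN = $2
EOF
    cat > "$1/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$1/server.cnf" \
        -key "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -sha256 -days 397 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# The checks mkcert.sh prints, plus a hostname check it does not do.
verify_chain() {      # $1 = dir; "matching certificate signature"
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
verify_host() {       # $1 = dir, $2 = hostname a client would connect to
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
key_matches_cert() {  # $1 = dir; "matching certificate & key modulus"
    [ "$(openssl x509 -noout -modulus -in "$1/server.crt")" = \
      "$(openssl rsa  -noout -modulus -in "$1/server.key" 2>/dev/null)" ]
}

# STEP 7 equivalent: encrypt the CA key at rest. The passphrase is read from
# a 0600 file, not passed on the command line where ps(1) would show it.
protect_ca_key() {    # $1 = dir, $2 = passphrase file
    openssl rsa -aes256 -in "$1/ca.key" -out "$1/ca.key.tmp" -passout "file:$2" 2>/dev/null
    mv "$1/ca.key.tmp" "$1/ca.key"
    grep -q ENCRYPTED "$1/ca.key"
}

main() {
    dir=${1:-$(mktemp -d)}
    make_ca "$dir" "Example Lab CA"
    make_server_cert "$dir" "node1.example.test"
    verify_chain "$dir"
    key_matches_cert "$dir"
    verify_host "$dir" "node1.example.test"
    echo "OK: $dir/server.crt chains to ca.crt, matches server.key, valid for node1.example.test"
    printf 'change-this-passphrase\n' > "$dir/ca.pass"   # placeholder, not a real secret
    protect_ca_key "$dir" "$dir/ca.pass" && echo "OK: $dir/ca.key is encrypted at rest"
}
main "$@"
```

Run it as `sh mkcert-openssl.sh [outdir]`; the server key is left unencrypted, as the post chose in STEP 8, so Apache can start unattended, which is why its file mode and the host it lives on are the only things protecting it. Once the CA key is encrypted, signing further certificates with it will prompt for the passphrase, exactly the trade-off the post describes for Apache startup.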

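The post copies vhost-ssl.template to vhost-ssl.conf but does not show its contents. The virtual host below is an added example, not the post's file, wiring up the files the RESULT block names with the directives it mentions. The paths follow the /etc/apache2/ssl.crt/server.crt path printed in STEP 6 (the ssl.key directory is assumed by analogy), node1.domain.local is the CN the post used, and the SSLProtocol line assumes Apache 2.4 syntax.

```apache
<VirtualHost _default_:443>
    ServerName node1.domain.local
    DocumentRoot /srv/www/htdocs

    SSLEngine on
    # Server certificate signed by the private CA, and its private key
    # (left unencrypted in STEP 8 so Apache can start without a prompt).
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # Only needed when clients are to authenticate with certificates issued
    # by the same CA (the SSLCACertificateFile use the RESULT block describes);
    # a plain HTTPS server does not need ca.crt at all.
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
    #SSLVerifyClient require

    # Assumption: Apache 2.4. Refuse protocol versions that are no longer safe.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Check the syntax with `apache2ctl -t` before the restart, then confirm the chain from a client with `openssl s_client -connect node1.domain.local:443 -CAfile /etc/apache2/ssl.crt/ca.crt`: it should report `Verify return code: 0 (ok)` only when ca.crt is supplied, because nothing outside this host trusts the private CA until its certificate is imported there.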