Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Ubuntu Install OpenSSL     - Detailed installation OpenCV2.3.1 under CentOS 6.5 (Linux)

- Mac OS X 10.9 build Nginx + MySQL + php-fpm environment (Server)

- Linux systems use IP masquerading anti-hacker (Linux)

- libnet list of functions (Programming)

- GitLab installation configuration notes (Linux)

- Calling Qt libraries to implement functional processes of some summary (Programming)

- C ++ pointer of the (error-prone model) (Programming)

- Caffe + Ubuntu 14.04 64bit + CUDA 6.5 configuration instructions (Linux)

- Give your photos Instagram style filters plus program in ubuntu (Linux)

- Linux virtual machine settings network, hostname ssh access (Linux)

- Linux disk virtualization (Linux)

- The Definitive Guide to Linux NAT network connection (Linux)

- Ubuntu 15.04 / 14.04 install Ubuntu After Install 2.6 (Linux)

- C ++ Supplements - malloc free and new delete the same and different (Programming)

- Mounting kit under Fedora Linux (Linux)

- ORA-08102 errors (Database)

- DataGuard Standby backup error RMAN-06820 ORA-17629 to solve (Database)

- Ubuntu 15.10 15.04 14.10 14.04 Install Ubuntu Tweak (Linux)

- RedHat Linux 6 desktop installation (Linux)

- Linux iptables firewall settings to use (Linux)

  Ubuntu Install OpenSSL
  Add Date : 2016-04-17      
  First, OpenSSL brief

OpenSSL is a powerful Secure Sockets Layer library password, include major cryptographic algorithms, key and certificate common package management functions and SSL protocols and provides rich application for testing or other purposes.

SSL is the Secure Sockets Layer (Secure Sockets Layer protocol) acronym secrecy can provide transmission on the Internet. SSL communications enables client / server applications between being the attacker eavesdropping, and always to authenticate the server, you can also choose to authenticate the user. SSL protocol requires the establishment of reliable transport protocol (TCP) above.

Second, install the appropriate software package

$ Sudo apt-get install apache2 ## install Apache

$ Sudo apt-get install openssl ## installed openssl

$ Sudo apt-get install libssl-dev ## openssl installed development libraries

$ Sudo apt-get install bless ## Editor bless hex editor, to be pre-installed

Three, openssl.cnf simple interpretation

$ Vi /usr/lib/ssl/openssl.cnf
127 [req_distinguished_name]
128 countryName = Country Name (2 letter code) ## Country name, two-letter code referred to
129 countryName_default = CN ## is CN China
130 countryName_min = 2
131 countryName_max = 2
Name 133 stateOrProvinceName = State or Province Name (full name) ## states or provinces
134 stateOrProvinceName_default = beijing
136 localityName = Locality Name (eg, city) ## local city name
137 localityName_default = beijing
138 0.organizationName = Organization Name (eg, company) ## organization (company) name
139 0.organizationName_default = beijing www company
145 organizationalUnitName = Organizational Unit Name (eg, section) ## organizational units (departments) name
146 organizationalUnitName_default = www
148 commonName = Common Name (e.g.server FQDN or YOUR name) ## Domain Name Server
149 commonName = www.baidu.com
150 commonName_max = 64
152 #emailAddress = Email Address ## Email Address
153 emailAddress = admin@baidu.com
154 emailAddress_max = 64
156 # SET-ex3 = SET extension number 3
158 [req_attributes]
159 #challengePassword = A challenge password ## Change Password
160 challengePassword =
163 challengePassword_min = 4
164 challengePassword_max = 20

Fourth, a digital certificate authority (CA), and generates a certificate for that CA

1. Copy openssl.cnf configuration file to the current directory and create the following specified in the configuration file subfolders

$ Sudo ln /usr/lib/ssl/openssl.cnf.

$ Mkdir demoCA

$ Cd demoCA

$ Mkdir certs crl newcerts

$ Touch index.txt serial ## index.txt is empty;

## Serial must be written, and is formatted number string (such as 1111)

After these set, you can now create and publish a certificate

2. Generate a self-signed certificate for your CA, which means that the body is to be trusted, and its certificate as a root certificate will

$ Openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

NOTE: Be sure to remember your password entered, file storage command output: ca.key and ca.crt in. File ca.key including CA's private key, which contains a public key certificate ca.crt.

Fifth, for the customer to generate a certificate

Now, we are the root CA, and can provide customers with a signed digital certificate, the client is www.baidu.com.

1. Generate a public / private key pair

$ Openssl genrsa -des3 -out server.key 1024

Note: You need to provide a password to protect your key, which will be stored in the server.key file.

2. Generate a certificate signing request, once the company has a key file, which should generate a certificate signing request (CSR). CSR will be sent to the CA, CA will generate a certificate for the request (usually after the CSR matches the identity information in the confirmation).

$ Openssl req -new -key server.key -out server.csr -config openssl.cnf

Note: Please remember your input

3. Generate certificate. CSR file needs to have constituted the CA's signature certificate (in the real world, CSR files are often sent to a trusted CA-signed). Enter the CA key, using our own CA to generate the certificate:

$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Sixth, the use of PKI in the site

$ Sudo vi / etc / hosts www.baidu.com

2. Start a certificate has previously generated a simple web server

$ Cp server.key server.pem

$ Cat server.crt >> server.pem ## keys and certificates will be merged into one file

$ Openssl s_server -cert server.pem -www ## to start the server using server.pem

3. By default, the server listens on port 4433. Enter https://www.baidu.com:4433

NOTE: Tip This connection is not trusted because our CA is self-signed, like the case of VeriSign CA authorized, then there would not be the situation.

Here you can configure Firefox allows us to accept self-signed (other browsers similar), configured as follows:

Menu ---> Preferences ---> Advanced ---> Certificates ---> View Certificate (Certificate Manager) ---> Import ---> into your configuration openssl directory, select ca.crt-- -> open (download the certificate) ---> check the "trust this CA using the site identified by" ---> OK, and then refresh the Web
- JavaScript common functions summary (Programming)
- SSH service configuration to use a certificate login Linux server (Server)
- To install the iNode client on UbuntuKylin 13.10 (Linux)
- Python console achieve progress bar (Programming)
- Under Linux using Magent + Memcached cache server cluster deployment (Server)
- Top command: the Task Manager under linux (Linux)
- Port Telnet command to detect the remote host is turned on (Linux)
- Read and write files efficiently from Apache Kafka (Server)
- Python basis: os module on the file / directory using methods commonly used functions (Programming)
- Android gets the global process information and the memory used by the process (Programming)
- Linux System Getting Started Tutorial: How to change the default Java version in Linux (Linux)
- How to clear the DNS query cache under Linux / Unix / Mac (Linux)
- MySQL performance view and configure finishing Daquan (Database)
- Profile Linux users login shell and login to read (Linux)
- Nonstandard IMP-00010 error processing one case (Database)
- CentOS 6.5 using Virtualenv under development environment to build Python3 (Linux)
- Ansible installation configuration and simple to use (Server)
- Use Oracle Data Guard to complete cross-platform database migration cases (Database)
- Oracle set the timer task JOB scheduler to execute stored procedures or PL / SQL code block (Database)
- Java class HashSet (Programming)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.