         
  Ubuntu Install OpenSSL
     
  Add Date : 2016-04-17      
         
         
         
First, a brief introduction to OpenSSL

OpenSSL is a powerful Secure Sockets Layer cryptographic library. It includes the major cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and it provides a rich set of applications for testing and other purposes.

SSL is the abbreviation of Secure Sockets Layer, a protocol that provides confidential transmission over the Internet. SSL lets client/server applications communicate without being eavesdropped on by an attacker; it always authenticates the server and can optionally authenticate the user. The SSL protocol must run on top of a reliable transport protocol (TCP).

Second, install the required packages

$ sudo apt-get install apache2 ## install Apache

$ sudo apt-get install openssl ## install openssl

$ sudo apt-get install libssl-dev ## install the openssl development libraries

$ sudo apt-get install bless ## install the bless hex editor in advance

Third, a brief walkthrough of openssl.cnf

$ vi /usr/lib/ssl/openssl.cnf
[req_distinguished_name]
countryName = Country Name (2 letter code) ## country name, as a two-letter code
countryName_default = CN ## CN is China
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name) ## state or province name
stateOrProvinceName_default = beijing

localityName = Locality Name (eg, city) ## city name
localityName_default = beijing
0.organizationName = Organization Name (eg, company) ## organization (company) name
0.organizationName_default = beijing www company

organizationalUnitName = Organizational Unit Name (eg, section) ## organizational unit (department) name
organizationalUnitName_default = www

commonName = Common Name (e.g. server FQDN or YOUR name) ## server domain name
commonName_default = www.baidu.com
commonName_max = 64

emailAddress = Email Address ## email address
emailAddress_default = admin@baidu.com
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[req_attributes]
#challengePassword = A challenge password ## challenge password
challengePassword =

challengePassword_min = 4
challengePassword_max = 20

Fourth, become a certificate authority (CA) and generate a certificate for that CA

1. Copy the openssl.cnf configuration file to the current directory and create the subfolders specified in the configuration file

$ sudo ln /usr/lib/ssl/openssl.cnf .

$ mkdir demoCA

$ cd demoCA

$ mkdir certs crl newcerts

$ touch index.txt serial ## index.txt stays empty;

## serial must be filled in with a number in string format (such as 1111)

$ cd .. ## return to the directory that holds openssl.cnf

Once these are set up, you can create and issue certificates.

2. Generate a self-signed certificate for your CA. This means that the CA is trusted, and its certificate serves as the root certificate.

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

NOTE: Be sure to remember the password you enter. The command's output is stored in two files: ca.key and ca.crt. The file ca.key contains the CA's private key, and ca.crt contains the public-key certificate.

Fifth, generate a certificate for a customer

Now that we are the root CA, we can issue signed digital certificates to customers. Here the customer is www.baidu.com.

1. Generate a public/private key pair

$ openssl genrsa -des3 -out server.key 1024

Note: You need to provide a password to protect your key, which is stored in the server.key file.

2. Generate a certificate signing request (CSR). Once the company has its key file, it should generate a CSR. The CSR is sent to the CA, which generates a certificate for the request (usually after confirming that the identity information in the CSR matches).

$ openssl req -new -key server.key -out server.csr -config openssl.cnf

Note: Remember what you enter.

3. Generate the certificate. The CSR file needs the CA's signature to become a certificate (in the real world, CSR files are usually sent to a trusted CA to be signed). Supply the CA key and use our own CA to generate the certificate:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
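
Added example, not part of the original page: a non-interactive run of sections four and five, followed by two checks worth running before the certificate is deployed, namely that server.crt chains to ca.crt and that it belongs to server.key. Assumptions: a minimal constructed ca.cnf stands in for the stock openssl.cnf, the function names and CA common name are hypothetical, and keys are 2048-bit and unencrypted so that nothing prompts. Its policy_match section mirrors the stock file's default, under which a CSR whose country, state or organization differs from the CA's is refused.

```shell
# Added example: non-interactive CA -> key -> CSR -> certificate run, then checks.
# File names follow the page; function names and the CA subject are constructed.
SUBJ='/C=CN/ST=beijing/O=beijing www company'
demo_pki() (                        # $1 = empty working directory
    cd "$1" || exit 1
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts
    : > demoCA/index.txt            # database of issued certificates, starts empty
    echo 1111 > demoCA/serial       # next serial number, written as hex digits
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -config ca.cnf -subj "$SUBJ/CN=demo root CA" 2>>pki.log &&
    openssl genrsa -out server.key 2048 2>>pki.log &&
    openssl req -new -key server.key -out server.csr -config ca.cnf \
        -subj "$SUBJ/CN=www.baidu.com" 2>>pki.log &&
    openssl ca -batch -notext -days 365 -in server.csr -out server.crt \
        -cert ca.crt -keyfile ca.key -config ca.cnf 2>>pki.log
)
chain_ok() {                        # server.crt must chain to our root
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
key_matches() {                     # certificate and key share one RSA modulus
    [ "$(openssl x509 -in "$1/server.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)" ]
}
D=$(mktemp -d) && demo_pki "$D" && chain_ok "$D" && key_matches "$D" &&
    echo "certificate issued and verified in $D"
```

If a step fails, pki.log in the working directory holds the openssl error output.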

Sixth, use PKI for a website

1. Edit /etc/hosts and add the following entry:

$ sudo vi /etc/hosts

127.0.0.1 www.baidu.com

2. Start a simple web server with the certificate generated earlier

$ cp server.key server.pem

$ cat server.crt >> server.pem ## merge the key and the certificate into one file

$ openssl s_server -cert server.pem -www ## start the server using server.pem

3. By default, the server listens on port 4433. Enter https://www.baidu.com:4433 in the browser.

NOTE: The browser warns that this connection is not trusted because our CA is self-signed. With a certificate issued by a CA such as VeriSign, this warning would not appear.

You can configure Firefox to accept our self-signed CA (other browsers are similar) as follows:

Menu ---> Preferences ---> Advanced ---> Certificates ---> View Certificates (Certificate Manager) ---> Import ---> go to your openssl working directory and select ca.crt ---> Open (download the certificate) ---> check "Trust this CA to identify websites" ---> OK, then refresh the page
     
         
         
         