OpenSSL certificate issuance under Linux

OpenSSL is already part of every Linux distribution, so this post walks through issuing certificates on a Linux system by example. Chrome does not trust a self-issued CA by default, and since Chrome 58 it also refuses a server certificate that carries no subjectAltName (the certificates below set only a CN through -subj), so the self-issued certificates are tested only in Firefox.

1 openssl Certificate Generation Process

Once the certificates are generated, they are converted into a format that Java can use (PKCS#12) and then configured in Tomcat.
Defaults used throughout:

  • CA certificate directory: /srv/ftp/cas
  • Server certificate directory: /srv/ftp/cas/server
  • Client certificate directory: /srv/ftp/cas/client
  • Java truststore directory: /usr/local/tomcat/
  • Passphrase used when generating certificates: hejiejava
  • Virtual domain name:

The commands are fairly long, so the steps are kept as simple as possible: create the directories listed above, then copy and paste each command in turn.

Let's get started.

1.1 ca Server Certificate Generation (Root Certificate)

  • Create a 2048-bit RSA private key for the CA, stored under /srv/ftp/cas

openssl genrsa -out /srv/ftp/cas/cakey.pem 2048

  • Generate the certificate signing request for the root certificate. The -subj distinguished name must carry the domain name as its CN (the full value is cut off in the command below). The virtual domain name can also be mapped in /etc/hosts, because the certificate must be accessed by domain name rather than by IP address.

openssl req -new -key /srv/ftp/cas/cakey.pem -out /srv/ftp/cas/cacert.csr -subj /

  • Self-sign the root certificate, valid for 10 years. Two caveats: -extensions only takes effect together with -extfile, so as written the root certificate gets no X.509 extensions at all (no basicConstraints CA:TRUE); and the signature is made with SHA-256 here, since SHA-1 signatures are deprecated and current browsers reject or warn on them.

openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey /srv/ftp/cas/cakey.pem -in /srv/ftp/cas/cacert.csr -out /srv/ftp/cas/ca.cer

1.2 Server-side Certificate

  • Generate the server key in /srv/ftp/cas/server, encrypted with AES-256 under the passphrase hejiejava (entered at the prompt)

openssl genrsa -aes256 -out /srv/ftp/cas/server/server-key.pem 2048

  • Generate the server CSR; enter the passphrase from the previous step when prompted. The -subj DN must carry the server domain name as its CN.

openssl req -new -key /srv/ftp/cas/server/server-key.pem -out /srv/ftp/cas/server/server.csr -subj /

  • Issue the server certificate from the CA, valid for 10 years (run from the cas directory). -CAserial must name a serial-number file (the file name is cut off here) and -CAcreateserial creates it on first use. As with the root, -extensions v3_req has no effect without -extfile, so the certificate carries no subjectAltName; this is what makes Chrome reject it.

openssl x509 -req -days 3650 -sha256 -extensions v3_req -CA /srv/ftp/cas/ca.cer -CAkey /srv/ftp/cas/cakey.pem -CAserial /srv/ftp/cas/server/ -CAcreateserial -in /srv/ftp/cas/server/server.csr -out /srv/ftp/cas/server/server.cer

1.3 Client Certificate

  • Generate the client key (again AES-256 encrypted, passphrase prompted)

openssl genrsa -aes256 -out /srv/ftp/cas/client/client-key.pem 2048

  • Generate the client CSR (enter the client key passphrase when prompted)

openssl req -new -key /srv/ftp/cas/client/client-key.pem -out /srv/ftp/cas/client/client.csr -subj /

  • Issue the client certificate from the CA. Note -days 365: unlike the server certificate, this one is valid for one year. The same serial file as in the server step is reused.

openssl x509 -req -days 365 -sha256 -CA /srv/ftp/cas/ca.cer -CAkey /srv/ftp/cas/cakey.pem -CAserial /srv/ftp/cas/server/ -in /srv/ftp/cas/client/client.csr -out /srv/ftp/cas/client/client.cer

Note at this point that the certificate is valid only for

1.4 Generating Java Certificates

  • Bundle the client key and certificate into a PKCS#12 file; this file is what gets imported into the client browser. An export password is prompted for (hejiejava here). Tomcat must already be installed for the later steps.

openssl pkcs12 -export -clcerts -name cas-client -inkey /srv/ftp/cas/client/client-key.pem -in /srv/ftp/cas/client/client.cer -out /srv/ftp/cas/client/client.p12

  • Bundle the server key and certificate into a PKCS#12 file; this is the keystore Tomcat will use

openssl pkcs12 -export -clcerts -name cas-server -inkey /srv/ftp/cas/server/server-key.pem -in /srv/ftp/cas/server/server.cer -out /srv/ftp/cas/server/server.p12

  • Import the CA certificate into a truststore, ca-trust.p12, in the Tomcat directory (adjust /usr/local/tomcat to the local Tomcat path). keytool prompts for a keystore password and then asks whether to trust the certificate; answer yes. Two things to watch: -alias needs a name for the entry (the name is missing from the command as shown), and keytool in JDK 8 and earlier creates a JKS file regardless of the .p12 extension unless -storetype pkcs12 is given (JDK 9+ defaults to PKCS12).

keytool -importcert -trustcacerts -alias -file /srv/ftp/cas/ca.cer -keystore /usr/local/tomcat/ca-trust.p12 -storetype pkcs12

  • View the certificate information with keytool

keytool -list -keystore /srv/ftp/cas/client/client.p12 -storetype pkcs12 -v
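The following script is an added example, not the post's own commands: it is a non-interactive version of sections 1.1 to 1.4 that also adds the X.509 extensions the post's commands silently drop (basicConstraints on the CA, subjectAltName and serverAuth on the server certificate, clientAuth on the client certificate) by passing them through -extfile, signs with SHA-256, and checks the result with openssl instead of keytool. It assumes a scratch directory and a made-up host name passed as arguments (the post's own domain name is not shown), the post's passphrase hejiejava, and an OpenSSL 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA, server and
# client issuance with the extensions the post's -extensions flags never add.
# Assumptions: scratch directory and host name are passed in; passphrase is
# the post's "hejiejava"; openssl is on PATH.
set -eu

PASS=hejiejava

# Build CA, server and client credentials under $1 for server name $2.
make_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir/server" "$dir/client"

    # 1.1 root CA: key, CSR, self-signed cert with basicConstraints CA:TRUE.
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/cakey.pem" -out "$dir/cacert.csr" \
        -subj "/CN=Test Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/ca.ext" \
        -signkey "$dir/cakey.pem" -in "$dir/cacert.csr" -out "$dir/ca.cer" 2>/dev/null

    # 1.2 server: AES-256 encrypted key, CSR, CA-signed cert with a SAN
    # (Chrome requires the SAN; a CN alone is not accepted).
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$dir/server/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server/server-key.pem" -passin "pass:$PASS" \
        -out "$dir/server/server.csr" -subj "/CN=$host"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server/server.ext"
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/server/server.ext" \
        -CA "$dir/ca.cer" -CAkey "$dir/cakey.pem" \
        -CAserial "$dir/ca.srl" -CAcreateserial \
        -in "$dir/server/server.csr" -out "$dir/server/server.cer" 2>/dev/null

    # 1.3 client: same shape, one-year validity, clientAuth EKU, same serial file.
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$dir/client/client-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/client/client-key.pem" -passin "pass:$PASS" \
        -out "$dir/client/client.csr" -subj "/CN=cas-client"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client/client.ext"
    openssl x509 -req -days 365 -sha256 -extfile "$dir/client/client.ext" \
        -CA "$dir/ca.cer" -CAkey "$dir/cakey.pem" -CAserial "$dir/ca.srl" \
        -in "$dir/client/client.csr" -out "$dir/client/client.cer" 2>/dev/null

    # 1.4 PKCS#12 bundles: server.p12 for Tomcat, client.p12 for the browser.
    openssl pkcs12 -export -name cas-server -passin "pass:$PASS" \
        -inkey "$dir/server/server-key.pem" -in "$dir/server/server.cer" \
        -out "$dir/server/server.p12" -passout "pass:$PASS"
    openssl pkcs12 -export -name cas-client -passin "pass:$PASS" \
        -inkey "$dir/client/client-key.pem" -in "$dir/client/client.cer" \
        -out "$dir/client/client.p12" -passout "pass:$PASS"
}

# Exit 0 only if both leaf certificates chain to the CA under $1.
verify_pki() {
    openssl verify -CAfile "$1/ca.cer" "$1/server/server.cer" >/dev/null &&
    openssl verify -CAfile "$1/ca.cer" "$1/client/client.cer" >/dev/null
}

# Exit 0 if the decoded text of certificate $1 contains pattern $2.
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Exit 0 if PKCS#12 file $1 opens with $PASS and holds a certificate.
p12_has_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
    grep -q 'BEGIN CERTIFICATE'
}

# Stand-alone usage: sh make-pki.sh /tmp/cas cas.example.test
if [ $# -eq 2 ]; then
    make_pki "$1" "$2" && verify_pki "$1" && echo "chain OK under $1"
fi
```

The interactive passphrase prompts of the post become -passin/-passout so the whole thing can run unattended; the ca.cer it produces can still be imported with the keytool command above. With the subjectAltName in place, Chrome accepts the server certificate too once the CA is trusted by the operating system, which is the difference the post works around by testing in Firefox.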

1.5 Configure authentication under tomcat's conf file

Configure the HTTPS connector in server.xml under Tomcat's conf directory:

  • Change the HTTP connector port in conf/server.xml to 80
  • Paste one of the following connectors, one-way or two-way authentication, into server.xml. Test one-way authentication first; an example follows below.

1.5.1 One-way Authentication

keystoreFile is the path to the server PKCS#12 file from 1.4 and keystorePass its export password.

<Connector port="443" protocol="HTTP/1.1"
 maxThreads="150" SSLEnabled="true"
 scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
 keystoreFile="/srv/ftp/cas/server/server.p12"
 keystoreType="pkcs12" keystorePass="hejiejava" />

1.5.2 Bidirectional Authentication

clientAuth="true" makes Tomcat require a client certificate on every connection; truststoreFile points at the ca-trust.p12 truststore built in 1.4 so that client certificates issued by that CA are accepted (the truststore password is assumed to be the same hejiejava given to keytool).

<Connector port="443" protocol="HTTP/1.1"
 maxThreads="150" SSLEnabled="true"
 scheme="https" secure="true"
 clientAuth="true" sslProtocol="TLS"
 keystoreFile="/srv/ftp/cas/server/server.p12"
 keystoreType="pkcs12" keystorePass="hejiejava"
 truststoreFile="/usr/local/tomcat/ca-trust.p12"
 truststoreType="pkcs12" truststorePass="hejiejava" />

2 Single Certification Tests

2.1 Restart tomcat

  • After editing the Tomcat configuration, restart Tomcat from its bin directory:

./shutdown.sh
./startup.sh

2.2 Setting up Virtual Domain Name in windows

Then map the virtual domain name on the Windows host:
Path: C:\Windows\System32\drivers\etc
Edit the hosts file, adding a line with the virtual machine's IP address and the virtual domain name:

2.3 Setting up Certificate Authentication of Firefox Browser

  • Copy the files generated on Linux (ca.cer, and client.p12 for two-way authentication) to the local machine
  • Import them into Firefox's certificate manager: ca.cer under Authorities, client.p12 under Your Certificates

  • Tick all trust options for the imported CA!

After that, https access to the virtual machine configured above works.

After completing the above operation, the certificate has been issued successfully.

Keywords: Operation & Maintenance ftp Tomcat OpenSSL Linux

Added by chrispos on Tue, 14 May 2019 20:00:37 +0300