sh Manual-ssl-cert-config-in server


==========================
SETUP
==========================

// https://www.sslshopper.com/ssl-checker.html - use this to check whether the SSL certificate is installed properly or not.

Prerequisite - Apache (httpd)

// installs the SSL module (mod_ssl) for Apache
	."yum install mod_ssl"

=============
Download your SSL certificates before you go further (from wherever you bought the SSL certificate for the domain name).
=============

// point the domain at the server's IP in the DNS settings of the registrar you bought the domain from.
 	."GO to DNS in the website where you bought the domain and point the domain to the server IP"


// place all the certificates in a directory on the server.
	."mostly place them in /certs" - (/certs does not exist by default; create it, and keep the private key file mode 600 so only root can read it)

// create empty directories in the below path, one for placing your index.html file and another for logs.
	."first create a directory in /var/www/html/us-test" - this is an example; replace "us-test" with your own directory name
	."then create a directory in /var/www/html/logs" - create a log directory to store logs.

	."create a dummy index.html file with some sample page in the newly created directory in the above path."

// now cd into the httpd/conf directory to add a new <VirtualHost>
	."cd /etc/httpd/conf" - do ls after this, which lists all the files in the directory
	."nano httpd.conf" - open the file with nano
// add the below virtualhost block to configure the port-80 site for your domain name ("#" lines are Apache comments and may stay in the file)
	# replace with your domain name, without www.
	<VirtualHost test-upfront-security.com:80>
		# point to the root directory of the website.
		DocumentRoot "/var/www/html/us-test"
		# give the domain name again in the server name.
		ServerName test-upfront-security.com
		# give this only if you have an SSL certificate installed; it sends every
		# plain-http request over to the https site.
		Redirect / https://www.test-upfront-security.com
		# point to the website root directory created in the above step.
		<Directory "/var/www/html/us-test">
			# "allow from all" is the old httpd 2.2 syntax; "Require all granted" is the 2.4 equivalent
			allow from all
			Options None
			Require all granted
		</Directory>
	</VirtualHost>


// now edit the SSL configuration file that mod_ssl installed.
   ."nano /etc/httpd/conf.d/ssl.conf"

// create a new virtualhost block with the below code ("#" lines are Apache comments and may stay in the file)
	<VirtualHost test-upfront-security.com:443>
		SSLEngine on
		# point to your SSL certificate file.
		SSLCertificateFile /certs/test-upfront-security.com.crt
		# point to your SSL key file. Keep it mode 600 and owned by root; httpd reads it
		# as root at startup before the worker processes drop privileges.
		SSLCertificateKeyFile /certs/test-upfront-security-key.txt
		# point to your SSL bundle file. Note: SSLCACertificateFile is only consulted when
		# verifying client certificates; it does not send intermediates to browsers.
		SSLCACertificateFile /certs/test-upfront-security.com.intreme.crt
		# point to your chain file. This is what sends the intermediate certificates to
		# clients (on httpd 2.4.8+ you may instead append them to SSLCertificateFile).
		SSLCertificateChainFile /certs/test-upfront-security.com.chain.crt

		ServerAdmin info@test-upfront-security.com
		ServerName www.test-upfront-security.com
		DocumentRoot /var/www/html/us-test
		ErrorLog /var/www/html/logs/error.log
		CustomLog /var/www/html/logs/access.log combined
	</VirtualHost>


// open the https port (443) in the firewall
	."firewall-cmd --zone=public --permanent --add-service=https"
	."firewall-cmd --reload" - reloads the firewall so the new rule takes effect

// restart Apache to make all the changes available (run "apachectl configtest" first to catch typos in the config before the restart).
	."systemctl restart httpd"

useful links:
https://www.linode.com/docs/security/ssl/ssl-apache2-centos/
https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7


==========================
TROUBLESHOOTING
==========================

PKCS #1 (the key file looks like this)
-----BEGIN RSA PRIVATE KEY-----
some large data chunk
-----END RSA PRIVATE KEY-----

PKCS #8 (the key file looks like this)
-----BEGIN PRIVATE KEY-----
some large data chunk
-----END PRIVATE KEY-----

# Convert PKCS #8 to PKCS #1 - Apache requires PKCS #1 key format
# (on OpenSSL 3.x add "-traditional", otherwise "openssl rsa" writes PKCS #8 again)
openssl rsa -in <some-name-key.txt> -out <some-name.pem>

Troubleshoot "Unable to load key" error:
- copy the txt file content into a new file and retry (this usually drops stray Windows line endings or an invisible BOM from the vendor's file).
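A pre-flight script for the two places above where mistakes only surface at restart time: the file paths in ssl.conf (the key must belong to the certificate, the chain must verify it, and the key must not be group/world readable) and the PKCS #1 / PKCS #8 header that the "Unable to load key" fix is about. This is an added example, not from the original notes; it assumes the openssl CLI is installed and that the file paths are passed as arguments (the check-ssl.sh name is a placeholder).

```shell
#!/bin/sh
# Pre-flight check for the key/cert files referenced from ssl.conf.
# Added example, not part of the original notes; assumes the openssl CLI
# (1.1 or 3.x) is installed and that the file paths are passed as arguments.
#
#   key_format KEY              -> prints pkcs1 | pkcs8 | unknown
#   check_pair KEY CERT [CHAIN] -> 0 when KEY belongs to CERT, CERT verifies
#                                  against CHAIN (if given) and KEY is not
#                                  group/world readable; non-zero otherwise

key_format() {
    # The PEM header is what the "Unable to load key" troubleshooting hinges on:
    # PKCS #1 says "RSA PRIVATE KEY", PKCS #8 says plain "PRIVATE KEY".
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs1
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs8
    else echo unknown
    fi
}

check_pair() {
    key=$1; cert=$2; chain=$3
    # Compare public keys: a key that does not match the certificate makes
    # httpd refuse to start, so catch it before "systemctl restart httpd".
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot load $key (format: $(key_format "$key"))"; return 2; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot load certificate $cert"; return 2; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert"; return 1
    fi
    # Optional: does the intermediate/chain bundle actually verify the cert?
    if [ -n "$chain" ] && ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "CHAIN: $cert does not verify against $chain"; return 1
    fi
    # The key is a plain file under /certs; it must not be readable by others.
    perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $perm in
        *00) ;;
        *) echo "PERMS: $key is mode $perm, expected 600"; return 3 ;;
    esac
    echo "OK: $key matches $cert ($(key_format "$key") key)"
}

# Usage: sh check-ssl.sh /certs/site-key.txt /certs/site.crt /certs/site.chain.crt
if [ $# -ge 2 ]; then
    check_pair "$@"
fi
```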

# Convert PKCS #8 key & SSL certificate to PFX format - required by Spring Boot
# (openssl pkcs12 -export reads the concatenated PEM from stdin when no -in is given, and prompts for an export password)
cat <some-name.key> <some-name.crt> | openssl pkcs12 -export -out <some-name.pfx>

# Extract the decrypted private key and certificate from a PFX file
openssl pkcs12 -in file.pfx -out file.pem -nodes

# Extract only the decrypted private key from a PFX file
openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes

# Extract only the certificate from a PFX file
openssl pkcs12 -in myfile.pfx -nokeys -out certificate.crt

# Generate a PFX file
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in certificate.pem -certfile ca-chain.pem

# Convert PFX to a JKS file (passwords given on the command line end up in shell history; keytool prompts for them if the -storepass options are left out)
keytool -importkeystore -srckeystore gen-cert.pfx -srcstoretype pkcs12 -srcstorepass Sagar123# -srcalias 1 -destkeystore gen-cert.jks -deststoretype jks -deststorepass Sagar123# -destalias sagar

# Add a cert to a JKS file
keytool -import -trustcacerts -alias root -file ca-bundle.pem -keystore gen-cert.jks

keytool -importcert -alias digid -keystore gen-cert.jks -file digid-idp.cer

# Remove a cert from a JKS file
keytool -delete -alias aliasToRemove -keystore keystoreCopy.jks
