vim /etc/ssl/openssl.cnf

[ ca ]
default_ca = CA # The default ca section
[ CA ]
dir = /usr/abills/Certs/ # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/CA/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crl = $dir/CA/ca.crl # The current CRL
private_key = $dir/CA/ca.key # The private key
x509_extensions = usr_cert              
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_md = sha1
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = UA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = IF
localityName = Locality Name (eg, city)
localityName_default = city
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Org_name
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test
emailAddress_max = 64

[ server ]
basicConstraints=CA:FALSE
nsCertType                      = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ client ]
basicConstraints=CA:FALSE
nsCertType = client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsCertType = sslCA

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

cd /usr/abills/Certs/ mkdir CA mkdir server mkdir user

echo «01» > serial touch index.txt

Стоврюємо сертифікат організації Стоврюємо ключ і самопідписаний СА сертифікат

openssl genrsa –rand /var/log/messages -out ./CA/ca.key -camellia256 2048

openssl req -new -key ./CA/ca.key -out ./CA/ca.csr

openssl x509 -req -signkey ./CA/ca.key -in ./CA/ca.csr -extfile /etc/ssl/openssl.cnf -out ./CA/ca.crt

Перевірка

openssl x509 -in ca.crt -text

Тепер стоврюємо сертифікат сервера

openssl genrsa -rand /var/log/messages -out ./server/freebsd.local.com.key -camellia256 2048

COMMON NAME вводимо ДНС ім'я серверу Пароль той самий що і для приватного ключа freebsd.local.com.key

openssl req -new -key ./server/freebsd.local.com.key -config /etc/ssl/openssl.cnf  -out ./server freebsd.local.com.csr

і підписуємо його сертифікатом організації

openssl ca -in ./server/freebsd.local.com.csr -cert ./CA/ca.crt -keyfile ./CA/ca.key -out ./server/freebsd.local.com.crt -config /etc/ssl/openssl.cnf -days 365

Стоврюємо сертифікат клієнта

openssl genrsa -rand /var/log/messages -out ./user/client.key -camellia256 2048

openssl req -new -key /user/client.key -out ./user/client.csr

і підписуємо його сертифікатом організації

openssl ca -in ./user/client.csr -cert ./CA/ca.crt -keyfile ./CA/ca.key -out ./user/client.crt -extensions client -config /etc/ssl/openssl.cnf

Експортуємо в формат читаємий IE, Mozilla ,…

openssl pkcs12 -export -clcerts -in ./user/client.crt -inkey ./user/client.key -out ./user/client.p12

або

openssl pkcs12 -export -clcerts -in ./user/certificates/client.crt -inkey ./user/keys/client.key -out ./user/certificates/client.p12 -name "test certificate"

Копіюємо файл client.p12 на комп'ютер клієнта

Редагуємо конфіг /usr/abills/misc/apache/abills_httpd.conf

Вставляємо між <IfModule ssl_module> </IfModule ssl_module>

<Location /admin>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>

Змінюємо шлях до сертифікатів

SSLCertificateFile     /usr/abills/Certs/server/freebsd.local.com.crt
SSLCertificateKeyFile  /usr/abills/Certs/server/freebsd.local.com.key
SSLCACertificateFile    /usr/home/pigich/SSL/CA/ca.crt

Перезапускаємо веб-сервер

/usr/local/etc/rc.d/apache22 restar

дивимось лог помилок

Добавляємо сертифікат на стороні клієнта

Для для роботи в Internet Explorer, GoogleChrome запускаємо freebsd.local.com.p12

Для Mozilla FireFox