neenadthite / TLS

TLS

Step 1: Generate the CA files serverca.crt and servercakey.pem. The CA key is what signs the server and client certificates.

linux_commands/TLS_certificate$ openssl genrsa -out servercakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................................+++++
.............................................................+++++
e is 65537 (0x010001)

linux_commands/TLS_certificate$ openssl req -new -x509 -key servercakey.pem -out serverca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Step 2: Create the server private key (server.key) and certificate (server.crt)

linux_commands/TLS_certificate$ openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
...........+++++
e is 65537 (0x010001)

linux_commands/TLS_certificate$ openssl req -new -key server.key -out server_reqout.txt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
linux_commands/TLS_certificate$ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt
Signature ok
subject=C = AU, ST = Some-State, O = test
Getting CA Private Key

Step 3: Create the client private key (client.key) and certificate (client.crt)

linux_commands/TLS_certificate$ openssl genrsa -out client.key
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................+++++
.......+++++
e is 65537 (0x010001)

linux_commands/TLS_certificate$ openssl req -new -key client.key -out client_reqout.txt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

linux_commands/TLS_certificate$ openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out client.crt
Signature ok
subject=C = AU, ST = Some-State, O = test
Getting CA Private Key

Step 4: Set file permissions

linux_commands/TLS_certificate$ chmod 700 server.crt server.key
linux_commands/TLS_certificate$ chmod 700 client.crt client.key

Step 5: Create a .pfx file for the browser

linux_commands/TLS_certificate$ openssl pkcs12 -export -in client.crt -inkey client.key -out myPrivateCert.pfx
Enter Export Password:
Verifying - Enter Export Password:

Step 6: Create the .pem files used by the web server configuration

linux_commands/TLS_certificate$ cat server.key server.crt > server.pem
linux_commands/TLS_certificate$ cat client.key client.crt > client.pem
linux_commands/TLS_certificate$ ls
client.crt client.pem myPrivateCert.pfx servercakey.pem server.crt server.pem
client.key client_reqout.txt serverca.crt serverca.srl server.key server_reqout.txt

Step 7: Server and client configuration

Server configuration: add the paths of server.pem and client.pem to the web server's configuration file on the server, i.e. lighttpd.conf in our case, as follows:

SSL engine

ssl.engine = "enable"
ssl.pemfile = "/home/TLS_cert/server/server.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
ssl.ca-file = "/home/TLS_cert/client/client.pem"
ssl.verifyclient.depth = 2
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

The lighttpd.conf file is also uploaded in this repo.

Client configuration: import the myPrivateCert.pfx file into the browser through which we are going to access the webpage.

NOTE: Please make sure to use "https://" before the URL of the server.
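The same procedure (steps 1 to 3 and 5) scripted without the interactive prompts, followed by the chain check a server performs on a presented client certificate in step 7. This is an added example and not code from the neenadthite/TLS repo; it assumes `openssl` (1.1.1 or 3.x) is on PATH, and every `-subj` value, the CN "Example Test CA", the host names and the export password "changeit" are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the neenadthite/TLS repo: non-interactive version
# of steps 1-3 and 5, plus the chain check behind step 7. Assumes `openssl`
# (1.1.1 or 3.x) is on PATH. All -subj values and the export password
# "changeit" are constructed placeholders.
set -e

# make_test_pki DIR: build serverca.crt/servercakey.pem, server.key/server.crt,
# client.key/client.crt and myPrivateCert.pfx under DIR, using the same file
# names as the page. Runs in a subshell so the caller's cwd is left untouched.
make_test_pki() (
    mkdir -p "$1"
    cd "$1"

    # Step 1: CA private key and self-signed CA certificate. -subj replaces the
    # interactive DN prompts; -x509 makes the output a certificate, not a CSR.
    openssl genrsa -out servercakey.pem 2048 2>/dev/null
    openssl req -new -x509 -key servercakey.pem -days 3650 -sha256 \
        -subj "/O=test/CN=Example Test CA" -out serverca.crt

    # Steps 2 and 3: for server and client, a private key, a CSR and a
    # certificate signed by the CA (the x509 -req flags match the page).
    for name in server client; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null
        openssl req -new -key "$name.key" \
            -subj "/O=test/CN=$name.example.test" -out "${name}_reqout.txt"
        openssl x509 -req -in "${name}_reqout.txt" -days 3650 -sha256 \
            -CAcreateserial -CA serverca.crt -CAkey servercakey.pem \
            -out "$name.crt" 2>/dev/null
        chmod 600 "$name.key"   # owner read/write only; keys need no execute bit
    done

    # Step 5: PKCS#12 bundle (client key + certificate) for import into a browser.
    openssl pkcs12 -export -in client.crt -inkey client.key \
        -passout pass:changeit -out myPrivateCert.pfx
)

# verify_against_ca DIR NAME: exit 0 if DIR/NAME.crt chains to DIR/serverca.crt.
# This is the check a server with client verification enabled makes against
# its trust file for every certificate a client presents.
verify_against_ca() {
    openssl verify -CAfile "$1/serverca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_issuer_cn DIR NAME: print the issuer CN of DIR/NAME.crt.
cert_issuer_cn() {
    openssl x509 -in "$1/$2.crt" -noout -issuer | sed 's/.*CN *= *//'
}

# Stand-alone run: `sh tls_example.sh run` builds ./tls_example and reports.
if [ "${1:-}" = "run" ]; then
    make_test_pki ./tls_example
    verify_against_ca ./tls_example server && echo "server.crt: chains to CA"
    verify_against_ca ./tls_example client && echo "client.crt: chains to CA"
    echo "client.crt issuer CN: $(cert_issuer_cn ./tls_example client)"
fi
```

The trust file a server uses to verify client certificates (ssl.ca-file in the lighttpd configuration above) needs only the CA certificate, which is why `verify_against_ca` checks against serverca.crt; the client.pem produced in step 6 also contains client.key, and a private key does not belong in a file deployed as a trust store.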
