SERVER.CRT
1. Modify X509v3 Extended Key Usage
vim /etc/ssl/dsa-prodisserver-ca/prodisserver.config
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
->
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
2. Back up the old certificates
mkdir -p /root/certrequest/oldServercerts
mkdir -p /root/certrequest/newCerts
cd /root/certrequest/
rsync -avP --exclude=ssl.prm --exclude=ssl.crl /etc/apache2/ssl.* /root/certrequest/oldServercerts
3. Inspect the old crt
openssl x509 -in /etc/apache2/ssl.crt/server.crt -noout -text | less
4. Generate the csr
'/C=CN/ST=SH/L=YiZheng/O=CSVW/CN=UPS-YIZHENG1.csvw.com/emailAddress=wangjiashan@csvw.com'
The subject fields must match the old crt inspected in the previous step.
create-server-cert -W -a -d 'anet:rsync:pki:pkipass' -s '/C=CN/ST=SH/L=YiZheng/O=CSVW/CN=UPS-YIZHENG1.csvw.com/emailAddress=wangjiashan@csvw.com' -k /root/certrequest/ -c /root/certrequest/
5. Check the csr and save it to /root/certrequest/
openssl req -text -noout -in /etc/apache2/ssl.csr/server.csr | less
openssl req -modulus -noout -in /etc/apache2/ssl.csr/server.csr | openssl md5
openssl rsa -modulus -noout -in /root/certrequest/server.key | openssl md5
rsync -avP /etc/apache2/ssl.csr/server.csr /root/certrequest/
6. Retrieve the csr & key
- [ ] /root/certrequest/server.csr
- [ ] /root/certrequest/server.key
7. Convert the format of the issued certificate
The file the customer sends back may be xxxx.cer_ (DER); convert it before putting it back.
openssl x509 -inform DER -in server.cer -out server.crt
8. Copy server.crt back to the server
rsync -avP server.crt /root/certrequest/newCerts
rsync -avP /root/certrequest/server.key /root/certrequest/newCerts
9. Verify that the certificate is correct
openssl x509 -modulus -noout -in /root/certrequest/newCerts/server.crt | openssl md5
openssl rsa -modulus -noout -in /root/certrequest/newCerts/server.key | openssl md5
openssl verify -CAfile /etc/apache2/ssl.crt/server-chain.crt /root/certrequest/newCerts/server.crt
10. Copy the certificate to the target path
cp /root/certrequest/newCerts/server.crt /etc/apache2/ssl.crt/server.crt
cp /root/certrequest/newCerts/server.key /etc/apache2/ssl.key/server.key
11. Set the file permissions of server.key and server.crt
chmod 644 /etc/apache2/ssl.crt/server.crt
chown root:root /etc/apache2/ssl.crt/server.crt
chmod 644 /etc/apache2/ssl.key/server.key
chown root:root /etc/apache2/ssl.key/server.key
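Added example, not part of the runbook: a POSIX shell check that bundles the modulus comparison and chain verification of step 9 with a check that the Extended Key Usage of the new certificate carries the clientAuth added in step 1, so a certificate issued from an unchanged config is rejected before it is installed. The throwaway CA and the names demo-ca, demo-server and make_demo_pki are constructed for the demo and are not the production CA.

```shell
#!/bin/sh
# Added example (not from the runbook): pre-install checks for a renewed server.crt.
# check_server_cert CERT KEY CHAIN returns 0 only when
#   (1) the private key matches the certificate (modulus digest, as in step 9),
#   (2) the certificate verifies against the CA chain file (step 9),
#   (3) extendedKeyUsage contains both serverAuth and clientAuth (the change from step 1).
check_server_cert() {
  cert=$1; key=$2; chain=$3
  cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl md5)
  kmod=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null | openssl md5)
  if [ -z "$cmod" ] || [ "$cmod" != "$kmod" ]; then
    echo "FAIL: private key does not match certificate" >&2; return 1
  fi
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to $chain" >&2; return 2
  fi
  text=$(openssl x509 -noout -text -in "$cert")
  # openssl prints serverAuth/clientAuth under "X509v3 Extended Key Usage" as these names
  for usage in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    if ! printf '%s\n' "$text" | grep -q "$usage"; then
      echo "FAIL: extendedKeyUsage lacks $usage" >&2; return 3
    fi
  done
  return 0
}

# Constructed throwaway PKI (hypothetical names, not the production CA) in directory $1:
# one cert issued with serverAuth+clientAuth, one with serverAuth only.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-server' \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n' >"$d/both.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' >"$d/srv.ext"
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/both.ext" -out "$d/server.crt" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/server-only.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  check_server_cert "$tmp/server.crt" "$tmp/server.key" "$tmp/ca.crt" && echo "server.crt OK"
  check_server_cert "$tmp/server-only.crt" "$tmp/server.key" "$tmp/ca.crt" || echo "server-only.crt rejected"
  rm -rf "$tmp"
fi
```

Against the real files the call is check_server_cert /root/certrequest/newCerts/server.crt /root/certrequest/newCerts/server.key /etc/apache2/ssl.crt/server-chain.crt.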
12. Update /etc/ssl/prodis/haproxy.pem
Find the section that belongs to the end-entity (server) certificate and replace it with the current certificate.
13. Restart components
systemctl restart httpd
systemctl restart haproxy-act
13. Test
You can try
anetecho DATE
or ask the application colleagues whether it works for them.
14. Sync to hostb & hostc
rsync -avP /etc/apache2/ssl.crt/server.crt hostb:/etc/apache2/ssl.crt/server.crt
rsync -avP /etc/apache2/ssl.crt/server.crt hostc:/etc/apache2/ssl.crt/server.crt
rsync -avP /etc/apache2/ssl.key/server.key hostb:/etc/apache2/ssl.key/server.key
rsync -avP /etc/apache2/ssl.key/server.key hostc:/etc/apache2/ssl.key/server.key
rsync -avP /etc/ssl/prodis/haproxy.pem hostb:/etc/ssl/prodis/haproxy.pem
rsync -avP /etc/ssl/prodis/haproxy.pem hostc:/etc/ssl/prodis/haproxy.pem
15. Restart httpd on hostb & hostc
ssh hostb "systemctl restart httpd && echo ok"
ssh hostc "systemctl restart httpd && echo ok"
16. Final verification
anetecho
curl -vvv --cert /etc/ssl/clientcerts/client.crt --key /etc/ssl/private/client.key --cacert /export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem --request POST --data-raw 'DATE' 'https://anet.CHA7.faw-vw.in'
openssl s_client -connect anet.cha7.faw-vw.in:443 -key /etc/ssl/private/client.key -cert /etc/ssl/clientcerts/client.crt
EXTRA 1: Change the recipient of the certificate-expiry notification
vim /etc/prodis/dsa-prodisserver-ca.ini
[mail]
loglevel=0
mailaddress=
subject="Ablaufendes Zertifikat gefunden"
->
[mail]
loglevel=1
mailaddress=<the mail address on the .crt>
subject="Ablaufendes Zertifikat gefunden"
EXTRA 2: Certificate locations
server:
/etc/apache2/ssl.crt/server.crt
/etc/apache2/ssl.crt/server-chain.crt
/etc/ssl/clientcerts/dsa-prodisserver-ca.pem
/etc/pki/trust/anchors/dsa-prodisserver-ca.pem
/export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem
client:
/etc/ssl/clientcerts/client.crt
/etc/ssl/private/client.key
/etc/pki/trust/anchors/dsa-prodisserver-ca.pem
/export/boot/global/default/etc/ssl/certs/client.crt
/export/boot/global/default/etc/ssl/private/client.key
/export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem
rsync -avP /etc/ssl/prodis/haproxy.pem
Creating an svn certificate
On HOSTC
1. Create the CSR, the self-signed certificate (public key) and the private key
create-client-cert -n <username>
2. Create the p12
Case 1: issued by the customer
Submit /etc/ssl/clientcerts/<username>.csr
After receiving the cer, extract the end-entity certificate, save it as a crt file in x509 (PEM) form and transfer it back to the server under /etc/ssl/clientcerts/
Case 2: self-signed
/etc/ssl/clientcerts/<username>.crt
/etc/ssl/private/<username>.key
openssl pkcs12 -export -out /etc/ssl/clientcerts/<username>.p12 -inkey /etc/ssl/private/<username>.key -in /etc/ssl/clientcerts/<username>.crt
Retrieve /etc/ssl/clientcerts/<username>.p12
rsync -avP /etc/ssl/clientcerts/*.p12 /data/tmp/
Follow-up steps
vim /data/svn/conf/authz
[groups]
svnusers = svnsync,<username>
/usr/bin/htpasswd2 -b /data/svn/conf/svnuser.conf <username> password
FAZIT CERTS
1. Copy private key and certificates
cp -p /etc/apache2/ssl.key/server.key /etc/ssl/prodis/fazitcon.key
cp -p /etc/apache2/ssl.crt/server.crt /etc/ssl/prodis/fazitcon.crt
2. Save the root and intermediate certificates
Find the root and intermediate certificate sections in /etc/ssl/prodis/haproxy.pem and save each of them as a separate file.
e.g.:
VW-CA-ROOT-05.crt
VW-CA-PROC-09.crt
3. Keystore
/opt/mqm/bin/runmqakm -keydb -create -db fazitcon.kdb -pw dsa677 -stash
chgrp ssl-cert fazitcon.{kdb,rdb,sth,crl}
chmod 0640 fazitcon.{kdb,rdb,sth,crl}
import client-cert and private-key
openssl pkcs12 -export -inkey fazitcon.key -in fazitcon.crt -name fazitcon -out fazitcon.p12 -passout pass:dsa000
/opt/mqm/bin/runmqakm -cert -import -new_label ibmwebspheremqprodis -type pkcs12 -file fazitcon.p12 -pw dsa000 -target fazitcon.kdb -target_type cms -target_pw dsa677
rm -f fazitcon.p12
add CA-certs to keystore
/opt/mqm/bin/runmqakm -cert -add -db fazitcon.kdb -label VW-CA-PROC-09 -file VW-CA-PROC-09.crt -stashed
/opt/mqm/bin/runmqakm -cert -add -db fazitcon.kdb -label VW-CA-ROOT-05 -file VW-CA-ROOT-05.crt -stashed
list keystore
/opt/mqm/bin/runmqakm -cert -list -db fazitcon.kdb -stashed
The content should look like:
Certificates found
* default, - personal, ! trusted, # secret key
!	VW-CA-PROC-08
!	VW-CA-ROOT-05
-	ibmwebspheremqprodis
systemctl restart fazitcon-act
available logs:
- fazitrcvd.lg0
- /home/prodis/IBM/MQ/data/errors/AMQERR01.LOG
- fazitsndd.lg0
- fazitconshow -A
4. Transfer of configuration to passive server
- /etc/ssl/prodis/fazitcon.key
- /etc/ssl/prodis/fazitcon.crt
- /etc/ssl/prodis/fazitcon.kdb
- /etc/ssl/prodis/fazitcon.rdb
- /etc/ssl/prodis/fazitcon.sth
- /etc/ssl/prodis/fazitcon.crl
- /etc/prodis/mqsq.ini
- /etc/prodis/mqsq-notls.ini
- /etc/prodis/mqsq-tls.ini
- /home/prodis/IBM/MQ/data/mqclient.ini