SERVER.CRT

1. 修改X509v3 Extended Key Usage

vim /etc/ssl/dsa-prodisserver-ca/prodisserver.config
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
->
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

2. 备份旧证书

# Keep a copy of everything Apache currently serves before any file is
# replaced; the parameter (ssl.prm) and CRL (ssl.crl) directories are left out.
mkdir -p /root/certrequest/{oldServercerts,newCerts}
cd /root/certrequest/
rsync -avP --exclude=ssl.prm --exclude=ssl.crl /etc/apache2/ssl.* /root/certrequest/oldServercerts

3. 观察旧crt

# Dump the certificate currently in use; its Subject and extensions are the
# reference for the CSR generated in step 4.
openssl x509 -noout -text -in /etc/apache2/ssl.crt/server.crt | less

4. 生成csr

'/C=CN/ST=SH/L=YiZheng/O=CSVW/CN=UPS-YIZHENG1.csvw.com/emailAddress=wangjiashan@csvw.com' 部分需与上一步观察到的旧 crt 保持一致

# Generate the new key and CSR with the project tool. The -s subject has to
# match the Subject of the old certificate dumped in step 3; the key ends up
# at /root/certrequest/server.key (step 5 reads it from there).
# NOTE(review): the -d argument looks like a credential spec ('pkipass') —
# confirm what it carries before running this in a shared or logged session.
create-server-cert -W -a -d 'anet:rsync:pki:pkipass' -s '/C=CN/ST=SH/L=YiZheng/O=CSVW/CN=UPS-YIZHENG1.csvw.com/emailAddress=wangjiashan@csvw.com' -k /root/certrequest/ -c /root/certrequest/

5. 检查csr并保存至/root/certrequest/

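# Inspect the CSR, then prove it belongs to the key that stays on this host:
# the two MD5 digests of the modulus must be identical. Options are written
# in single-dash form because OpenSSL 1.0.x rejects the `--noout` spelling;
# the duplicate `-text` of the original first line is dropped.
openssl req -noout -text -in /etc/apache2/ssl.csr/server.csr | less
openssl req -noout -modulus -in /etc/apache2/ssl.csr/server.csr | openssl md5
openssl rsa -noout -modulus -in /root/certrequest/server.key | openssl md5
rsync -avP /etc/apache2/ssl.csr/server.csr /root/certrequest/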

6. 取回csr&key

  • [ ] /root/certrequest/server.csr
  • [ ] /root/certrequest/server.key

7. 签发后证书转格式

客户发回的文件可能为 xxxx.cer（DER 格式），需要转换格式后再放回。

# Convert the DER-encoded certificate returned by the CA into PEM, the form
# Apache and the rest of this runbook expect.
openssl x509 -inform DER -outform PEM -in server.cer -out server.crt

8. 将server.crt复制回服务器

# Stage the signed certificate next to the key it was issued for.
for f in server.crt /root/certrequest/server.key; do
  rsync -avP "$f" /root/certrequest/newCerts
done

9. 验证证书是否正确

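# Checks before anything is installed: the certificate's modulus digest must
# equal the key's (same pair), the certificate must chain to the bundle Apache
# already trusts, and — since step 1 added clientAuth to the request — it must
# also pass as a client certificate, which proves the CA kept that EKU.
# Single-dash options, because OpenSSL 1.0.x rejects the `--noout` spelling.
openssl x509 -noout -modulus -in /root/certrequest/newCerts/server.crt | openssl md5
openssl rsa -noout -modulus -in /root/certrequest/newCerts/server.key | openssl md5
openssl verify -CAfile /etc/apache2/ssl.crt/server-chain.crt /root/certrequest/newCerts/server.crt
openssl verify -purpose sslclient -CAfile /etc/apache2/ssl.crt/server-chain.crt /root/certrequest/newCerts/server.crt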

10. 复制证书至目标路径

# Install the verified pair into the paths Apache reads (step 2 backed up the
# previous files).
for ext in crt key; do
  cp -- "/root/certrequest/newCerts/server.${ext}" "/etc/apache2/ssl.${ext}/server.${ext}"
done

11. 修改server.key和server.crt文件权限

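# The certificate is public and may stay world-readable. The private key must
# not be: 644 lets every local account read it. Apache opens the key as root
# while starting, so 600 root:root suffices; if another non-root service has
# to read this path, use 640 with that service's group instead.
chmod 644 /etc/apache2/ssl.crt/server.crt
chown root:root /etc/apache2/ssl.crt/server.crt
chmod 600 /etc/apache2/ssl.key/server.key
# was `chmod root:root`, which chmod rejects as an invalid mode
chown root:root /etc/apache2/ssl.key/server.key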

12. 修改/etc/ssl/prodis/haproxy.pem

找到属于用户终端证书的那一部分,并修改为现有的证书。

13. 重启组件

# Restart the two consumers of the renewed material, the web server first,
# then the haproxy instance whose PEM bundle step 12 updated.
for unit in httpd haproxy-act; do
  systemctl restart "$unit"
done

13. 测试

可试试使用

# Smoke test with the project client; this appears to be the scripted
# equivalent of the curl POST of 'DATE' shown in step 16.
anetecho DATE

或咨询application同事使用情况。

14. 同步至hostb&hostc

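# Fan the renewed material out to the peer nodes. rsync -a preserves owner and
# mode, so run step 11 (chmod/chown) before this. The original last line sent
# server.key to hostc:/etc/apache2/ssl.crt/server.crt, i.e. it replaced the
# world-readable certificate with the private key — the key now goes to the
# ssl.key path on both hosts.
for host in hostb hostc; do
  rsync -avP /etc/apache2/ssl.crt/server.crt "${host}:/etc/apache2/ssl.crt/server.crt"
  rsync -avP /etc/apache2/ssl.key/server.key "${host}:/etc/apache2/ssl.key/server.key"
  rsync -avP /etc/ssl/prodis/haproxy.pem "${host}:/etc/ssl/prodis/haproxy.pem"
done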

15. 重启hostb&hostc httpd

# Restart the web server on the peer nodes; "ok" is printed only when the
# remote restart succeeded.
for host in hostb hostc; do
  ssh "$host" "systemctl restart httpd && echo ok"
done

16. 最后验证

# Final check with the project client (see the curl and s_client commands
# below for the same check done with standard tools).
anetecho

# End-to-end check with the client identity: POST the DATE request over mTLS,
# validating the server against the project CA bundle listed in EXTRA 2.
curl -vvv -X POST --data-raw 'DATE' \
  --cert /etc/ssl/clientcerts/client.crt \
  --key /etc/ssl/private/client.key \
  --cacert /export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem \
  'https://anet.CHA7.faw-vw.in'

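# Handshake with the client identity and, unlike the original, verify the
# server chain against the same CA bundle curl uses above — without -CAfile
# s_client only reports what the system store thinks. -servername sends SNI
# so the server selects the same certificate curl is offered. Expect
# "Verify return code: 0 (ok)" in the output.
openssl s_client -connect anet.cha7.faw-vw.in:443 -servername anet.cha7.faw-vw.in \
  -CAfile /export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem \
  -key /etc/ssl/private/client.key -cert /etc/ssl/clientcerts/client.crt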

EXTRA 1: 修改证书到期通知人

vim /etc/prodis/dsa-prodisserver-ca.ini 
[mail]
loglevel=0
mailaddress=
subject="Ablaufendes Zertifikat gefunden"
->
[mail]
loglevel=1
mailaddress=.crt上的mail address
subject="Ablaufendes Zertifikat gefunden"

EXTRA 2: 证书位置

server:

/etc/apache2/ssl.crt/server.crt
/etc/apache2/ssl.crt/server-chain.crt
/etc/ssl/clientcerts/dsa-prodisserver-ca.pem
/etc/pki/trust/anchors/dsa-prodisserver-ca.pem
/export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem

client:

/etc/ssl/clientcerts/client.crt
/etc/ssl/private/client.key
/etc/pki/trust/anchors/dsa-prodisserver-ca.pem

/export/boot/global/default/etc/ssl/certs/client.crt
/export/boot/global/default/etc/ssl/private/client.key
/export/boot/global/default/etc/ssl/certs/dsa-prodisserver-ca.pem

# NOTE(review): this rsync has no destination operand (with a single operand
# rsync only lists the source); presumably the intended targets are the peer
# hosts as in step 14 (hostb:/etc/ssl/prodis/haproxy.pem, hostc:...) — confirm.
rsync -avP /etc/ssl/prodis/haproxy.pem

创建svn证书

在HOSTC上

1. 创建CSR与自签证书公钥,私钥

# Create the user's key, CSR and self-signed certificate with the project
# tool; step 2 reads them from /etc/ssl/clientcerts/<username>.{csr,crt} and
# /etc/ssl/private/<username>.key.
create-client-cert -n <username>

2. 创建p12

Case 1: 客户签发

提交/etc/ssl/clientcerts/<username>.csr
拿到 cer 后拆分出终端证书，以 x509 的形式存为 crt 文件，并传回服务器的 /etc/ssl/clientcerts/ 目录。

case 2: 自签发

/etc/ssl/clientcerts/<username>.crt /etc/ssl/private/<username>.key

# Bundle the client certificate with its key as PKCS#12 for the user; openssl
# prompts for the export password, so it never appears on the command line.
openssl pkcs12 -export \
  -in /etc/ssl/clientcerts/<username>.crt \
  -inkey /etc/ssl/private/<username>.key \
  -out /etc/ssl/clientcerts/<username>.p12

取出/etc/ssl/clientcerts/<username>.p12

# Hand the PKCS#12 bundles over via the drop directory. They contain private
# keys, so make sure /data/tmp/ is not readable by other accounts.
rsync -avP -- /etc/ssl/clientcerts/*.p12 /data/tmp/

后续操作

vim /data/svn/conf/authz
[groups] 
svnusers = svnsync,<username>
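# Add (or reset) the SVN user's password. Without -b, htpasswd2 prompts for
# the password instead of taking it from argv, so it shows up neither in
# `ps` output nor in the shell history.
svn_user=   # the <username> created in step 1
/usr/bin/htpasswd2 /data/svn/conf/svnuser.conf "$svn_user"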

FAZIT CERTS

1. Copy private key and certificates

# Reuse the Apache server pair for the fazitcon connector; -p keeps the
# owner/mode set in step 11.
for ext in key crt; do
  cp -p "/etc/apache2/ssl.${ext}/server.${ext}" "/etc/ssl/prodis/fazitcon.${ext}"
done

2. 保存根证书与中间证书

找到/etc/ssl/prodis/haproxy.pem 中有关根证书与中间证书的部分并单独保存。
e.g.:
VW-CA-ROOT-05.crt

VW-CA-PROC-09.crt

3. Keystore

# Create the CMS keystore (.kdb) with a stashed password file (.sth, referenced
# below), then restrict all keystore files to root plus the ssl-cert group.
# NOTE(review): the keystore password is passed on the command line, so it is
# visible in `ps` and kept in the shell history; check whether the tool can
# prompt for it instead. The .sth file contains that password and is listed
# under "Transfer of configuration" — treat it like the key itself.
/opt/mqm/bin/runmqakm -keydb -create -db fazitcon.kdb -pw dsa677 -stash 
chgrp ssl-cert fazitcon.{kdb,rdb,sth,crl} 
chmod 0640 fazitcon.{kdb,rdb,sth,crl}

import client-cert and private-key

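# Bundle the key and certificate for import into the CMS keystore. The export
# password is asked for interactively instead of being given as
# `-passout pass:...`, which would leave it visible in `ps` and in the shell
# history; enter the same password the following runmqakm import step
# supplies with -pw.
openssl pkcs12 -export -inkey fazitcon.key -in fazitcon.crt -name fazitcon -out fazitcon.p12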

# Import the key+certificate bundle into the CMS keystore under the label
# ibmwebspheremqprodis (presumably the label the MQ client configuration
# refers to — confirm against mqclient.ini).
# NOTE(review): both the PKCS#12 password and the keystore password are on
# the command line here (ps / shell history); the read-only steps below use
# -stashed — check whether the import can use it as well.
/opt/mqm/bin/runmqakm -cert -import -new_label ibmwebspheremqprodis -type pkcs12 -file fazitcon.p12 -pw dsa000 -target fazitcon.kdb -target_type cms -target_pw dsa677

# The PKCS#12 export holds the private key and was only needed for the
# import above, so it is removed right away.
rm -f -- fazitcon.p12

add CA-certs to keystore

# Add the intermediate and root CA extracted from haproxy.pem in step 2 as
# trusted certificates, opening the keystore with the stashed password.
/opt/mqm/bin/runmqakm -cert -add -db fazitcon.kdb -label VW-CA-PROC-09 -file VW-CA-PROC-09.crt -stashed
/opt/mqm/bin/runmqakm -cert -add -db fazitcon.kdb -label VW-CA-ROOT-05 -file VW-CA-ROOT-05.crt -stashed

list keystore

# List the keystore; the expected output is shown below (! = trusted CA,
# - = personal certificate with key).
/opt/mqm/bin/runmqakm -cert -list -db fazitcon.kdb -stashed

The output should look like this:

Certificates found * default, - personal, ! trusted, # secret key 
!    VW-CA-PROC-09
!    VW-CA-ROOT-05 
-    ibmwebspheremqprodis
# Restart fazitcon so the rebuilt keystore is picked up; check the logs listed
# below afterwards.
systemctl restart "fazitcon-act"

available logs:

  • fazitrcvd.lg0
  • /home/prodis/IBM/MQ/data/errors/AMQERR01.LOG
  • fazitsndd.lg0
  • fazitconshow -A

4. Transfer of configuration to passive server

  • /etc/ssl/prodis/fazitcon.key
  • /etc/ssl/prodis/fazitcon.crt
  • /etc/ssl/prodis/fazitcon.kdb
  • /etc/ssl/prodis/fazitcon.rdb
  • /etc/ssl/prodis/fazitcon.sth
  • /etc/ssl/prodis/fazitcon.crl
  • /etc/prodis/mqsq.ini
  • /etc/prodis/mqsq-notls.ini
  • /etc/prodis/mqsq-tls.ini
  • /home/prodis/IBM/MQ/data/mqclient.ini