You have to generate the corresponding certificates (the server certificate, the CA certificate and the client certificate) and upload them to the certificate management system of the Server Load Balancer service.
- Server certificate: used by the user's browser to check whether the certificate sent by the server is signed by a trusted certificate authority. The server certificate must be uploaded to the certificate management system of the Server Load Balancer.
- Client certificate: used to prove the identity of the client user to the server.
- CA certificate: used to verify the client certificate. The server requires the client browser to send its client certificate and, once it is received, verifies it against the CA certificate. If verification fails, the connection is denied. After two-way authentication is enabled, you must upload both the CA certificate and the server certificate to the certificate management system of the Server Load Balancer service.
You can buy and generate the server certificate from
Create a ca folder in the /root directory and create four subfolders under the ca folder:
$ sudo mkdir ca
$ cd ca
$ sudo mkdir newcerts private conf server
- newcerts folder: stores the digital certificates signed by the CA (certificate backup directory)
- private folder: stores the CA private key
- conf folder: stores configuration files that simplify the command-line parameters
- server folder: stores the server certificate file
Create an openssl.conf file under the conf directory and edit its content as follows.
Run the following commands to generate the CA private key file.
$ cd /root/ca
$ sudo openssl genrsa -out private/ca.key
Generating RSA private key, 512 bit long modulus
e is 65537 (0x10001)
A ca.key file is generated under the private folder. The OpenSSL version used here defaults to a 512-bit modulus, which is far too weak for a CA key; always pass the key size explicitly as the last argument of the genrsa command and use at least 2048 bits.
Run the following command and fill in the requested information (country, organization, common name and so on) at the prompts. Press Enter after each field to generate the certificate request.
$ sudo openssl req -new -key private/ca.key -out private/ca.csr
Note: Enter xxx.xxx.cn as the common name if you do not have a domain name ready.
Run the following command to generate the self-signed CA certificate, valid for 365 days.
$ sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
A ca.crt file is generated under the private folder.
Run the following command to set the starting serial number for the certificates the CA issues. The value must be hexadecimal with an even number of digits (for example FACE). Note that a shell redirection is performed by your own shell, not by sudo, so write the file through tee instead.
$ echo FACE | sudo tee serial
Run the following command to create the (initially empty) CA database, in which OpenSSL records every certificate it issues or revokes.
$ sudo touch index.txt
Run the following command to create an initially empty certificate revocation list (CRL), which is regenerated later whenever a user certificate has to be revoked.
$ sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"
Using configuration from /root/ca/conf/openssl.conf
A ca.crl file is generated under the private folder.
- Run the following command to create a users directory for storing the client keys and certificates.
$ sudo mkdir users
Run the following command to create a private key for the user. Use at least 2048 bits; 1024-bit RSA keys are no longer considered secure. The -aes256 option encrypts the key file with a pass phrase.
$ sudo openssl genrsa -aes256 -out /root/ca/users/client.key 2048
You are prompted for a pass phrase. This is the password that protects the key file and prevents the key from being used if the file is stolen. Enter the same password at both prompts. A client.key file is generated under the users folder.
Run the following command to create a certificate signing request (CSR) file for the key.
$ sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr
You are prompted for the pass phrase of client.key that you set in the previous step, and then for the subject fields of the certificate. A client.csr file is generated under the users folder.
Run the following command to sign the certificate request with your private CA key.
$ sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"
The request details are printed on the console. Enter y at both confirmation prompts (one to sign the certificate, one to commit it to the CA database). A client.crt file is generated under the users folder, and the CA also stores a copy, named after its serial number, in the newcerts folder.
Run the following command to convert the certificate and its private key into a PKCS#12 file, which most browsers can import.
$ sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
Enter the pass phrase of the client.key file when prompted. Then enter the Export Password (twice). This password protects the client.p12 file and is required when the user imports the certificate into the browser. A client.p12 file is generated under the users folder.
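The whole procedure above, from the ca folder layout to client.p12, as a single non-interactive script. This is an added example and not the page's own code: the openssl.conf contents, the subject names, the pass phrases, the 2048-bit key sizes and the verify_client and revoke_client helpers are assumptions made here, and the CA root directory is taken as an argument instead of being fixed to /root/ca. It also adds the two checks a practitioner wants after following the page: that client.crt really chains to ca.crt, and that a revoked certificate fails once the CRL is regenerated.

```shell
#!/bin/sh
# Added example, not the page's own code. Builds the private CA and client
# certificate from the procedure above non-interactively, then verifies and
# revokes the client certificate. Assumes OpenSSL 1.1.1+ and a writable CA
# root given as $1 (the page uses /root/ca); names and passwords are made up.
set -e

CLIENT_KEY_PASS="client-key-pass"   # assumed pass phrase protecting client.key
P12_EXPORT_PASS="p12-export-pass"   # assumed export password for client.p12

# Minimal openssl.conf for `openssl ca` (an assumption; the page's file is not
# reproduced). It points the CA at the folders created below and adds the
# extensions that make ca.crt a real CA and client.crt a client-auth leaf.
write_openssl_conf() {
    cat > "$1/conf/openssl.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/ca.key
certificate      = \$dir/private/ca.crt
default_days     = 365
default_crl_days = 7
default_md       = sha256
policy           = policy_any
x509_extensions  = client_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
[ client_cert ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
EOF
}

build_mtls_pki() {
    root="$1"; conf="$root/conf/openssl.conf"
    mkdir -p "$root/newcerts" "$root/private" "$root/conf" "$root/server" "$root/users"
    chmod 700 "$root/private"
    write_openssl_conf "$root"
    # CA key and self-signed CA certificate: 2048-bit RSA and SHA-256, not the
    # 512-bit default the page's console output shows.
    openssl genrsa -out "$root/private/ca.key" 2048
    openssl req -new -config "$conf" -key "$root/private/ca.key" \
        -subj "/CN=Example Private CA" -out "$root/private/ca.csr"
    openssl x509 -req -sha256 -days 365 -in "$root/private/ca.csr" -signkey "$root/private/ca.key" \
        -extfile "$conf" -extensions v3_ca -out "$root/private/ca.crt"
    # CA database: serial is hex with an even number of digits, index starts empty.
    echo FACE > "$root/serial"
    : > "$root/index.txt"
    echo 01 > "$root/crlnumber"
    openssl ca -config "$conf" -gencrl -crldays 7 -out "$root/private/ca.crl"
    # Pass-phrase protected client key, CSR, CA-signed certificate, PKCS#12 bundle.
    openssl genrsa -aes256 -passout "pass:$CLIENT_KEY_PASS" -out "$root/users/client.key" 2048
    openssl req -new -config "$conf" -key "$root/users/client.key" -passin "pass:$CLIENT_KEY_PASS" \
        -subj "/CN=client01" -out "$root/users/client.csr"
    openssl ca -batch -notext -config "$conf" -in "$root/users/client.csr" -out "$root/users/client.crt"
    openssl pkcs12 -export -clcerts -in "$root/users/client.crt" -inkey "$root/users/client.key" \
        -passin "pass:$CLIENT_KEY_PASS" -passout "pass:$P12_EXPORT_PASS" -out "$root/users/client.p12"
}

# Succeeds only if client.crt chains to ca.crt and is not listed in ca.crl,
# the check the server side performs when two-way authentication is enabled.
verify_client() {
    openssl verify -crl_check -CAfile "$1/private/ca.crt" -CRLfile "$1/private/ca.crl" \
        "$1/users/client.crt" >/dev/null 2>&1
}

# Revoke the client certificate and regenerate the CRL the server should load.
revoke_client() {
    openssl ca -config "$1/conf/openssl.conf" -revoke "$1/users/client.crt"
    openssl ca -config "$1/conf/openssl.conf" -gencrl -crldays 7 -out "$1/private/ca.crl"
}

# Stand-alone run: build under $CA_ROOT (default: a fresh temporary directory).
ca_root="${CA_ROOT:-$(mktemp -d)}"
build_mtls_pki "$ca_root"
verify_client "$ca_root" && echo "client.crt verifies against $ca_root/private/ca.crt"
```

Run it as root with CA_ROOT=/root/ca to reproduce the page's layout exactly; private/ca.crt is then the CA certificate to upload to the Server Load Balancer, and users/client.p12 is the bundle the user imports into the browser. verify_client uses openssl verify with -crl_check, so after revoke_client the same certificate is rejected locally; the regenerated ca.crl is what has to reach whatever component enforces revocation on the server side.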