In the previous part we installed our own local certificate authority (a root CA with an intermediate).
Now we will install a web server, give it a certificate issued by that CA, and test the secure connection from a second host:
ON NGINX WEB SERVER
yum -y install nginx
mkdir /etc/nginx/pki
# REMOVE PASSWORD FROM FILE (nginx must be able to load the key without prompting)
openssl rsa -in intermediate/private/www.alexlinux.com.key \
    -out /etc/nginx/pki/www.alexlinux.com.key
Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
writing RSA key
# THE KEY IS NOW STORED UNENCRYPTED: KEEP IT READABLE BY ROOT ONLY (MODE 0600)
cp intermediate/certs/www.alexlinux.com.crt \
    /etc/nginx/pki/www.alexlinux.com.crt
cp intermediate/certs/intermediate.crt /etc/nginx/pki/intermediate.crt
# BUNDLE ORDER MATTERS: SERVER CERTIFICATE FIRST, THEN THE INTERMEDIATE
cat /etc/nginx/pki/www.alexlinux.com.crt /etc/nginx/pki/intermediate.crt \
    > /etc/nginx/pki/bundle.crt
# After that you should copy certs/ca.crt (the root certificate, not the intermediate)
# to the remote host; in my case it is another CentOS 7 server.
scp certs/ca.crt some-remote-centos-host:/etc/pki/ca-trust/source/anchors/
# ADD SERVER BLOCK (in nginx.conf or in a file it includes)
server {
    listen 443 ssl;   # "ssl on;" is the older, now deprecated, way to say the same
    ssl_certificate     /etc/nginx/pki/bundle.crt;
    ssl_certificate_key /etc/nginx/pki/www.alexlinux.com.key;
    server_name www.alexlinux.com;
    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
# AND START WEB SERVER
systemctl start nginx
LOG IN TO THE REMOTE HOST TO CHECK THE SECURE HANDSHAKE
# ADD RESOLVE ENTRY (192.168.0.205 is the address of the nginx server)
echo "192.168.0.205 www.alexlinux.com" >> /etc/hosts
# CHECKING CONNECTION. BEFORE THE CA IS TRUSTED YOU SHOULD SEE THIS ERROR:
# THE SERVER SENDS THE LEAF AND THE INTERMEDIATE, BUT THE CLIENT HAS NO ROOT TO CHAIN THEM TO
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443
………………….
    Start Time: 1483731000
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
# THESE TWO COMMANDS ADD THE CA CERTIFICATE FROM anchors/ TO THE OS TRUST STORE
# (ON CENTOS 7 THE STORE IS ALREADY ENABLED, SO "extract" IS THE ONE THAT DOES THE WORK;
# "force-enable" IS ONLY NEEDED ON RELEASES WHERE THE CONSOLIDATED STORE IS OFF BY DEFAULT)
update-ca-trust force-enable
update-ca-trust extract
# AND NOW IT WILL BE OK
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443
………………….
    Start Time: 1483731073
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
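The two verify results above are the whole point of the exercise, so here is a way to reproduce them without a second host. The script below is an added example, not code from the original post: it rebuilds the same shape of PKI (root, intermediate, passphrase-protected server key) in a temporary directory and then runs the checks an admin wants before copying files into /etc/nginx/pki and before trusting the root on a client. The CA names, the 123123 passphrase and the second "unrelated-root" CA (standing in for a client that has not imported ca.crt yet) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Rebuilds the tutorial's PKI in a
# temp dir and wraps the checks in functions. Names, the 123123 passphrase and
# the throw-away "unrelated-root" CA are assumptions for this example only.
set -e

WORK=$(mktemp -d)
HOST=www.alexlinux.com

# Minimal openssl.cnf so `openssl req` does not depend on the system config.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA (ca.crt in the post) plus an unrelated root that plays the role of a
# client which has NOT run update-ca-trust on ca.crt yet.
for name in alexlinux-test-root unrelated-root; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
done

# Intermediate CA: CSR signed by the root with CA:TRUE (pathlen:0 = leaves only).
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=alexlinux-test-intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/intermediate.csr" \
    -CA "$WORK/alexlinux-test-root.crt" -CAkey "$WORK/alexlinux-test-root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/intermediate.crt" 2>/dev/null

# Server key, passphrase-protected as in the post; CSR; leaf signed by the
# intermediate with a SAN so modern clients accept the hostname.
openssl genrsa -aes256 -passout pass:123123 -out "$WORK/$HOST.enc.key" 2048 2>/dev/null
openssl req -new -key "$WORK/$HOST.enc.key" -passin pass:123123 \
    -config "$WORK/req.cnf" -subj "/CN=$HOST" -out "$WORK/$HOST.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/srv.ext"
openssl x509 -req -days 365 -in "$WORK/$HOST.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/srv.ext" -out "$WORK/$HOST.crt" 2>/dev/null

# The post's `openssl rsa` step: strip the passphrase so nginx starts unattended,
# then lock the now-plaintext key down to root only.
openssl rsa -in "$WORK/$HOST.enc.key" -passin pass:123123 -out "$WORK/$HOST.key" 2>/dev/null
chmod 600 "$WORK/$HOST.key"

# bundle.crt: leaf FIRST, then the intermediate (the order nginx sends it in).
cat "$WORK/$HOST.crt" "$WORK/intermediate.crt" > "$WORK/bundle.crt"

# Check 1: does the private key belong to the certificate? (same RSA modulus)
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Check 2: can the key be loaded with no passphrase? A wrong -passin is ignored
# for an unencrypted key and rejected for an encrypted one.
key_is_unencrypted() {
    openssl rsa -in "$1" -passin pass:not-the-passphrase -noout >/dev/null 2>&1
}

# Check 3: can a client that trusts only $1 chain to leaf $2, given the extra
# certs in $3 (what the server sends)? Exit status mirrors s_client's verdict.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Same as verify_chain but prints openssl's reason, e.g. "error 20 ...".
verify_reason() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true
    else
        openssl verify -CAfile "$1" "$2" 2>&1 || true
    fi
}

# Walk-through when run directly: ok / FAIL per scenario.
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report cert_key_match     "$WORK/$HOST.crt" "$WORK/$HOST.key"
report key_is_unencrypted "$WORK/$HOST.key"
report verify_chain "$WORK/alexlinux-test-root.crt" "$WORK/$HOST.crt" "$WORK/bundle.crt"
# The next two are expected to FAIL with error 20, exactly as in the post:
report verify_chain "$WORK/unrelated-root.crt"      "$WORK/$HOST.crt" "$WORK/bundle.crt"  # root not trusted
report verify_chain "$WORK/alexlinux-test-root.crt" "$WORK/$HOST.crt"                     # intermediate not sent
```

The first expected failure is the client before `update-ca-trust extract`; the second is the commonest nginx mistake, pointing `ssl_certificate` at the leaf instead of bundle.crt, which also produces "unable to get local issuer certificate" on the client. Note that `openssl verify` (and `s_client` on older OpenSSL) only validates the chain, not that the hostname matches the certificate; on OpenSSL 1.1 and later add `-verify_hostname www.alexlinux.com` to cover that too.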
That's it, now everything works fine )
If you install the same CA certificate on Windows, you will see this:
If something goes wrong, here is the page with the check commands