CMX 10.5 SSL-certificeringsprocedure
Inhoud
Inleiding
Dit artikel zal een voorbeeld geven over hoe te om een vrij SSL certificaat en de manier te krijgen om het op CMX te installeren. De informatie in dit document is gebaseerd op de apparaten in een specifieke laboratoriumomgeving. Alle apparaten die in dit document worden beschreven, hadden een opgeschoonde (standaard)configuratie. Als uw netwerk live is, moet u de potentiële impact van elke opdracht begrijpen.
Voorwaarden
Vereisten
Cisco raadt kennis van de volgende onderwerpen aan:
- Een domeinnaam die extern kan worden opgelost
- Basisvaardigheden
- Basiskennis van PKI (openbare sleutelinfrastructuur)
Gebruikte componenten
De informatie in dit document is gebaseerd op de volgende software- en hardware-versies:
- CMX 10,5
Voorbereiden en back-up
Het webcertificaat bevindt zich in de volgende map:
[root@cmxtry ssl]# pwd /opt/haproxy/ssl
Back-up van het oude certificaat en de oude toets:
[cmxadmin@cmxtry ssl]$cd /opt/haproxy/ssl/ [cmxadmin@cmxtry ssl]$su root Password: (enter root password) [root@cmxtry ssl]# mkdir ./oldcert [root@cmxtry ssl]# mv host.* ./oldcert/ [root@cmxtry ssl]# ls ./oldcert/ host.key host.pem
Indien u niet erg vertrouwd bent met Linux, kunnen de bovenstaande opdrachten op de volgende manier worden geïnterpreteerd:
[cmxadmin@cmxtry ssl]$cd /opt/haproxy/ssl/ [cmxadmin@cmxtry ssl]$su root Password: (enter root password) [root@cmxtry ssl]# mkdir /opt/haproxy/ssl/oldcert [root@cmxtry ssl]# mv host.pem /opt/haproxy/ssl/oldcert/ [root@cmxtry ssl]# mv host.key /opt/haproxy/ssl/oldcert/ [root@cmxtry ssl]# ls /opt/haproxy/ssl/oldcert/ host.key host.pem
Configureren
Een privésleutel genereren:
openssl genrsa -out cmxtry.com.key 2048
[root@cmxtry ssl]# openssl genrsa -out cmxtry.com.key 2048 Generating RSA private key, 2048 bit long modulus ............ ............... e is 65537 (0x10001) [root@cmxtry ssl]# ls cmxtry.com.key oldcert
Generate een CSR (certificaataanvraag) met behulp van de privétoets die u in de vorige stap hebt gegenereerd.
[root@cmxtry ssl]# openssl req -new -sha256 -key cmxtry.com.key -out cmxtry.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:BE State or Province Name (full name) [Some-State]: Locality Name (eg, city) []:DIEGEM Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMXTRY Organizational Unit Name (eg, section) []:CMXTRY Common Name (e.g. server FQDN or YOUR name) []:cmxtry.com Email Address []:avitosin@cisco.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:Cisco123 An optional company name []:CMXTRY [root@cmxtry ssl]# ls cmxtry.com.csr cmxtry.com.key oldcert
CSR weergeven:
[root@cmxtry ssl]# cat cmxtry.com.csr -----BEGIN CERTIFICATE REQUEST----- MIIDZTCCAk0CAQAwgY0xCzAJBgNVBAYTAkJFMRMwEQYDVQQIDApTb21lLVN0YXRl MQ8wDQYDVQQHDAZESUVHRU0xDzANBgNVBAoMBkNNWFRSWTEPMA0GA1UECwwGQ01Y VFJZMRMwEQYDVQQDDApjbXh0cnkuY29tMSEwHwYJKoZIhvcNAQkBFhJhdml0b3Np bkBjaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkEIg0 AxV/3HxAxUu7UI/LxkTP+DZJvvuua1WgyQ+tlD4r1+k1Wv1eINCJqywglCKt9vVg aiYp4JAKL28TV7rtSKqNFnWDMtTKoYRkYWI3L48r9Mu9Tt3zDCG09ygnQFi6SnmX VmKx7Ct/wIkkBXfkq1nq4vqosCry8SToS1PThX/KSuwIF6w2aKj1Fbrw3eW4XJxc 5hoQFrSsquqmbi5IZWgH/zMZUZTdWYvFc/h50PCBJsAa9HTY0sgUe/nyjHdt+V/l alNSh41jsrulhWiPzqbaPW/Fej9/5gtPG5LReWuS20ulAnso4tdcST1vVletoXJw F58S8AqeVrcOV9SnAgMBAAGggZEwFQYJKoZIhvcNAQkCMQgMBkNNWFRSWTAXBgkq hkiG9w0BCQcxCgwIQ2lzY28xMjMwXwYJKoZIhvcNAQkOMVIwUDAJBgNVHRMEAjAA MBcGA1UdEQQQMA6CDF9fSE9TVE5BTUVfXzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwCwYDVR0PBAQDAgOoMA0GCSqGSIb3DQEBCwUAA4IBAQCBslfRzbiw WBBBN74aWm6YwkO0YexpR2yCrQhcOsxWTujPVvzNP9WaDNxu1rw6o3iZclGi6D61 qFsKtchQhnclvOj7rNI8TInaxIorR2zMy0lF2vtJmvY4YQFso9qzmuaxkmttEMFU Fj0bxKh6SpvxePh6+BDcwt+kQExK5aF3Q6cRIMyKBS2+I5J5eddJ0cdIqTfwZOGD 5dMDWqHGd7IZyrend8AMPZvNKm3Sbx11Uq+A/fa7f9JZE0O2Q9h3sl3hj3QIPU6s w1Pyd66/OX04yYIvMyjJ8xpJGigNWBOvQ+GLvK0ce441h2u2oIoPe60sDOYldL+X JsnSbefiJ4Fe -----END CERTIFICATE REQUEST-----
Kopieert de CSR (inclusief het begin van de certificaataanvraag en het einde van de certificaataanvraag).
In het geval van mijn lab gebruikte ik het gratis certificaat van Comodo (https://www.instantssl.com/)
U plakt CSR in het venster en selecteert RedHat als software die wordt gebruikt om de CSR te genereren:
U moet het domein valideren met behulp van een e-mailadres of andere manieren om het domein te valideren, zoals de DNS-naam.
Nadat u het proces van validatie hebt voltooid, kunt u hier een certificaat downloaden:
Wanneer u het certificaat downloaden, moet u het naar CMX-vak uploaden:
[ avitosin > ~/Desktop/cmxtry_com ] ls cmxtry_com.ca-bundle cmxtry_com.crt [ avitosin > ~/Desktop/cmxtry_com ] scp ./* cmxadmin@cmxtry.com:/home/cmxadmin Warning: the ECDSA host key for 'cmxtry.com' differs from the key for the IP address '64.103.12.134' Offending key for IP in /Users/avitosin/.ssh/known_hosts:8 Matching host key in /Users/avitosin/.ssh/known_hosts:10 Are you sure you want to continue connecting (yes/no)? yes cmxadmin@cmxtry.com's password: /etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory cmxtry_com.ca-bundle 100% 4103 4.0KB/s 00:00 cmxtry_com.crt 100% 2236 2.2KB/s 00:00 [ avitosin > ~/Desktop/cmxtry_com ]
Controleer de certificaten
Controleer dat het certificaat met succes is gekopieerd naar CMX:
[root@cmxtry ssl]# cd /home/cmxadmin/ [root@cmxtry cmxadmin]# ls cmxtry_com.ca-bundle cmxtry_com.crt [root@cmxtry cmxadmin]#
Openbaar certificaat:
[root@cmxtry cmxadmin]# cat cmxtry_com.crt -----BEGIN CERTIFICATE----- MIIGRzCCBS+gAwIBAgIRALKbdelOe0O7sSYMBFBhFPwwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg Q0EwHhcNMTgwODA4MDAwMDAwWhcNMTgxMTA2MjM1OTU5WjBLMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxETAPBgNVBAsTCEZyZWUgU1NMMRMwEQYD VQQDEwpjbXh0cnkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA oVRQ9cBGBNbcIIiVovDXUw0TRXjrCplro9bx22kGAnJPNenymETTdJ4m+7Rs19BI ob09Wqo4CKWCxgdViJWQDohfGbElvdELcOD7+HgZroYHoY24wzU+q2WCFW9z3Dca RZMJagjsXPZ5XhACvlKb+lNoYTgTkf0xVAnNphTGgtOGNaQ/PHqX9ITC4iwTmFWD UEZR/SIwb5MjIQZsMGi5cW7q4STKrydFVDXmJzNySK2hq9s9yc8cBN2Lp2HJsaA4 qtQb1KWOLnzVxUaAMVN+sObVvYV/sOmJLtFvKKU9Pg2cuSo2LhPBVtTpdbHkSDuz NlWHhYC9Uxu2+wwvTwGjQQIDAQABo4IC3jCCAtowHwYDVR0jBBgwFoAUkK9qOpRa C9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFPvwN4lSs4oKd5AaG+j6xhDEtfL7MA4G A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUH AgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNV HR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FE b21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5 MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JT QURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGG GGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREEHjAcggpjbXh0cnkuY29t gg53d3cuY214dHJ5LmNvbTCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AO5Lvbd1 zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABZRmIfAUAAAQDAEYwRAIgdU0n octPP7c7dR3MSMq2NQDA1rgP1hSGtB4qkectDp4CIBHBdS9cuu6Pwjb9OAHtKIDh BGFm51btA2NflzDLKmpVAHYA23Sv7ssp7LH+yj5xbSzluaq7NveEcYPHXZ1PN7Yf v2QAAAFlGYh7cwAABAMARzBFAiBDUjKNvINiwH1hgA+4Oipjhv7oGxLEsDiz+e7j /oa3qQIhAKoTXC41fbcAZSH3zWE/LBYthUkA4qaP3Q2en7QanEv7MA0GCSqGSIb3 DQEBCwUAA4IBAQAwoZfOdE1QuzJqssnAWxoI2uTc9R15clVq3X7qiYLv3ItijFUL stuKQXf7VqYqKHcjX8Ue5TMfcJYNlRc5Knj3r6fusLuaO33W++g3TDnQuN/CT5Y4 nrgor7UsquZHGoY6RHh2ZDA53Ep80YtsO36eLN8qkDB/OvxqJmYj9URTLfWRqfhh sGE1odIjW4lbSka+CR09DlBkhzOTqDCnWcKicn/kSfJexKVs0LRrNXfvUEdbPohl plPeiyKMXUtV2Q67UwiYpC9JzkG8a09q5JdUL4Le/xn0gvz4jq+2rtHnNctg6ShD laqU7wA5HRag2zJsIK/d2Agymk8u3AypzW4T -----END CERTIFICATE-----
Keten van vertrouwen:
[root@cmxtry cmxadmin]# cat cmxtry_com.ca-bundle -----BEGIN CERTIFICATE----- MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0 Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6 ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51 UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz 30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/ e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc 2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4 HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII 0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf +AZxAeKCINT+b72x -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6 2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt 4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/ vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT 8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/ s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9 MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6 Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5 B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR pu/xO28QOG8= -----END CERTIFICATE-----
U kunt ook een kijkje nemen in het certificaat:
KETEN VAN VERTROUWEN:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.ca-bundle -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07 Signature Algorithm: sha384WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Validity Not Before: Feb 12 00:00:00 2014 GMT Not After : Feb 11 23:59:59 2029 GMT Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:8e:c2:02:19:e1:a0:59:a4:eb:38:35:8d:2c:fd: 01:d0:d3:49:c0:64:c7:0b:62:05:45:16:3a:a8:a0: c0:0c:02:7f:1d:cc:db:c4:a1:6d:77:03:a3:0f:86: f9:e3:06:9c:3e:0b:81:8a:9b:49:1b:ad:03:be:fa: 4b:db:8c:20:ed:d5:ce:5e:65:8e:3e:0d:af:4c:c2: b0:b7:45:5e:52:2f:34:de:48:24:64:b4:41:ae:00: 97:f7:be:67:de:9e:d0:7a:a7:53:80:3b:7c:ad:f5: 96:55:6f:97:47:0a:7c:85:8b:22:97:8d:b3:84:e0: 96:57:d0:70:18:60:96:8f:ee:2d:07:93:9d:a1:ba: ca:d1:cd:7b:e9:c4:2a:9a:28:21:91:4d:6f:92:4f: 25:a5:f2:7a:35:dd:26:dc:46:a5:d0:ac:59:35:8c: ff:4e:91:43:50:3f:59:93:1e:6c:51:21:ee:58:14: ab:fe:75:50:78:3e:4c:b0:1c:86:13:fa:6b:98:bc: e0:3b:94:1e:85:52:dc:03:93:24:18:6e:cb:27:51: 45:e6:70:de:25:43:a4:0d:e1:4a:a5:ed:b6:7e:c8: cd:6d:ee:2e:1d:27:73:5d:dc:45:30:80:aa:e3:b2: 41:0b:af:bd:44:87:da:b9:e5:1b:9d:7f:ae:e5:85: 82:a5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 X509v3 Subject Key Identifier: 90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: X509v3 Any Policy Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt OCSP - URI:http://ocsp.comodoca.com Signature Algorithm: sha384WithRSAEncryption 4e:2b:76:4f:92:1c:62:36:89:ba:77:c1:27:05:f4:1c:d6:44: 9d:a9:9a:3e:aa:d5:66:66:01:3e:ea:49:e6:a2:35:bc:fa:f6: dd:95:8e:99:35:98:0e:36:18:75:b1:dd:dd:50:72:7c:ae:dc: 77:88:ce:0f:f7:90:20:ca:a3:67:2e:1f:56:7f:7b:e1:44:ea: 42:95:c4:5d:0d:01:50:46:15:f2:81:89:59:6c:8a:dd:8c:f1: 12:a1:8d:3a:42:8a:98:f8:4b:34:7b:27:3b:08:b4:6f:24:3b: 72:9d:63:74:58:3c:1a:6c:3f:4f:c7:11:9a:c8:a8:f5:b5:37: ef:10:45:c6:6c:d9:e0:5e:95:26:b3:eb:ad:a3:b9:ee:7f:0c: 9a:66:35:73:32:60:4e:e5:dd:8a:61:2c:6e:52:11:77:68:96: d3:18:75:51:15:00:1b:74:88:dd:e1:c7:38:04:43:28:e9:16: fd:d9:05:d4:5d:47:27:60:d6:fb:38:3b:6c:72:a2:94:f8:42: 1a:df:ed:6f:06:8c:45:c2:06:00:aa:e4:e8:dc:d9:b5:e1:73: 78:ec:f6:23:dc:d1:dd:6c:8e:1a:8f:a5:ea:54:7c:96:b7:c3: fe:55:8e:8d:49:5e:fc:64:bb:cf:3e:bd:96:eb:69:cd:bf:e0: 48:f1:62:82:10:e5:0c:46:57:f2:33:da:d0:c8:63:ed:c6:1f: 94:05:96:4a:1a:91:d1:f7:eb:cf:8f:52:ae:0d:08:d9:3e:a8: a0:51:e9:c1:87:74:d5:c9:f7:74:ab:2e:53:fb:bb:7a:fb:97: e2:f8:1f:26:8f:b3:d2:a0:e0:37:5b:28:3b:31:e5:0e:57:2d: 5a:b8:ad:79:ac:5e:20:66:1a:a5:b9:a6:b5:39:c1:f5:98:43: ff:ee:f9:a7:a7:fd:ee:ca:24:3d:80:16:c4:17:8f:8a:c1:60: a1:0c:ae:5b:43:47:91:4b:d5:9a:17:5f:f9:d4:87:c1:c2:8c: b7:e7:e2:0f:30:19:37:86:ac:e0:dc:42:03:e6:94:a8:9d:ae: fd:0f:24:51:94:ce:92:08:d1:fc:50:f0:03:40:7b:88:59:ed: 0e:dd:ac:d2:77:82:34:dc:06:95:02:d8:90:f9:2d:ea:37:d5: 1a:60:d0:67:20:d7:d8:42:0b:45:af:82:68:de:dd:66:24:37: 90:29:94:19:46:19:25:b8:80:d7:cb:d4:86:28:6a:44:70:26: 23:62:a9:9f:86:6f:bf:ba:90:70:d2:56:77:85:78:ef:ea:25: a9:17:ce:50:72:8c:00:3a:aa:e3:db:63:34:9f:f8:06:71:01: e2:82:20:d4:fe:6f:bd:b1 [root@cmxtry cmxadmin]#
PUBLIEK CERTIFICAAT:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: b2:9b:75:e9:4e:7b:43:bb:b1:26:0c:04:50:61:14:fc Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Validity Not Before: Aug 8 00:00:00 2018 GMT Not After : Nov 6 23:59:59 2018 GMT Subject: OU=Domain Control Validated, OU=Free SSL, CN=cmxtry.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a1:54:50:f5:c0:46:04:d6:dc:20:88:95:a2:f0: d7:53:0d:13:45:78:eb:0a:99:6b:a3:d6:f1:db:69: 06:02:72:4f:35:e9:f2:98:44:d3:74:9e:26:fb:b4: 6c:d7:d0:48:a1:bd:3d:5a:aa:38:08:a5:82:c6:07: 55:88:95:90:0e:88:5f:19:b1:25:bd:d1:0b:70:e0: fb:f8:78:19:ae:86:07:a1:8d:b8:c3:35:3e:ab:65: 82:15:6f:73:dc:37:1a:45:93:09:6a:08:ec:5c:f6: 79:5e:10:02:be:52:9b:fa:53:68:61:38:13:91:fd: 31:54:09:cd:a6:14:c6:82:d3:86:35:a4:3f:3c:7a: 97:f4:84:c2:e2:2c:13:98:55:83:50:46:51:fd:22: 30:6f:93:23:21:06:6c:30:68:b9:71:6e:ea:e1:24: ca:af:27:45:54:35:e6:27:33:72:48:ad:a1:ab:db: 3d:c9:cf:1c:04:dd:8b:a7:61:c9:b1:a0:38:aa:d4: 1b:d4:a5:8e:2e:7c:d5:c5:46:80:31:53:7e:b0:e6: d5:bd:85:7f:b0:e9:89:2e:d1:6f:28:a5:3d:3e:0d: 9c:b9:2a:36:2e:13:c1:56:d4:e9:75:b1:e4:48:3b: b3:36:55:87:85:80:bd:53:1b:b6:fb:0c:2f:4f:01: a3:41 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Subject Key Identifier: FB:F0:37:89:52:B3:8A:0A:77:90:1A:1B:E8:FA:C6:10:C4:B5:F2:FB X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS: https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com X509v3 Subject Alternative Name: DNS:cmxtry.com, DNS:www.cmxtry.com CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1(0) Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66: A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB Timestamp : Aug 8 12:34:59.717 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:75:4D:27:A1:CB:4F:3F:B7:3B:75:1D:CC: 48:CA:B6:35:00:C0:D6:B8:0F:D6:14:86:B4:1E:2A:91: E7:2D:0E:9E:02:20:11:C1:75:2F:5C:BA:EE:8F:C2:36: FD:38:01:ED:28:80:E1:04:61:66:E7:56:ED:03:63:5F: 97:30:CB:2A:6A:55 Signed Certificate Timestamp: Version : v1(0) Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9: AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64 Timestamp : Aug 8 12:34:59.571 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:43:52:32:8D:BC:83:62:C0:7D:61:80:0F: B8:3A:2A:63:86:FE:E8:1B:12:C4:B0:38:B3:F9:EE:E3: FE:86:B7:A9:02:21:00:AA:13:5C:2E:35:7D:B7:00:65: 21:F7:CD:61:3F:2C:16:2D:85:49:00:E2:A6:8F:DD:0D: 9E:9F:B4:1A:9C:4B:FB Signature Algorithm: sha256WithRSAEncryption 30:a1:97:ce:74:4d:50:bb:32:6a:b2:c9:c0:5b:1a:08:da:e4: dc:f5:1d:79:72:55:6a:dd:7e:ea:89:82:ef:dc:8b:62:8c:55: 0b:b2:db:8a:41:77:fb:56:a6:2a:28:77:23:5f:c5:1e:e5:33: 1f:70:96:0d:95:17:39:2a:78:f7:af:a7:ee:b0:bb:9a:3b:7d: d6:fb:e8:37:4c:39:d0:b8:df:c2:4f:96:38:9e:b8:28:af:b5: 2c:aa:e6:47:1a:86:3a:44:78:76:64:30:39:dc:4a:7c:d1:8b: 6c:3b:7e:9e:2c:df:2a:90:30:7f:3a:fc:6a:26:66:23:f5:44: 53:2d:f5:91:a9:f8:61:b0:61:35:a1:d2:23:5b:89:5b:4a:46: be:09:1d:3d:0e:50:64:87:33:93:a8:30:a7:59:c2:a2:72:7f: e4:49:f2:5e:c4:a5:6c:d0:b4:6b:35:77:ef:50:47:5b:3e:88: 65:a6:53:de:8b:22:8c:5d:4b:55:d9:0e:bb:53:08:98:a4:2f: 49:ce:41:bc:6b:4f:6a:e4:97:54:2f:82:de:ff:19:f4:82:fc: f8:8e:af:b6:ae:d1:e7:35:cb:60:e9:28:43:95:aa:94:ef:00: 39:1d:16:a0:db:32:6c:20:af:dd:d8:08:32:9a:4f:2e:dc:0c: a9:cd:6e:13 [root@cmxtry cmxadmin]#
Installeer de certificaten op CMX
CMX vereist het certificaat in de volgende indeling:
+++PRIVÉ-TOETS++
+++PUBLIEK CERTIFICAAT++
+++KETEN VAN HET TRUST-CERTIFICAAT++
De Private Key - your_domain_name.key
Primair certificaat - uw_domein_naam.crt
Intermediate Certificate - emittent-certificaat.crt
The Root Certificate - Trusted Root.crt
De situatie is als volgt:
cmxtry.com.key contains the Private Key cmxtry_com.crt contains the Primary Certificate cmxtry_com.ca-bundle - the Intermediate Certificate and the Root Certificate
Al deze moeten samen worden aaneengezet om een .PEM-certificaat te vormen:
[root@cmxtry cmxadmin]# cat cmxtry.com.key cmxtry_com.crt cmxtry_com.ca-bundle > cmxtry_com.pem
De volgende stap is het wijzigen van de eigendom van het certificaat:
[root@cmxtry cmxadmin]#chown cmx:cmx /opt/haproxy/ssl/cmxtry_com.pem [root@cmxtry cmxadmin]#chmod 744 /opt/haproxy/ssl/cmxtry_com.pem
Als dit gebeurt, kunt u het certificaat een andere naam geven dan host.pem (omdat u van tevoren een back-up van het certificaat hebt gemaakt):
[root@cmxtry cmxadmin]#mv ./cmxtry_com.pem ./host.pem
U activeert nu de modus SLIM:
[root@cmxtry ssl]# cmxctl node sslmode enable Enabling SSL SSL enabled Restarting Haproxy Verified SSL by restarting Haproxy. [root@cmxtry ssl]#
Problemen oplossen
Als u het COMODO (andere verkoper) certificaat in de CMX GUI niet ziet nadat u SSL met de bovenstaande opdracht hebt ingeschakeld, probeer dan het CMX-apparaat opnieuw op te starten.
FeedbackContact Cisco
- Een ondersteuningscase openen
- (Vereist een Cisco-servicecontract)