Generate a CA certificate

<p>When configuring an HTTPS listener, you can use a self-signed CA certificate, and use that CA certificate to sign the client certificate (for mutual TLS) or as the CA certificate for full-link encryption.</p> <p><strong><span style="font-size:18px">Use OpenSSL to Generate a CA Certificate</span></strong></p> <p><strong>Procedures</strong></p> <p>1. Execute the following commands to create a ca folder with four subfolders. The openssl.conf file in step 2 refers to the CA directory as /home/cert/ca, so create the folder there (or change every path in openssl.conf to match the directory you use).</p> <pre> <code>mkdir -p /home/cert/ca
cd /home/cert/ca
mkdir newcerts private conf server</code></pre> <p>&nbsp;</p> <ul> <li>The newcerts directory stores the digital certificates signed by the CA.</li> <li>The private directory stores the private key of the CA. Keep it readable only by the CA operator: anyone who obtains ca.key can issue certificates that the listener will trust.</li> <li>The conf directory stores the configuration file that supplies the openssl ca parameters.</li> <li>The server directory stores the server certificate file.</li> </ul> <p>2. Create a new openssl.conf file with the following content under the conf directory. Comments in an OpenSSL configuration file start with #; anything else after a value is read as part of the value.</p> <pre> <code>[ ca ]
default_ca = foo
[ foo ]
dir = /home/cert/ca
database = /home/cert/ca/index.txt
new_certs_dir = /home/cert/ca/newcerts
certificate = /home/cert/ca/private/ca.crt
serial = /home/cert/ca/serial
private_key = /home/cert/ca/private/ca.key
RANDFILE = /home/cert/ca/private/.rand
default_days = 365        # validity period of issued certificates, in days
default_crl_days = 30     # days from the release of one CRL to the release of the next; when generating a CRL, set either this or default_crl_hours
default_md = sha256       # md5 digests are rejected on CentOS; sha256 avoids the "unknown message digest algorithm" error
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied</code></pre> <p>3. 
Execute the following command to generate the CA private key. State the key size explicitly (2048 bits or more): older OpenSSL releases default to a key size that current clients reject.</p> <pre> <code>cd /home/cert/ca
openssl genrsa -out private/ca.key 2048</code></pre> <p>Result</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151041-195548b89134.png" style="height:74px; width:830px" /></p> <p>4. Execute the following command, enter the required information as prompted, and press Enter to generate the certificate signing request (CSR) file.</p> <pre> <code>openssl req -new -key private/ca.key -out private/ca.csr</code></pre> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151117-1eed22659f73.png" style="height:22px; margin:1px; width:50px" />: For Common Name, enter the local domain name (127.0.0.1 is acceptable); enter &quot;.&quot; for each remaining field to leave it blank.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151147-1a9824c89933.png" style="height:390px; width:689px" /></p> <p>5. Execute the following command to generate the self-signed CA certificate (crt file).</p> <pre> <code>openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt</code></pre> <p>Without an extension file (-extfile), this command does not add the basicConstraints CA:TRUE extension to the certificate. Some TLS stacks refuse to build a chain through an issuer certificate that lacks it, so inspect the result with openssl x509 -text -noout and, if CA:TRUE is missing, re-issue the certificate with an extension section that sets basicConstraints = critical, CA:TRUE.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151258-14e2fcd8984f.png" style="height:66px; width:830px" /></p> <p>6. Execute the following command to set the starting serial number for the certificates the CA issues. It can be any even-length hexadecimal string (FACE is four hex digits); openssl ca increments it after each certificate it signs.</p> <pre> <code>echo FACE &gt; serial</code></pre> <p>7. Execute the following command to create the (initially empty) certificate database, in which openssl ca records every certificate it signs or revokes.</p> <pre> <code>touch index.txt</code></pre> <p>8. 
Execute the following command to create a certificate revocation list (CRL), which is how client certificates are later revoked. -crldays 7 overrides default_crl_days from openssl.conf; a client that checks the CRL rejects an expired one, so regenerate the CRL before the seven days elapse and after every revocation.</p> <pre> <code>openssl ca -gencrl -out /home/cert/ca/private/ca.crl -crldays 7 -config "/home/cert/ca/conf/openssl.conf"</code></pre> <p>Result</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151416-19972ad396b1.png" style="height:33px; width:830px" /></p> <p><strong><span style="font-size:18px">Sign the Client Certificate</span></strong></p> <p><strong>Procedures</strong></p> <p>1. Run the following command in the CA directory to create a users directory, which stores the key and certificate to be signed (named server.key, server.csr and server.crt below).</p> <pre> <code>mkdir users</code></pre> <p>2. Run the following command to create the key. Use at least 2048 bits; 1024-bit RSA keys are rejected by many current TLS clients.</p> <pre> <code>openssl genrsa -des3 -out /home/cert/ca/users/server.key 2048</code></pre> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151117-1eed22659f73.png" style="height:22px; margin:1px; width:50px" />: When creating the key you are asked for a pass phrase, which encrypts the key file so that it cannot be used directly if the file is leaked.</p> <p>3. Enter the same pass phrase twice. If the key has to be loaded without a prompt, you can strip the pass phrase afterwards with the command openssl rsa -in server.key -out server.key; the file is then stored unencrypted, so restrict its permissions.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151549-1a70c8929afa.png" style="height:139px; width:740px" /><br /> <img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151614-166045bb941e.png" style="height:60px; width:627px" /></p> <p>4. 
Run the following command to create a certificate signing request (CSR) for the key.</p> <pre> <code>openssl req -new -key /home/cert/ca/users/server.key -out /home/cert/ca/users/server.csr</code></pre> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151117-1eed22659f73.png" style="height:22px; margin:1px; width:50px" />:</p> <p>After entering the command, enter the pass phrase from the previous step when prompted, then fill in the requested fields.</p> <p>Set Common Name to the listener address in the form vip_vport and enter &quot;.&quot; for the other fields. For example, if the IP of the ELB is 100.101.1.30 and the HTTPS listener port is 443, the Common Name is 100.101.1.30_443.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151711-1dfac9679e0c.png" style="height:302px; width:830px" /></p> <p>5. Run the following command to sign the CSR with the CA's key (-keyfile) and certificate (-cert).</p> <pre> <code>openssl ca -in /home/cert/ca/users/server.csr -cert /home/cert/ca/private/ca.crt -keyfile /home/cert/ca/private/ca.key -out /home/cert/ca/users/server.crt -config "/home/cert/ca/conf/openssl.conf"</code></pre> <p>Answer y to both confirmation prompts: the first signs the certificate, the second commits it to the database.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151755-187f7d239886.png" style="height:115px; width:830px" /></p>
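<p>The whole procedure, as an added example that is not code from the original page: a non-interactive shell version of steps 1 to 8 and of the client-certificate signing, followed by the checks a practitioner runs afterwards (is ca.crt marked CA:TRUE, does server.crt chain to it, and is it rejected once it has been revoked and listed in the CRL). Assumptions, not taken from the page: the CA lives in a temporary directory instead of /home/cert/ca, the CA Common Name is demo-ca, the issued Common Name is 100.101.1.30_443, keys carry no pass phrase so the commands run unattended, and the ca_ext and leaf_ext sections are added so that the CA certificate carries basicConstraints CA:TRUE and the issued certificate CA:FALSE.</p>

```shell
#!/bin/sh
# Added example (not from the original page): the CA procedure above as
# non-interactive shell functions, plus the checks to run afterwards.
# Assumed/constructed: the CA directory is a temp dir instead of /home/cert/ca,
# the CA CN is "demo-ca", the issued CN is the page's vip_vport form
# 100.101.1.30_443, and keys carry no pass phrase so the commands run unattended.
set -eu

build_demo_ca() {
    ca="$1"
    mkdir -p "$ca/newcerts" "$ca/private" "$ca/conf" "$ca/users"
    chmod 700 "$ca/private"             # the CA key must never be readable by others
    cat > "$ca/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $ca
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/private/ca.crt
serial = $ca/serial
private_key = $ca/private/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cfg="$ca/conf/openssl.conf"
    # Steps 3-5: CA key, CSR and self-signed CA certificate. Unlike the bare
    # "openssl x509 -req -signkey" form, the ca_ext section marks it CA:TRUE.
    openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$ca/private/ca.key" -subj "/CN=demo-ca" \
        -out "$ca/private/ca.csr"
    openssl x509 -req -days 365 -in "$ca/private/ca.csr" -signkey "$ca/private/ca.key" \
        -extfile "$cfg" -extensions ca_ext -out "$ca/private/ca.crt"
    # Steps 6-8: serial (even number of hex digits), empty database, first CRL.
    echo FACE > "$ca/serial"
    : > "$ca/index.txt"
    openssl ca -gencrl -config "$cfg" -crldays 7 -out "$ca/private/ca.crl"
}

issue_cert() {
    ca="$1"; cn="$2"; cfg="$ca/conf/openssl.conf"
    # Client-certificate steps 2, 4 and 5 with the pass phrase prompt removed.
    openssl genrsa -out "$ca/users/server.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$ca/users/server.key" -subj "/CN=$cn" \
        -out "$ca/users/server.csr"
    openssl ca -batch -notext -config "$cfg" -extensions leaf_ext \
        -cert "$ca/private/ca.crt" -keyfile "$ca/private/ca.key" \
        -in "$ca/users/server.csr" -out "$ca/users/server.crt"
}

revoke_cert() {
    ca="$1"; cfg="$ca/conf/openssl.conf"
    # Mark the certificate revoked in index.txt, then publish a fresh CRL.
    openssl ca -config "$cfg" -revoke "$ca/users/server.crt"
    openssl ca -gencrl -config "$cfg" -crldays 7 -out "$ca/private/ca.crl"
}

cert_is_ca()    { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
cert_subject()  { openssl x509 -in "$1" -noout -subject; }
verify_chain()  { openssl verify -CAfile "$1/private/ca.crt" "$1/users/server.crt" >/dev/null 2>&1; }
verify_with_crl() {
    # What a CRL-checking verifier does: chain to ca.crt and consult ca.crl.
    openssl verify -crl_check -CAfile "$1/private/ca.crt" -CRLfile "$1/private/ca.crl" \
        "$1/users/server.crt" >/dev/null 2>&1
}

DEMO=$(mktemp -d)      # constructed location standing in for /home/cert/ca
build_demo_ca "$DEMO"
issue_cert "$DEMO" "100.101.1.30_443"
verify_chain "$DEMO" && echo "server.crt chains to ca.crt"
revoke_cert "$DEMO"
verify_with_crl "$DEMO" || echo "server.crt is rejected once the CRL lists it"
```

<p>The only differences from typing the steps by hand are the -subj and -batch options, which replace the interactive prompts, and the two extension sections: without ca_ext the CA certificate has no basicConstraints, and without leaf_ext the issued certificate is a bare certificate with no key-usage limits. The final verify call is the check to repeat after every revocation; if it still succeeds, the CRL was not regenerated.</p>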