*A main point that is not revealed in the AMI BIOS Setup menu:
If using a self-signed certificate file, the CN (Common Name) must be different between the RootCA certificate and the server certificate.

*Another main point is that the certificate file must be a combination of server-cert, server-key, and ca.crt + ca.key.

=====================================================================================

Create an openssl.cnf
--------------------------
[req]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req

[req_distinguished_name]
C = TW
ST = City
L = Locality
O = Org
OU = OrgUnit
CN = pxe

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[v3_req]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
nsCertType = server
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = pxe
DNS.2 = qt.org
DNS.3 = pxe.qt.org
IP.1 = 192.168.0.5
IP.2 = ffff:1234:ffff:5678::5
--------------------------
http server
- hostname: pxe
- domain name: qt.org
- IP v4 address: 192.168.0.5
- IP v6 address: ffff:1234:ffff:5678::5
---------------------------------------------------------
$ openssl genrsa -out ca.key 2048
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -config openssl.cnf -extensions v3_ca -subj "/CN=Test CA"
-
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr -config openssl.cnf -extensions v3_req
-
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req
-
$ cat ca.crt ca.key > root.pem
$ cat server.crt server.key root.pem > server.pem

=====================================================================================

Modify the httpd SSL config and set SSLCertificateFile and SSLCertificateKeyFile as below.
---------------------------------------------------------
SSLCertificateFile /{cert-path}/server.pem
SSLCertificateKeyFile /{cert-path}/server.pem

---------------------------------------------------------
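
A way to check the generated files against the two main points above, as an added example that is not part of the original post: it confirms that the server CN differs from the CA CN, that server.crt chains to ca.crt and matches server.key, that the host name is covered by the certificate, and it prints the block order of server.pem. The function names are made up for this example; pxe.qt.org is the host name from the [alt_names] section above.

```sh
#!/bin/sh
# Added example: post-generation checks for the files created above.
# Function names are illustrative; file names are the ones used on this page.

# Print the order of PEM blocks in a bundle, e.g. "CERT KEY CERT KEY".
pem_layout() {
    awk '/^-----BEGIN .*PRIVATE KEY-----/ { printf "%sKEY", sep; sep = " "; next }
         /^-----BEGIN CERTIFICATE-----/   { printf "%sCERT", sep; sep = " " }
         END { print "" }' "$1"
}

# Print the commonName of a certificate's subject or issuer.
cert_cn() {  # $1 = certificate, $2 = -subject | -issuer
    openssl x509 -in "$1" -noout -nameopt multiline "$2" |
        sed -n 's/^ *commonName *= *//p'
}

# Return 0 only if the server certificate passes every check.
check_server_cert() {  # $1 = ca.crt  $2 = server.crt  $3 = server.key  $4 = host name
    sub=$(cert_cn "$2" -subject); iss=$(cert_cn "$2" -issuer)
    [ -n "$sub" ] && [ "$sub" != "$iss" ] ||
        { echo "FAIL: server CN '$sub' must differ from CA CN '$iss'"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not chain to $1"; return 1; }
    # The certificate and the key must carry the same public key.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] ||
        { echo "FAIL: $3 does not match $2"; return 1; }
    # The name the firmware connects to must be covered by the certificate.
    openssl x509 -in "$2" -noout -checkhost "$4" | grep -q 'does match' ||
        { echo "FAIL: $4 is not covered by $2"; return 1; }
    echo "OK: CN=$sub issued by CN=$iss, covers $4"
}

# Run against the page's files when they are in the current directory.
if [ -f server.pem ]; then
    echo "server.pem layout: $(pem_layout server.pem)"
    check_server_cert ca.crt server.crt server.key pxe.qt.org
fi
```

For the server.pem built with the cat commands above, the expected layout line is CERT KEY CERT KEY.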
