Edit the file /etc/pki/tls/openssl.cnf

/etc/pki/tls/openssl.cnf

Append at the end of the file:

    [ alternate_names ]
    DNS.1 = acd-lb.domain.de
    DNS.2 = acd-lb.domain.local
    DNS.3 = acd-lb

Add to this section (in the stock configuration [ v3_ca ] is the section referenced by x509_extensions in [ req ], so "openssl req -x509" applies it to the self-signed certificate):

    [ v3_ca ]
    subjectAltName = @alternate_names

Add to or change in the same section:

    [ v3_ca ]
    keyUsage = digitalSignature, keyEncipherment

Change or uncomment in this section:

    [ CA_default ]
    copy_extensions = copy

Note: copy_extensions is only evaluated by "openssl ca"; the self-signed "openssl req -x509" call below takes its extensions from [ v3_ca ] directly. The stock [ v3_ca ] section also carries basicConstraints = critical,CA:TRUE, so the resulting certificate is flagged as a CA certificate. That is acceptable for a self-signed certificate that is imported into trust stores by hand, but it is not what a server certificate issued by a real CA looks like.
Create the directory for the keys and generate the private key and the certificate:

    mkdir /etc/ssl/newkey
    openssl genrsa -out /etc/ssl/newkey/cert.key 3072
    openssl req -new -x509 -key /etc/ssl/newkey/cert.key -sha256 -out /etc/ssl/newkey/cert.pem -days 730

The private key /etc/ssl/newkey/cert.key is later read by haproxy; make sure it is readable only by root, because whoever obtains it can impersonate the portal and decrypt RSA-key-exchange sessions.

Answer the questions for example as follows:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:DE
    State or Province Name (full name) []:Bavaria
    Locality Name (eg, city) [Default City]:Munich
    Organization Name (eg, company) [Default Company Ltd]:jtel GmbH
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:acd-lb.domain.de
    Email Address []:lewis.graham@jtel.de
Check the generated certificate (verify that the alternative names were included). Browsers and most TLS clients ignore the Common Name once a Subject Alternative Name extension is present, so the certificate is only valid for the names listed there:

    openssl x509 -in /etc/ssl/newkey/cert.pem -text -noout

Check that all DNS names appear under this entry:

    X509v3 Subject Alternative Name:
        DNS:acd-lb.domain.de, DNS:acd-lb.domain.local, DNS:acd-lb
Reference the certificate in haproxy.cfg. The "crt" argument of "bind" expects one PEM file containing the certificate followed by the private key; /etc/ssl/newkey/comb.pem below is that combined file, built from cert.pem and cert.key, and needs the same restrictive permissions as the key. Validate the configuration with "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading. Note that "reqadd" was removed in HAProxy 2.1; on current versions use "http-request set-header X-Forwarded-Proto https" instead.

haproxy.cfg

    frontend acdportal_http
        mode http
        bind :80
        redirect scheme https if !{ ssl_fc }

    #---------------------------------------------------------------------
    # this is the internal HTTPS dispatcher frontend for the acd portal
    #---------------------------------------------------------------------
    frontend acdportal_https
        mode http
        bind :443 ssl crt /etc/ssl/newkey/comb.pem #verify optional
        acl soap_req url_reg ^\/CarrierPortal/AcdAgentClientService.*
        acl stat_req url_reg ^\/haproxy
        acl root_req path /
        acl admn_req path /admin
        acl mini_req path /miniclient
        acl icss_req path /PBX0/MY/mypbx.css
        # acl inno_req url_beg /PBX0/
        timeout client 1d
        option forwardfor header X-JTEL
        reqadd X-Forwarded-Proto:\ https
        redirect location /CarrierPortal/sysadmin/login if admn_req
        redirect location /CarrierPortal/login/jtel/jtel if root_req
        redirect location /CarrierPortal/mclogin/jtel/jtel if mini_req
        # redirect location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
        use_backend stat_admin if stat_req
        use_backend jtel_soap if soap_req
        # use_backend inno11 if inno_req
        default_backend jtel_portal
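The whole procedure above (key, self-signed certificate with SANs, SAN check, combined PEM for haproxy) as one script. This is an added example and not code from the jtel page: instead of editing the global /etc/pki/tls/openssl.cnf it renders a private request config and passes it with -config, marks the certificate CA:FALSE, keeps the key mode 600, and verifies that every expected hostname is really present in the SAN extension before the file is deployed. The scratch directory WORKDIR is a hypothetical assumption; the hostnames are the ones used on the page.

```shell
#!/bin/sh
# Added example, not part of the original page: build a self-signed TLS
# certificate with Subject Alternative Names for haproxy, using a private
# request config instead of editing the global /etc/pki/tls/openssl.cnf.
# Assumed: WORKDIR is a hypothetical scratch directory; the hostnames are
# the ones used on the page. Copy comb.pem to /etc/ssl/newkey/ afterwards.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/cert.key"
CRT="$WORKDIR/cert.pem"
COMB="$WORKDIR/comb.pem"      # haproxy "crt" file: certificate followed by key
CNF="$WORKDIR/san.cnf"

# Render a minimal OpenSSL request config. The first argument becomes the CN,
# every argument (CN included) becomes a DNS SAN, which is what clients check.
# Usage: make_san_config acd-lb.domain.de acd-lb.domain.local acd-lb
make_san_config() {
    printf '%s\n' \
        '[ req ]' \
        'prompt = no' \
        'distinguished_name = dn' \
        'x509_extensions = v3_san' \
        '' \
        '[ dn ]' \
        'C = DE' \
        'O = jtel GmbH' \
        "CN = $1" \
        '' \
        '[ v3_san ]' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = @alternate_names' \
        '' \
        '[ alternate_names ]'
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# Generate the RSA key, the self-signed certificate and the combined PEM.
generate_cert() {
    make_san_config "$@" > "$CNF"
    umask 077                     # key material must never be world-readable
    openssl genrsa -out "$KEY" 3072 2>/dev/null
    openssl req -new -x509 -key "$KEY" -sha256 -days 730 \
        -config "$CNF" -out "$CRT"
    cat "$CRT" "$KEY" > "$COMB"   # order matters: certificate first, then key
    chmod 600 "$KEY" "$COMB"
}

# Succeed only if every given hostname is present as a DNS SAN in the cert.
# Usage: check_sans cert.pem host1 host2 ...
check_sans() {
    cert="$1"; shift
    sans=$(openssl x509 -in "$cert" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n')          # one "DNS:host" per line
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qx "DNS:$name" || return 1
    done
}

# Succeed only if the combined file has the layout haproxy expects.
check_comb() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' \
        && grep -q 'PRIVATE KEY-----$' "$1"
}

if command -v openssl >/dev/null 2>&1; then
    generate_cert acd-lb.domain.de acd-lb.domain.local acd-lb
    check_sans "$CRT" acd-lb.domain.de acd-lb.domain.local acd-lb
    check_comb "$COMB"
    echo "OK: $COMB carries all SANs; copy it to /etc/ssl/newkey/comb.pem"
fi
```

After copying comb.pem into /etc/ssl/newkey/, run "haproxy -c -f /etc/haproxy/haproxy.cfg" to validate the configuration and then reload haproxy. The check_sans step is the scripted form of the manual "openssl x509 -text" inspection on the page and fails the script if a name is missing, which is the failure mode that otherwise only surfaces as a browser warning later.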