[root@ipamaster1 /]# rpm -q mod_nss
mod_nss-1.0.14-3.el7.x86_64
[root@ipamaster1 /]#
[root@ipamaster1 /]# mkdir /var/www/snil
[root@ipamaster1 /]# cat << EOF > /var/www/snil/index.html
SNI Works!
EOF
[root@ipamaster1 /]# cat << EOF > /var/www/html/index.html
It Works!
EOF
[root@ipamaster1 /]# cat << EOF >> /etc/httpd/conf.d/nss.conf
NameVirtualHost *:8443
NSSSNI on
ServerName www1.`hostname`
DocumentRoot /var/www/snil
NSSEngine on
NSSFIPS off
NSSOCSP off
NSSRenegotiation on
NSSCipherSuite +rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1
NSSNickname Server-Cert-www1.`hostname`
NSSVerifyClient none
EOF
[root@ipamaster1 /]# echo Secret123 > /tmp/password.txt
[root@ipamaster1 /]# echo $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) www1.`hostname` >> /etc/hosts
[root@ipamaster1 /]# echo $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) www2.`hostname` >> /etc/hosts
[root@ipamaster1 /]# cat /dev/urandom | certutil -d /etc/httpd/alias -f /tmp/password.txt -S -n "Server-Cert-www1.`hostname`" -s "CN=www1.`hostname`,O=`hostname`,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www1.`hostname`
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
[root@ipamaster1 /]# cat /dev/urandom | certutil -d /etc/httpd/alias -f /tmp/password.txt -S -n "Server-Cert-www2.`hostname`" -s "CN=www2.`hostname`,O=`hostname`,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www2.`hostname`
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
[root@ipamaster1 /]# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
beta u,pu,u
alpha u,pu,u
Server-Cert u,u,u
Server-Cert-www1.ipamaster1.testrelm.test u,u,u
Server-Cert-www2.ipamaster1.testrelm.test u,u,u
[root@ipamaster1 /]# certutil -d /etc/httpd/alias -L -n cacert -a > /etc/httpd/alias/ca.pem
[root@ipamaster1 /]# systemctl restart httpd
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://`hostname`:8443/
* About to connect() to ipamaster1.testrelm.test port 8443 (#0)
* Trying 192.168.121.76...
* Connected to ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/httpd/alias/ca.pem
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=ipamaster1.testrelm.test,O=example.com,C=US
* start date: Aug 09 07:16:31 2016 GMT
* expire date: Aug 09 07:16:31 2020 GMT
* common name: ipamaster1.testrelm.test
* issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:23 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:38 GMT
< ETag: "31-5399ee2ed6b53"
< Accept-Ranges: bytes
< Content-Length: 49
< Content-Type: text/html; charset=UTF-8
<
It Works!
* Connection #0 to host ipamaster1.testrelm.test left intact
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.`hostname`:8443/
* About to connect() to www1.ipamaster1.testrelm.test port 8443 (#0)
* Trying 192.168.121.76...
* Connected to www1.ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/httpd/alias/ca.pem
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=www1.ipamaster1.testrelm.test,O=ipamaster1.testrelm.test,C=US
* start date: Aug 09 08:15:04 2016 GMT
* expire date: Nov 09 08:15:04 2016 GMT
* common name: www1.ipamaster1.testrelm.test
* issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www1.ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:29 GMT
< ETag: "32-5399ee26b0c53"
< Accept-Ranges: bytes
< Content-Length: 50
< Content-Type: text/html; charset=UTF-8
<
SNI Works!
* Connection #0 to host www1.ipamaster1.testrelm.test left intact
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.`hostname`:8443/
* About to connect() to www1.ipamaster1.testrelm.test port 8443 (#0)
* Trying 192.168.121.76...
* Connected to www1.ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/httpd/alias/ca.pem
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=www1.ipamaster1.testrelm.test,O=ipamaster1.testrelm.test,C=US
* start date: Aug 09 08:15:04 2016 GMT
* expire date: Nov 09 08:15:04 2016 GMT
* common name: www1.ipamaster1.testrelm.test
* issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www1.ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:52 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:29 GMT
< ETag: "32-5399ee26b0c53"
< Accept-Ranges: bytes
< Content-Length: 50
< Content-Type: text/html; charset=UTF-8
<
SNI Works!
* Connection #0 to host www1.ipamaster1.testrelm.test left intact
[root@ipamaster1 /]#