[root@ipamaster1 /]# rpm -q mod_nss
mod_nss-1.0.14-3.el7.x86_64
[root@ipamaster1 /]#
[root@ipamaster1 /]# mkdir /var/www/snil
[root@ipamaster1 /]# cat << EOF > /var/www/snil/index.html

SNI Works!

EOF
[root@ipamaster1 /]# cat << EOF > /var/www/html/index.html

It Works!

EOF
[root@ipamaster1 /]# cat << EOF >> /etc/httpd/conf.d/nss.conf
NameVirtualHost *:8443
NSSSNI on
ServerName www1.`hostname`
DocumentRoot /var/www/snil
NSSEngine on
NSSFIPS off
NSSOCSP off
NSSRenegotiation on
NSSCipherSuite +rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1
NSSNickname Server-Cert-www1.`hostname`
NSSVerifyClient none
EOF
[root@ipamaster1 /]# echo Secret123 > /tmp/password.txt
[root@ipamaster1 /]# echo $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) www1.`hostname` >> /etc/hosts
[root@ipamaster1 /]# echo $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) www2.`hostname` >> /etc/hosts
[root@ipamaster1 /]# cat /dev/urandom | certutil -d /etc/httpd/alias -f /tmp/password.txt -S -n "Server-Cert-www1.`hostname`" -s "CN=www1.`hostname`,O=`hostname`,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www1.`hostname`

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.

[root@ipamaster1 /]# cat /dev/urandom | certutil -d /etc/httpd/alias -f /tmp/password.txt -S -n "Server-Cert-www2.`hostname`" -s "CN=www2.`hostname`,O=`hostname`,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www2.`hostname`

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.

[root@ipamaster1 /]# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
beta                                                         u,pu,u
alpha                                                        u,pu,u
Server-Cert                                                  u,u,u
Server-Cert-www1.ipamaster1.testrelm.test                    u,u,u
Server-Cert-www2.ipamaster1.testrelm.test                    u,u,u
[root@ipamaster1 /]# certutil -d /etc/httpd/alias -L -n cacert -a > /etc/httpd/alias/ca.pem
[root@ipamaster1 /]# systemctl restart httpd
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://`hostname`:8443/
* About to connect() to ipamaster1.testrelm.test port 8443 (#0)
*   Trying 192.168.121.76...
* Connected to ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/httpd/alias/ca.pem
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=ipamaster1.testrelm.test,O=example.com,C=US
*       start date: Aug 09 07:16:31 2016 GMT
*       expire date: Aug 09 07:16:31 2020 GMT
*       common name: ipamaster1.testrelm.test
*       issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:23 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:38 GMT
< ETag: "31-5399ee2ed6b53"
< Accept-Ranges: bytes
< Content-Length: 49
< Content-Type: text/html; charset=UTF-8
<

It Works!

* Connection #0 to host ipamaster1.testrelm.test left intact
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.`hostname`:8443/
* About to connect() to www1.ipamaster1.testrelm.test port 8443 (#0)
*   Trying 192.168.121.76...
* Connected to www1.ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/httpd/alias/ca.pem
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=www1.ipamaster1.testrelm.test,O=ipamaster1.testrelm.test,C=US
*       start date: Aug 09 08:15:04 2016 GMT
*       expire date: Nov 09 08:15:04 2016 GMT
*       common name: www1.ipamaster1.testrelm.test
*       issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www1.ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:29 GMT
< ETag: "32-5399ee26b0c53"
< Accept-Ranges: bytes
< Content-Length: 50
< Content-Type: text/html; charset=UTF-8
<

SNI Works!

* Connection #0 to host www1.ipamaster1.testrelm.test left intact
[root@ipamaster1 /]# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.`hostname`:8443/
* About to connect() to www1.ipamaster1.testrelm.test port 8443 (#0)
*   Trying 192.168.121.76...
* Connected to www1.ipamaster1.testrelm.test (192.168.121.76) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/httpd/alias/ca.pem
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=www1.ipamaster1.testrelm.test,O=ipamaster1.testrelm.test,C=US
*       start date: Aug 09 08:15:04 2016 GMT
*       expire date: Nov 09 08:15:04 2016 GMT
*       common name: www1.ipamaster1.testrelm.test
*       issuer: CN=Certificate Shack,O=example.com,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www1.ipamaster1.testrelm.test:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 09 Aug 2016 08:18:52 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
< Last-Modified: Tue, 09 Aug 2016 07:57:29 GMT
< ETag: "32-5399ee26b0c53"
< Accept-Ranges: bytes
< Content-Length: 50
< Content-Type: text/html; charset=UTF-8
<

SNI Works!

* Connection #0 to host www1.ipamaster1.testrelm.test left intact
[root@ipamaster1 /]#
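The curl runs above only show that each name gets a 200; what a reviewer of this SNI setup wants to confirm is that every vhost returns a certificate that actually names the host requested, and what a client that sends no SNI receives. The script below is an added check, not part of the session: it probes the listener once per SNI name (and once without SNI), matches the served certificate's SAN/CN against the requested name, and flags the TLS 1.0/1.1-only negotiation the session's NSSProtocol line permits; the hostnames, port and CA file path are taken from the session and are assumptions for any other host.

```python
import socket
import ssl
import sys

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, mirroring the
# www1 certificate from the session above (CN plus the SAN added with certutil -8).
SAMPLE_WWW1_CERT = {
    "subject": ((("commonName", "www1.ipamaster1.testrelm.test"),),
                (("organizationName", "ipamaster1.testrelm.test"),),
                (("countryName", "US"),)),
    "subjectAltName": (("DNS", "www1.ipamaster1.testrelm.test"),),
}

def cert_names(cert):
    """DNS names the cert vouches for: SAN dNSName entries; CN only if no SAN (RFC 6125)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(cert, hostname):
    """Case-insensitive exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names(cert)):
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:] \
                and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def probe(host, port, sni, cafile):
    """One TLS handshake; sni=None omits the SNI extension (a legacy client), which
    makes mod_nss fall back to the default vhost's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                   # report mismatches instead of aborting
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # the session's NSSProtocol allows only 1.0/1.1
    # (with OpenSSL 3 that also needs ctx.set_ciphers("DEFAULT:@SECLEVEL=0") for this test)
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        cert = tls.getpeercert()
        return {"sni": sni, "version": tls.version(), "names": cert_names(cert),
                "match": name_matches(cert, sni or host),
                "weak_tls": tls.version() in ("TLSv1", "TLSv1.1")}

if __name__ == "__main__":
    # Assumed invocation: probe_sni.py ipamaster1.testrelm.test 8443 /etc/httpd/alias/ca.pem
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for sni in (None, host, "www1." + host, "www2." + host):
        r = probe(host, port, sni, cafile)
        print(f"SNI={sni!s:45} {r['version']:8} cert names={r['names']} "
              f"{'OK' if r['match'] else 'MISMATCH'}{' (TLS<1.2)' if r['weak_tls'] else ''}")
```

A MISMATCH on the www2 line (or the default cert appearing for every name) means the extra vhost is not being selected by SNI; the no-SNI line shows what older clients will be handed.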