Writing whatever comes to mind

Notes from study sessions I attended, thoughts from day to day, and the like

Setting up a self-signed SSL certificate + configuring mod_ssl

  • tar xzvf openssl-X.Y.Z.tar.gz
  • cd openssl-X.Y.Z

 Run the config script.
 By default it installs under /usr/local/ssl.
 → To change that, specify --openssldir.
 If you want the OpenSSL binary directly under /usr/bin and
 the libraries directly under /usr/lib, specify --prefix.
 Even when --prefix is given, the remaining files are still installed under --openssldir.
 To build shared libraries, add the shared option.

  • ./config --prefix=/usr --openssldir=/usr/local/openssl shared

 → If the make command is missing: yum install make

  • make

 → If gcc is missing: yum install gcc

 Before installing, test that the build works correctly

  • make test
  • make install
  • cd /usr/local/openssl
  • sh CA.sh -newca

 CA certificate filename (or enter to create)
 
 Making CA certificate ...
 Generating a 1024 bit RSA private key
 ...++++++
 .....................................................++++++
 writing new private key to './demoCA/private/./cakey.pem'
 Enter PEM pass phrase:[password]
 Verifying - Enter PEM pass phrase:[password]
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:[JP]
 State or Province Name (full name) [Berkshire]:[Tokyo]
 Locality Name (eg, city) [Newbury]:[Shinjuku]
 Organization Name (eg, company) [My Company Ltd]:[My]
 Organizational Unit Name (eg, section) :[My]
 Common Name (eg, your name or your server's hostname) :[localhost]
 Email Address :[test@test.com]

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password :[password]
 An optional company name []:[password]
 Using configuration from /etc/pki/tls/openssl.cnf
 Enter pass phrase for ./demoCA/private/./cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
  Serial Number:
  00:00:00:00:00:00:00:00
  Validity
  Not Before: Oct 16 07:28:31 2012 GMT
  Not After : Oct 16 07:28:31 2015 GMT
  Subject:
  countryName = JP
  stateOrProvinceName = Tokyo
  organizationName = Shinjuku
  organizationalUnitName = My
  commonName = My
  emailAddress = test@test.com
  X509v3 extensions:
  X509v3 Subject Key Identifier:
  00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  X509v3 Authority Key Identifier:
  keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  DirName:/C=JP/ST=Tokyo/O=My/OU=My/CN=localhost/emailAddress=test@test.com
  serial:00:00:00:00:00:00:00:00

  X509v3 Basic Constraints:
  CA:TRUE
 Certificate is to be certified until Oct 16 07:28:31 2015 GMT (1095 days)

 Write out database with 1 new entries
 Data Base Updated

  • ll

 total 76
 -rwxr-xr-x 1 root root 5175 Oct 16 02:57 CA.sh
 drwxr-xr-x 2 root root 4096 Oct 16 02:57 bin
 -rw-r--r-- 1 root root 3444 Oct 16 03:16 cert.crt
 -rw-r--r-- 1 root root 2142 Oct 16 03:16 cert.req
 -rw-r--r-- 1 root root 963 Oct 16 03:16 certkey.pem
 -rw-r--r-- 1 root root 887 Oct 16 03:17 certnokey.pem
 drwxr-xr-x 2 root root 4096 Oct 16 02:57 certs
 drwxr-xr-x 6 root root 4096 Oct 16 03:28 demoCA  ← newly created
 drwxr-xr-x 3 root root 4096 Oct 16 02:57 include
 drwxr-xr-x 4 root root 4096 Oct 16 02:57 lib
 drwxr-xr-x 6 root root 4096 Oct 16 02:57 man
 drwxr-xr-x 2 root root 4096 Oct 16 02:57 misc
 -rw-r--r-- 1 root root 10835 Oct 16 02:57 openssl.cnf
 drwxr-xr-x 2 root root 4096 Oct 16 02:57 private
 -rw-r--r-- 1 root root 773 Oct 16 03:10 server.csr
 -rw-r--r-- 1 root root 887 Oct 16 03:08 server.key

  • ll /usr/local/openssl/demoCA/private/cakey.pem

 -rw-r--r-- 1 root root 963 Oct 16 03:28 /usr/local/openssl/demoCA/private/cakey.pem

  • openssl genrsa -out server.key 1024

 Generating RSA private key, 1024 bit long modulus
 ...++++++
 ....++++++
 e is 65537 (0x10001)

  • openssl req -new -key server.key -out server.csr

 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:[JP]
 State or Province Name (full name) [Berkshire]:[Tokyo]
 Locality Name (eg, city) [Newbury]:[Shinjuku]
 Organization Name (eg, company) [My Company Ltd]:[My]
 Organizational Unit Name (eg, section) :[My]
 Common Name (eg, your name or your server's hostname) :[localhost]
 Email Address :[test@test.com]

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password :[password]
 An optional company name []:[password]

  • openssl ca -out server.crt -infiles server.csr

 Using configuration from /etc/pki/tls/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
  Serial Number:
  00:00:00:00:00:00:00:00
  Validity
  Not Before: Oct 16 07:32:20 2012 GMT
  Not After : Oct 16 07:32:20 2013 GMT
  Subject:
  countryName = JP
  stateOrProvinceName = Tokyo
  organizationName = My
  organizationalUnitName = My
  commonName = localhost
  emailAddress = test@test.com
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  X509v3 Authority Key Identifier:
  keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 Certificate is to be certified until Oct 16 07:32:20 2013 GMT (365 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

 What goes into httpd.conf

  • ll /usr/local/openssl/server.crt

 -rw-r--r-- 1 root root 3236 Oct 16 03:32 /usr/local/openssl/server.crt

  • ll /usr/local/openssl/server.key

 -rw-r--r-- 1 root root 887 Oct 16 03:30 /usr/local/openssl/server.key

 After that, /etc/httpd/conf.d/ssl.conf exists by default, so put the paths of the crt and key just created into it.
 → If it does not exist, install it with yum install mod_ssl

 # Point SSLCertificateFile at a PEM encoded certificate. If
 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateFile /usr/local/openssl/server.crt
 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 SSLCertificateKeyFile /usr/local/openssl/server.key

 Restart httpd and you are done

  • /etc/init.d/httpd restart
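As an added example (not the commands from this post), the same CA → CSR → signed server certificate flow done non-interactively with plain openssl commands, followed by the checks worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at the files: the certificate verifies against the CA, key and certificate match, the CN is the hostname, the key is not group/world readable, and the leaf is not itself a CA. It assumes the openssl CLI is on PATH; the scratch directory, file names and subject values are all constructed here.

```shell
#!/bin/sh
# Added example (not the original post's commands): the post's CA -> CSR -> signed
# server certificate flow, done non-interactively, plus the checks worth running
# before wiring the files into ssl.conf. Assumes the openssl CLI is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory for the demo PKI

# Build a throwaway CA and a server certificate it signs (constructed sample input).
make_demo_pki() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # -x509 + -subj: self-signed CA certificate with no interactive prompts
  openssl req -x509 -new -key "$WORK/ca.key" -days 1095 \
    -subj "/C=JP/ST=Tokyo/O=My/CN=Demo CA" -out "$WORK/cacert.pem"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  chmod 600 "$WORK/server.key"   # the post's listing shows 644; a private key should be 600
  openssl req -new -key "$WORK/server.key" \
    -subj "/C=JP/ST=Tokyo/O=My/CN=localhost" -out "$WORK/server.csr"
  # -CAcreateserial stands in for the demoCA index/serial files that CA.sh manages
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# 1. The server certificate must verify against our CA certificate.
check_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1; }

# 2. Certificate and private key must carry the same public key (a mismatch stops httpd).
check_key_matches() {
  crt_pub=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  [ "$crt_pub" = "$key_pub" ]
}

# 3. The CN must be the name clients connect with (the post uses localhost).
cert_cn() { openssl x509 -in "$WORK/server.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# 4. The private key must not be group/world readable.
check_key_mode() { [ "$(ls -l "$WORK/server.key" | cut -c1-10)" = "-rw-------" ]; }

# 5. The server certificate must be a leaf (the post's output shows CA:FALSE).
check_not_ca() { ! openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:TRUE'; }

run_all_checks() {
  check_chain && check_key_matches && [ "$(cert_cn)" = "localhost" ] \
    && check_key_mode && check_not_ca
}

make_demo_pki
run_all_checks && echo "all checks passed for $WORK/server.crt"
```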

[Reference page]
Apache/Creating a self-signed SSL certificate and configuring mod_ssl: http://www.maruko2.com/mw/Apache/SSL%E8%87%AA%E5%B7%B1%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E4%BD%9C%E6%88%90%E3%81%A8mod_ssl%E3%81%AE%E8%A8%AD%E5%AE%9A