Setting up Apache with mod_SSL

2016-11-29

Add mod_ssl to Apache so that communication with the web server can take place over an encrypted connection.

Installing mod_ssl

(1) Install mod_ssl

# yum -y install mod_ssl

Create a CA certificate (CACERT) with your own certificate authority (CA)

(1) Change to the CA script directory

# cd /etc/pki/tls/misc/

(2) Create the CA certificate (CACERT) with the CA script
# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
....................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Nara
Locality Name (eg, city) [Newbury]:Yamatokoriya
Organization Name (eg, company) [My Company Ltd]:example1,Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example1.jp
Email Address []:webmaster@example1.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:

Create the private key (Key) and the certificate signing request (CSR)

The private key is created without a passphrase.

(1) Create a directory in which to store the key

# mkdir /etc/httpd/ssl_key

(2) Change to that directory
# cd /etc/httpd/ssl_key

(3) Create the private key (Key), with no passphrase
# openssl genrsa -out ./key.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ./key.pem:
Verifying - Enter pass phrase for ./key.pem:

(4) Create the certificate signing request (CSR)
# openssl req -new -key ./key.pem -out ./csr.pem

Enter pass phrase for ./key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Nara
Locality Name (eg, city) [Newbury]:Yamatokoriya
Organization Name (eg, company) [My Company Ltd]:example1,Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example1.jp
Email Address []:webmaster@example1.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(5) Confirm that the private key (Key) and the CSR have been created
# ls -l
合計 8
-rw-r--r-- 1 root root 688 10月 8 21:08 csr.pem
-rw-r--r-- 1 root root 963 10月 8 21:05 key.pem

Sign the CSR with your own CA to create the certificate (CERT)

(1) Change to the CA script directory

# cd /etc/pki/tls/misc

(2) Create the signed certificate (CERT)
# openssl ca -out /etc/pki/CA/certs/cert.pem -infiles /etc/httpd/ssl_key/csr.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 8 12:31:47 2009 GMT
Not After : Oct 8 12:31:47 2010 GMT
Subject:
countryName = JP
stateOrProvinceName = Nara
organizationName = example1,Inc.
commonName = example1.jp
emailAddress = webmaster@example1.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
42:A4:94:99:99:E5:5F:B5:7E:76:2C:D2:B2:70:B5:E9:89:B2:0A:B7
X509v3 Authority Key Identifier:
keyid:7C:95:30:AC:C7:1B:56:F4:C4:B4:7F:34:EE:C4:43:61:EA:B9:BD:7B

Install the certificate (CERT) and the private key (Key) into Apache

(1) Copy the certificate created above

# cp -p /etc/pki/CA/certs/cert.pem /etc/httpd/ssl_key

(2) Edit ssl.conf
# cd /etc/httpd/conf.d/
# vi ssl.conf

SSLCertificateFile /etc/httpd/ssl_key/cert.pem
SSLCertificateKeyFile /etc/httpd/ssl_key/key.pem

Restarting Apache

(1) Check the configuration syntax

# /etc/init.d/httpd configtest
Syntax OK

(2) Restart Apache
# /etc/init.d/httpd restart
httpd を停止中: [ OK ]
httpd を起動中: [ OK ]
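The whole procedure above, from creating the CA to a cert.pem/key.pem pair ready for SSLCertificateFile and SSLCertificateKeyFile, as an added shell example that is not code from the original page. It assumes 2048-bit RSA keys in place of the page's 1024-bit ones, signs with a one-shot `openssl x509 -req` instead of the /etc/pki/tls/misc/CA script and `openssl ca` so it runs in any scratch directory, uses constructed DN values and hostnames, and goes beyond the page by ending with a check that the certificate chains to the CA, matches the key, names the host, and that the key file is not world-readable.

```shell
#!/bin/sh
# Added example, not the page's own code: private CA, passphrase-less server key
# and CSR, CA-signed cert, then checks that cert.pem/key.pem are fit for
# SSLCertificateFile/SSLCertificateKeyFile. Assumptions differing from the page:
# 2048-bit RSA instead of 1024, and one-shot `openssl x509 -req` signing instead
# of the /etc/pki/tls/misc/CA script and `openssl ca`, so it runs in any scratch
# directory. DN values and hostnames are constructed.
set -eu
CA_SUBJ="/C=JP/ST=Nara/L=Yamatokoriya/O=Example1 Inc/CN=example1.jp"

# make_ca DIR : CA key (cakey.pem, mode 600) and self-signed CA cert (cacert.pem)
make_ca() {
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null && chmod 600 "$1/cakey.pem"
    openssl req -new -key "$1/cakey.pem" -subj "$CA_SUBJ" -out "$1/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca_ext.cnf"
    openssl x509 -req -days 3650 -in "$1/ca.csr" -signkey "$1/cakey.pem" \
        -extfile "$1/ca_ext.cnf" -out "$1/cacert.pem" 2>/dev/null
}

# make_key_csr DIR HOST : server key without passphrase (mode 600: httpd reads it
# as root at startup, nobody else needs it) and a CSR for HOST
make_key_csr() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null && chmod 600 "$1/key.pem"
    openssl req -new -key "$1/key.pem" -out "$1/csr.pem" -subj "/C=JP/ST=Nara/O=Example1 Inc/CN=$2"
}

# sign_csr DIR HOST : CA signs csr.pem into a one-year server cert with SAN=HOST
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/srv_ext.cnf"
    openssl x509 -req -days 365 -in "$1/csr.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -extfile "$1/srv_ext.cnf" -out "$1/cert.pem" 2>/dev/null
}

# check_pair DIR HOST : 0 if cert.pem chains to cacert.pem, matches key.pem,
# names HOST, and key.pem is not readable by others; 1 otherwise
check_pair() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" >/dev/null 2>&1 || return 1
    cm=$(openssl x509 -noout -modulus -in "$1/cert.pem")
    km=$(openssl rsa -noout -modulus -in "$1/key.pem" 2>/dev/null)
    [ "$cm" = "$km" ] || return 1
    openssl x509 -noout -text -in "$1/cert.pem" | grep -q "DNS:$2" || return 1
    case $(ls -l "$1/key.pem" | cut -c8-10) in ---) ;; *) return 1 ;; esac
}

# Run the whole procedure in a scratch directory:  sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_ca "$d"; make_key_csr "$d" www.example1.jp; sign_csr "$d" www.example1.jp
    check_pair "$d" www.example1.jp && echo "$d: OK" || { echo "$d: cert/key check failed" >&2; exit 1; }
fi
```

The files land in the scratch directory named by `mktemp -d`; copy cert.pem and key.pem to the paths given in ssl.conf and keep cacert.pem for clients that need to trust the private CA.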
