Building Apache + mod_SSL
Install mod_ssl into Apache so that communication with the web server can be accessed over an encrypted connection.
Installing mod_ssl
(1) Install mod_ssl
# yum -y install mod_ssl
Creating a CA certificate (CACERT) with your own certificate authority (CA)
(1) Change to the directory
# cd /etc/pki/tls/misc/
(2) Create the CA certificate (CACERT) using the CA script
# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
....................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Nara
Locality Name (eg, city) [Newbury]:Yamatokoriya
Organization Name (eg, company) [My Company Ltd]:example1,Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example1.jp
Email Address []:webmaster@example1.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Creating the private key (Key) and the certificate signing request (CSR)
The private key is created without a passphrase.
(1) Create a directory to store the key
# mkdir /etc/httpd/ssl_key
(2) Change to the directory
# cd /etc/httpd/ssl_key
(3) Create the private key (Key) (no passphrase)
# openssl genrsa -out ./key.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ./key.pem:
Verifying - Enter pass phrase for ./key.pem:
(4) Create the certificate signing request (CSR)
# openssl req -new -key ./key.pem -out ./csr.pem
Enter pass phrase for ./key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Nara
Locality Name (eg, city) [Newbury]:Yamatokoriya
Organization Name (eg, company) [My Company Ltd]:example1,Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example1.jp
Email Address []:webmaster@example1.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(5) Confirm that the private key (Key) and certificate signing request (CSR) have been created
# ls -l
合計 8
-rw-r--r-- 1 root root 688 10月  8 21:08 csr.pem
-rw-r--r-- 1 root root 963 10月  8 21:05 key.pem
Signing the certificate signing request (CSR) with your own CA to create the certificate (CERT)
(1) Change to the directory
# cd /etc/pki/tls/misc
(2) Create the signed certificate (CERT)
# openssl ca -out /etc/pki/CA/certs/cert.pem -infiles /etc/httpd/ssl_key/csr.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  8 12:31:47 2009 GMT
            Not After : Oct  8 12:31:47 2010 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Nara
            organizationName          = example1,Inc.
            commonName                = example1.jp
            emailAddress              = webmaster@example1.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                42:A4:94:99:99:E5:5F:B5:7E:76:2C:D2:B2:70:B5:E9:89:B2:0A:B7
            X509v3 Authority Key Identifier:
                keyid:7C:95:30:AC:C7:1B:56:F4:C4:B4:7F:34:EE:C4:43:61:EA:B9:BD:7B
Installing the certificate (CERT) and private key (Key) into Apache
(1) Copy the created certificate
# cp -p /etc/pki/CA/certs/cert.pem /etc/httpd/ssl_key
(2) Edit ssl.conf
# cd /etc/httpd/conf.d/
# vi ssl.conf
SSLCertificateFile /etc/httpd/ssl_key/cert.pem
SSLCertificateKeyFile /etc/httpd/ssl_key/key.pem
Restarting Apache
(1) Syntax check
# /etc/init.d/httpd configtest
Syntax OK
(2) Restart Apache
# /etc/init.d/httpd restart
httpd を停止中: [ OK ]
httpd を起動中: [ OK ]
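Before restarting httpd it is worth checking that the key.pem and cert.pem that ssl.conf points at actually belong together, that the passphrase-less key is not world-readable (the ls -l output above shows it created as 644), and that the one-year certificate has not expired. The following script is an added example, not part of the original page; it assumes openssl and GNU stat are available and defaults to the paths used on this page.

```shell
#!/bin/sh
# Added check (not from the original page): validate the key/cert pair that
# ssl.conf references before restarting httpd.
# Assumes openssl and GNU stat (Linux). Paths default to the page's
# /etc/httpd/ssl_key/*.pem; pass other paths as $1 (cert) and $2 (key).

check_ssl_pair() {
    cert="${1:-/etc/httpd/ssl_key/cert.pem}"
    key="${2:-/etc/httpd/ssl_key/key.pem}"

    # Both files must exist and be readable before anything else is compared.
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing cert or key"; return 4; }

    # 1. The certificate must have been issued for this key: compare the
    #    public key embedded in cert.pem with the one derived from key.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }

    # 2. A passphrase-less key must not be readable by other local users:
    #    anyone who can read it can impersonate the server (chmod 600 key.pem).
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key mode $mode is too permissive, expected 600"; return 2 ;;
    esac

    # 3. The certificate must still be within its validity period
    #    (the CA on this page issues certificates valid for one year).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 3; }

    echo "ok: $cert matches $key, key mode is $mode, certificate is valid"
    return 0
}
```

Run `check_ssl_pair` with no arguments on the server to check the page's default paths; a non-zero exit code tells you which check failed (1 mismatch, 2 permissions, 3 expired, 4 missing file).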