Apache + OpenSSL
Preparation: installing openssl-perl
# yum -y install openssl-perl
Install the following packages beforehand.
# yum -y install httpd
# yum -y install mod_ssl
If you configure with CA.pl, also install the following package.
# yum -y install openssl-perl
1. Creating the private key
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:              ★ enter a passphrase
Verifying - Enter pass phrase for server.key:  ★ enter the same passphrase again
#
※ The key above is generated as DES / 1024 bit.
※ Apparently genrsa is gradually being replaced by genpkey.
https://access.redhat.com/documentation/ja-JP/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html
2. Creating the CSR (certificate signing request)
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]::Shinagawa-Ku
Organization Name (eg, company) [Default Company Ltd]:   ★ press Enter
Organizational Unit Name (eg, section) []:               ★ press Enter
Common Name (eg, your name or your server's hostname) []:192.168.xxx.xxx   ★ specify the address clients will actually connect to
Email Address []:                                        ★ press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                 ★ press Enter
An optional company name []:                             ★ press Enter
#
3. Creating the self-signed certificate
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=:Shinagawa-Ku/O=Default Company Ltd/CN=192.168.xxx.xxx
Getting Private key
Enter pass phrase for server.key:   ★ enter the passphrase from step 1
#
4. Removing the passphrase from the private key
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:   ★ enter the passphrase from step 1
writing RSA key
#
※ Without this, httpd asks for the passphrase every time it starts.
5. Editing /etc/httpd/conf.d/ssl.conf
Add the following and restart the service.
SSLCertificateFile /openssl/server.crt
SSLCertificateKeyFile /openssl/server.key
※ Extra
The key pair can be checked with the method described here:
https://cspssl.jp/support/apache/config-keypairs.php#
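The check mentioned above, written out as an added example that is not from the original page or the linked site: it compares the public key carried by server.key, server.csr and server.crt, which catches a key and certificate that were generated in separate runs of steps 1 to 3. It assumes the passphrase has already been removed as in step 4; the self-test builds constructed files in a temporary directory instead of touching /openssl.

```shell
#!/bin/sh
# Added example (not from the original page): check that server.key, server.csr
# and server.crt all carry the same public key before pointing ssl.conf at them.
# Assumes the key is unencrypted (step 4 above); for an encrypted key add
# -passin to the openssl pkey call.
set -eu

# Each helper prints the public key as PEM so the three can be compared as text.
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
pubkey_of_csr()  { openssl req  -in "$1" -pubkey -noout; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout; }

# keypair_matches KEY CSR CERT -> returns 0 if all three agree, 1 otherwise
keypair_matches() {
    k=$(pubkey_of_key "$1") || return 1
    r=$(pubkey_of_csr "$2") || return 1
    c=$(pubkey_of_cert "$3") || return 1
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# self_test: rebuild steps 1-3 non-interactively on constructed files in a temp
# dir (-subj replaces the prompts; no -des3, so no passphrase to remove), then
# confirm the check accepts the real key and rejects an unrelated one.
self_test() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Shinagawa-Ku/CN=192.168.xxx.xxx" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/server.csr" -signkey "$d/server.key" \
        -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # unrelated key
    rc=0
    keypair_matches "$d/server.key" "$d/server.csr" "$d/server.crt" || rc=1
    keypair_matches "$d/other.key"  "$d/server.csr" "$d/server.crt" && rc=1
    rm -rf "$d"
    return $rc
}

# Usage: sh check_keypair.sh server.key server.csr server.crt
if [ $# -eq 3 ]; then
    if keypair_matches "$1" "$2" "$3"; then
        echo "OK: key, CSR and certificate carry the same public key"
    else
        echo "MISMATCH: these files do not belong together" >&2
        exit 1
    fi
fi
```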
※ Reference URLs
http://knowledge.sakura.ad.jp/beginner/2813/
http://www.maruko2.com/mw/Apache/SSL%E8%87%AA%E5%B7%B1%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E4%BD%9C%E6%88%90%E3%81%A8mod_ssl%E3%81%AE%E8%A8%AD%E5%AE%9A
http://lpi.universe-network.net/doku.php?id=wiki:certification:lpic303
http://archive.linux.or.jp/JF/JFdocs/SSL-RedHat-HOWTO-3.html#ss3.1
https://access.redhat.com/documentation/ja-JP/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html
http://dotnsf.blog.jp/archives/3181024.html
http://qiita.com/cs_sonar/items/81b30c7a1d86d729c7fc
http://qiita.com/a_yasui/items/2e81b0fe77e1a62f2272
http://www.aconus.com/~oyaji/centos/apache_ssl_centos.htm