Network/SSL/SSLサイトを構築する
をテンプレートにして作成
[
トップ
] [
新規
|
一覧
|
単語検索
|
最終更新
|
ヘルプ
|
ログイン
]
開始行:
// 下階層用テンプレート
#topicpath
----
//ここにコンテンツを記述します。
#contents
以下、実際にSSLサイトを構築したときの手順です。
**mod_sslのインストール [#t253c13c]
yum -y install mod_ssl
でOKです。
**CA用秘密鍵を作成する [#t1a7cc90]
[root@www conf]# pwd
/etc/httpd/conf.d/ssl/ <-つくっときましょう
[root@www conf]# openssl genrsa -des3 -rand /var/log/mai...
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@www conf]#
**CA用証明書を作成する [#z3bedacf]
先の秘密鍵から、CA用の証明書を作成します
[root@www conf]# openssl req -new -x509 -days 365 -key ...
Enter pass phrase for ca.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Private...
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []...
Email Address []:admin@hogehoge.com
[root@www conf]#
**サーバの秘密鍵を作成 [#z00f6538]
[root@www conf]# openssl genrsa -des3 -rand /var/log/mai...
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@www conf]#
**証明書要求(CSR)の作成 [#r96bbae5]
先のサーバの秘密鍵から、証明書要求(CSR)を作成します。CAに...
[root@www conf]# openssl req -new -key server.key -out s...
Enter pass phrase for server.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Masatom...
Organizational Unit Name (eg, section) []:self
Common Name (eg, your name or your server's hostname) []...
Email Address []:admin@hogehoge.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //入力しない
An optional company name []://入力しない
[root@www conf]#
**バックアップ [#gfb329ef]
[root@www conf]# cp -pfr server.key server.key.org
**パスフレーズの削除 [#d33d3d07]
[root@www conf]# openssl rsa -in server.key.org -out ser...
Enter pass phrase for server.key.org:
writing RSA key
[root@www conf]#
**CSRにCAとして署名する。 [#l429375b]
***サイン用shを取得 [#tf98f6ad]
[root@www conf]# cd /tmp/
[root@www tmp]# wget http://www.modssl.org/source/mod_ss...
--23:33:36-- http://www.modssl.org/source/mod_ssl-2.8.3...
=> `mod_ssl-2.8.30-1.3.39.tar.gz'
www.modssl.org をDNSに問いあわせています... 195.30.6.168
www.modssl.org|195.30.6.168|:80 に接続しています... 接続...
HTTP による接続要求を送信しました、応答を待っています......
長さ: 820,416 (801K) [application/x-gzip]
100%[===================================================...
23:33:47 (79.45 KB/s) - `mod_ssl-2.8.30-1.3.39.tar.gz' ...
[root@www tmp]# tar xvzf mod_ssl-2.8.30-1.3.39.tar.gz
***サインする [#o49b7239]
[root@www conf]# pwd
/etc/httpd/conf.d/ssl/
[root@www conf]# /tmp/mod_ssl-2.8.30-1.3.39/pkg.contrib/...
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Hogehoge'
organizationName :PRINTABLE:'Masatom in'
organizationalUnitName:PRINTABLE:'self'
commonName :PRINTABLE:'www.hogehoge.com'
emailAddress :IA5STRING:'admin@hogehoge.com'
Certificate is to be certified until Mar 1 14:35:46 200...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@www conf]#
CSRから証明書が作成されました。
[root@www conf]# ls -lrt
合計 308
-rw-r--r-- 1 root root 887 2008-03-01 23:18 ca.key
-rw-r--r-- 1 root root 1314 2008-03-01 23:20 ca.crt
-rw-r--r-- 1 root root 887 2008-03-01 23:21 server.key...
-rw-r--r-- 1 root root 708 2008-03-01 23:27 server.csr
-rw-r--r-- 1 root root 887 2008-03-01 23:28 server.key
-rw-r--r-- 1 root root 2706 2008-03-01 23:36 server.crt...
-rw-r--r-- 1 root root 3 2008-03-01 23:36 ca.db.serial
-rw-r--r-- 1 root root 21 2008-03-01 23:36 ca.db.inde...
-rw-r--r-- 1 root root 125 2008-03-01 23:36 ca.db.index
drwxr-xr-x 2 root root 4096 2008-03-01 23:36 ca.db.certs
[root@www conf]#
**Apacheへの設定追加 [#j66ab80a]
[root@www conf]# cp -pfr /etc/httpd/conf.d/ssl.conf /etc...
SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/server.key
あとはApacheを再起動すればOKですね。
-[[通信内容暗号化(OpenSSL & mod_SSL) 〜 Webページ編 〜 - ...
-[[ベリサイン サーバID ヘルプデスク - サーバIDのインスト...
-[[ベリサイン サーバID ヘルプデスク - CSRの生成>http://ww...
-[[ベリサイン リポジトリ - PKI認証局運用>https://www.veri...
-[[更新申込手順|SSLサーバ証明書【セコム】>http://www.seco...
----
この記事は
#vote(おもしろかった,そうでもない)
#comment
#topicpath
SIZE(10){現在のアクセス:&counter;}
終了行:
// 下階層用テンプレート
#topicpath
----
//ここにコンテンツを記述します。
#contents
以下、実際にSSLサイトを構築したときの手順です。
**mod_sslのインストール [#t253c13c]
yum -y install mod_ssl
でOKです。
**CA用秘密鍵を作成する [#t1a7cc90]
[root@www conf]# pwd
/etc/httpd/conf.d/ssl/ <-つくっときましょう
[root@www conf]# openssl genrsa -des3 -rand /var/log/mai...
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@www conf]#
**CA用証明書を作成する [#z3bedacf]
先の秘密鍵から、CA用の証明書を作成します
[root@www conf]# openssl req -new -x509 -days 365 -key ...
Enter pass phrase for ca.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Private...
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []...
Email Address []:admin@hogehoge.com
[root@www conf]#
**サーバの秘密鍵を作成 [#z00f6538]
[root@www conf]# openssl genrsa -des3 -rand /var/log/mai...
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@www conf]#
**証明書要求(CSR)の作成 [#r96bbae5]
先のサーバの秘密鍵から、証明書要求(CSR)を作成します。CAに...
[root@www conf]# openssl req -new -key server.key -out s...
Enter pass phrase for server.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Masatom...
Organizational Unit Name (eg, section) []:self
Common Name (eg, your name or your server's hostname) []...
Email Address []:admin@hogehoge.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //入力しない
An optional company name []://入力しない
[root@www conf]#
**バックアップ [#gfb329ef]
[root@www conf]# cp -pfr server.key server.key.org
**パスフレーズの削除 [#d33d3d07]
[root@www conf]# openssl rsa -in server.key.org -out ser...
Enter pass phrase for server.key.org:
writing RSA key
[root@www conf]#
**CSRにCAとして署名する。 [#l429375b]
***サイン用shを取得 [#tf98f6ad]
[root@www conf]# cd /tmp/
[root@www tmp]# wget http://www.modssl.org/source/mod_ss...
--23:33:36-- http://www.modssl.org/source/mod_ssl-2.8.3...
=> `mod_ssl-2.8.30-1.3.39.tar.gz'
www.modssl.org をDNSに問いあわせています... 195.30.6.168
www.modssl.org|195.30.6.168|:80 に接続しています... 接続...
HTTP による接続要求を送信しました、応答を待っています......
長さ: 820,416 (801K) [application/x-gzip]
100%[===================================================...
23:33:47 (79.45 KB/s) - `mod_ssl-2.8.30-1.3.39.tar.gz' ...
[root@www tmp]# tar xvzf mod_ssl-2.8.30-1.3.39.tar.gz
***サインする [#o49b7239]
[root@www conf]# pwd
/etc/httpd/conf.d/ssl/
[root@www conf]# /tmp/mod_ssl-2.8.30-1.3.39/pkg.contrib/...
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Tokyo'
localityName :PRINTABLE:'Hogehoge'
organizationName :PRINTABLE:'Masatom in'
organizationalUnitName:PRINTABLE:'self'
commonName :PRINTABLE:'www.hogehoge.com'
emailAddress :IA5STRING:'admin@hogehoge.com'
Certificate is to be certified until Mar 1 14:35:46 200...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@www conf]#
CSRから証明書が作成されました。
[root@www conf]# ls -lrt
合計 308
-rw-r--r-- 1 root root 887 2008-03-01 23:18 ca.key
-rw-r--r-- 1 root root 1314 2008-03-01 23:20 ca.crt
-rw-r--r-- 1 root root 887 2008-03-01 23:21 server.key...
-rw-r--r-- 1 root root 708 2008-03-01 23:27 server.csr
-rw-r--r-- 1 root root 887 2008-03-01 23:28 server.key
-rw-r--r-- 1 root root 2706 2008-03-01 23:36 server.crt...
-rw-r--r-- 1 root root 3 2008-03-01 23:36 ca.db.serial
-rw-r--r-- 1 root root 21 2008-03-01 23:36 ca.db.inde...
-rw-r--r-- 1 root root 125 2008-03-01 23:36 ca.db.index
drwxr-xr-x 2 root root 4096 2008-03-01 23:36 ca.db.certs
[root@www conf]#
**Apacheへの設定追加 [#j66ab80a]
[root@www conf]# cp -pfr /etc/httpd/conf.d/ssl.conf /etc...
SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/server.key
あとはApacheを再起動すればOKですね。
-[[通信内容暗号化(OpenSSL & mod_SSL) 〜 Webページ編 〜 - ...
-[[ベリサイン サーバID ヘルプデスク - サーバIDのインスト...
-[[ベリサイン サーバID ヘルプデスク - CSRの生成>http://ww...
-[[ベリサイン リポジトリ - PKI認証局運用>https://www.veri...
-[[更新申込手順|SSLサーバ証明書【セコム】>http://www.seco...
----
この記事は
#vote(おもしろかった,そうでもない)
#comment
#topicpath
SIZE(10){現在のアクセス:&counter;}
ページ名: