![[PukiWiki]](https://www.masatom.in/pukiwiki/image/kinosite.png "[PukiWiki]"){kind=small}
|
以下、実際にSSLサイトを構築したときの手順です。 mod_sslのインストール †yum -y install mod_ssl でOKです。 CA用秘密鍵を作成する †[root@www conf]# pwd /etc/httpd/conf.d/ssl/ <-つくっときましょう [root@www conf]# openssl genrsa -des3 -rand /var/log/maillog -out ca.key 1024 441467 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus ......++++++ .........................++++++ e is 65537 (0x10001) Enter pass phrase for ca.key: Verifying - Enter pass phrase for ca.key: [root@www conf]# CA用証明書を作成する †先の秘密鍵から、CA用の証明書を作成します [root@www conf]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Tokyo Locality Name (eg, city) [Newbury]:Hogehoge Organization Name (eg, company) [My Company Ltd]:Private CA Organizational Unit Name (eg, section) []:Admin Common Name (eg, your name or your server's hostname) []:www.hogehoge.com Email Address []:admin@hogehoge.com [root@www conf]# サーバの秘密鍵を作成 †[root@www conf]# openssl genrsa -des3 -rand /var/log/maillog -out server.key 1024 441467 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus .............++++++ .........++++++ e is 65537 (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: [root@www conf]# 証明書要求(CSR)の作成 †先のサーバの秘密鍵から、証明書要求(CSR)を作成します。CAに送って署名してもらうためのファイルですね。 [root@www conf]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Tokyo Locality Name (eg, city) [Newbury]:Hogehoge Organization Name (eg, company) [My Company Ltd]:Masatom in Organizational Unit Name (eg, section) []:self Common Name (eg, your name or your server's hostname) []:www.hogehoge.com Email Address []:admin@hogehoge.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: //入力しない An optional company name []://入力しない [root@www conf]# バックアップ †[root@www conf]# cp -pfr server.key server.key.org パスフレーズの削除 †[root@www conf]# openssl rsa -in server.key.org -out server.key Enter pass phrase for server.key.org: writing RSA key [root@www conf]# CSRにCAとして署名する。 †サイン用shを取得 †[root@www conf]# cd /tmp/
[root@www tmp]# wget http://www.modssl.org/source/mod_ssl-2.8.30-1.3.39.tar.gz
--23:33:36-- http://www.modssl.org/source/mod_ssl-2.8.30-1.3.39.tar.gz
=> `mod_ssl-2.8.30-1.3.39.tar.gz'
www.modssl.org をDNSに問いあわせています... 195.30.6.168
www.modssl.org|195.30.6.168|:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 820,416 (801K) [application/x-gzip]
100%[============================================================================>] 820,416 80.34K/s ETA 00:00
23:33:47 (79.45 KB/s) - `mod_ssl-2.8.30-1.3.39.tar.gz' を保存しました [820416/820416]
[root@www tmp]# tar xvzf mod_ssl-2.8.30-1.3.39.tar.gz
サインする †[root@www conf]# pwd /etc/httpd/conf.d/ssl/ [root@www conf]# /tmp/mod_ssl-2.8.30-1.3.39/pkg.contrib/sign.sh server.csr CA signing: server.csr -> server.crt: Using configuration from ca.config Enter pass phrase for ./ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'JP' stateOrProvinceName :PRINTABLE:'Tokyo' localityName :PRINTABLE:'Hogehoge' organizationName :PRINTABLE:'Masatom in' organizationalUnitName:PRINTABLE:'self' commonName :PRINTABLE:'www.hogehoge.com' emailAddress :IA5STRING:'admin@hogehoge.com' Certificate is to be certified until Mar 1 14:35:46 2009 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated CA verifying: server.crt <-> CA cert server.crt: OK [root@www conf]# CSRから証明書が作成されました。 [root@www conf]# ls -lrt 合計 308 -rw-r--r-- 1 root root 887 2008-03-01 23:18 ca.key -rw-r--r-- 1 root root 1314 2008-03-01 23:20 ca.crt -rw-r--r-- 1 root root 887 2008-03-01 23:21 server.key.org -rw-r--r-- 1 root root 708 2008-03-01 23:27 server.csr -rw-r--r-- 1 root root 887 2008-03-01 23:28 server.key -rw-r--r-- 1 root root 2706 2008-03-01 23:36 server.crt <-これ -rw-r--r-- 1 root root 3 2008-03-01 23:36 ca.db.serial -rw-r--r-- 1 root root 21 2008-03-01 23:36 ca.db.index.attr -rw-r--r-- 1 root root 125 2008-03-01 23:36 ca.db.index drwxr-xr-x 2 root root 4096 2008-03-01 23:36 ca.db.certs [root@www conf]# Apacheへの設定追加 †[root@www conf]# cp -pfr /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.20080301 SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt SSLCertificateKeyFile /etc/httpd/conf.d/ssl/server.key あとはApacheを再起動すればOKですね。
この記事は 現在のアクセス:3647 |
