Top / Network / SSL / SSLサイトを構築する

以下、実際にSSLサイトを構築したときの手順です。

mod_sslのインストール

yum -y install mod_ssl

でOKです。

CA用秘密鍵を作成する

[root@www conf]# pwd
/etc/httpd/conf.d/ssl/ <-つくっときましょう
[root@www conf]# openssl genrsa -des3 -rand /var/log/maillog -out ca.key 1024
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@www conf]#

CA用証明書を作成する

先の秘密鍵から、CA用の証明書を作成します

[root@www conf]#  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Private CA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:www.hogehoge.com
Email Address []:admin@hogehoge.com
[root@www conf]#

サーバの秘密鍵を作成

[root@www conf]# openssl genrsa -des3 -rand /var/log/maillog -out server.key 1024
441467 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@www conf]#

証明書要求(CSR)の作成

先のサーバの秘密鍵から、証明書要求(CSR)を作成します。CAに送って署名してもらうためのファイルですね。

[root@www conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Hogehoge
Organization Name (eg, company) [My Company Ltd]:Masatom in
Organizational Unit Name (eg, section) []:self
Common Name (eg, your name or your server's hostname) []:www.hogehoge.com
Email Address []:admin@hogehoge.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //入力しない
An optional company name []://入力しない
[root@www conf]#

バックアップ

[root@www conf]# cp -pfr server.key server.key.org

パスフレーズの削除

[root@www conf]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@www conf]#

CSRにCAとして署名する。

サイン用shを取得

[root@www conf]# cd /tmp/
[root@www tmp]# wget http://www.modssl.org/source/mod_ssl-2.8.30-1.3.39.tar.gz
--23:33:36--  http://www.modssl.org/source/mod_ssl-2.8.30-1.3.39.tar.gz
           => `mod_ssl-2.8.30-1.3.39.tar.gz'
www.modssl.org をDNSに問いあわせています... 195.30.6.168
www.modssl.org|195.30.6.168|:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 820,416 (801K) [application/x-gzip]

100%[============================================================================>] 820,416       80.34K/s    ETA 00:00

23:33:47 (79.45 KB/s) - `mod_ssl-2.8.30-1.3.39.tar.gz' を保存しました [820416/820416]
[root@www tmp]# tar xvzf mod_ssl-2.8.30-1.3.39.tar.gz

サインする

[root@www conf]# pwd
/etc/httpd/conf.d/ssl/
[root@www conf]# /tmp/mod_ssl-2.8.30-1.3.39/pkg.contrib/sign.sh  server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Tokyo'
localityName          :PRINTABLE:'Hogehoge'
organizationName      :PRINTABLE:'Masatom in'
organizationalUnitName:PRINTABLE:'self'
commonName            :PRINTABLE:'www.hogehoge.com'
emailAddress          :IA5STRING:'admin@hogehoge.com'
Certificate is to be certified until Mar  1 14:35:46 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@www conf]#

CSRから証明書が作成されました。

[root@www conf]# ls -lrt
合計 308
-rw-r--r-- 1 root root   887 2008-03-01 23:18 ca.key
-rw-r--r-- 1 root root  1314 2008-03-01 23:20 ca.crt
-rw-r--r-- 1 root root   887 2008-03-01 23:21 server.key.org
-rw-r--r-- 1 root root   708 2008-03-01 23:27 server.csr
-rw-r--r-- 1 root root   887 2008-03-01 23:28 server.key
-rw-r--r-- 1 root root  2706 2008-03-01 23:36 server.crt <-これ
-rw-r--r-- 1 root root     3 2008-03-01 23:36 ca.db.serial
-rw-r--r-- 1 root root    21 2008-03-01 23:36 ca.db.index.attr
-rw-r--r-- 1 root root   125 2008-03-01 23:36 ca.db.index
drwxr-xr-x 2 root root  4096 2008-03-01 23:36 ca.db.certs
[root@www conf]#

Apacheへの設定追加

[root@www conf]# cp -pfr /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.20080301
SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/server.key

あとはApacheを再起動すればOKですね。


この記事は

選択肢 投票
おもしろかった 0  
そうでもない 0  

Top / Network / SSL / SSLサイトを構築する

現在のアクセス:3829


トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 単語検索 最終更新   ヘルプ   最終更新のRSS
Last-modified: 2008-10-23 (木) 22:16:54 (5889d)