Last updated: triplexsys, 2016-11-08 (Tue) 21:38:32
- Enable SSL in Apache
# yum install mod_ssl
- Create the required directories
# mkdir /etc/httpd/ssl
# mkdir /etc/httpd/ssl/ssl.crl
# touch /etc/httpd/ssl/ssl.crl/cert.crl
- Copy the CA script and openssl.cnf
# cp -p /etc/pki/tls/misc/CA /etc/httpd/ssl/
# cp -p /etc/pki/tls/openssl.cnf /etc/httpd/ssl/
- Edit /etc/httpd/ssl/CA
DAYS="-days 365" → DAYS="-days 1825"
CATOP=../../CA → CATOP=/etc/httpd/ssl/selfCA
- Edit /etc/httpd/ssl/openssl.cnf
dir = ../../CA → dir = ./selfCA
basicConstraints=CA:FALSE → basicConstraints=CA:TRUE
- Create the CA
# cd /etc/httpd/ssl
# ./CA -newca
CA certificate filename (or enter to create) ← Enter
Enter PEM pass phrase: ← CA password
Verifying - Enter PEM pass phrase: ← CA password (confirm)
Country Name (2 letter code) [GB]: ← country code (JP)
State or Province Name (full name) [Berkshire]: ← prefecture or state
Locality Name (eg, city) [Newbury]: ← city
Organization Name (eg, company) [My Company Ltd]: ← organization or company name
Organizational Unit Name (eg, section) []: ← department
Common Name (eg, your name or your server's hostname) []: ← server hostname
Email Address []: ← e-mail address
A challenge password []: ← Enter
An optional company name []: ← Enter
Enter pass phrase for /etc/httpd/ssl/selfCA/private/./cakey.pem: ← CA password (enter again)
# openssl rsa -in ./selfCA/private/cakey.pem -out ./selfCA/private/cakey.pem
Enter pass phrase for ./selfCA/private/cakey.pem: ← CA password (enter again)
# echo '00' > ./selfCA/crlnumber
# openssl ca -config openssl.cnf -gencrl -out ./selfCA/crl.pem
- Create the server certificate
# cd /etc/httpd/ssl
# vi /etc/pki/tls/openssl.cnf
basicConstraints=CA:TRUE → basicConstraints=CA:FALSE
# openssl genrsa -out ./server.key 2048
# openssl req -sha256 -new -days 1825 -key ./server.key -out ./server.csr
Enter pass phrase for ./server.key: ← server certificate password (enter again)
Country Name (2 letter code) [GB]: ← country code (JP)
State or Province Name (full name) [Berkshire]: ← prefecture or state
Locality Name (eg, city) [Newbury]: ← city
Organization Name (eg, company) [My Company Ltd]: ← organization or company name
Organizational Unit Name (eg, section) []: ← department
Common Name (eg, your name or your server's hostname) []: ← server hostname
Email Address []: ← e-mail address
A challenge password []: ← Enter
An optional company name []: ← Enter
# openssl ca -days 1825 -in server.csr -keyfile ./selfCA/private/cakey.pem \
-cert ./selfCA/cacert.pem -out server.crt
Sign the certificate? [y/n]: ← y
1 out of 1 certificate requests certified, commit? [y/n] ← y
- Create the client certificate
# cd /etc/httpd/ssl
# ./CA -newreq
# ./CA -sign
# openssl genrsa -des3 -out ./client.key 1024
Enter pass phrase for client.key: ← client certificate password
Verifying - Enter pass phrase for client.key: ← client certificate password (confirm)
# openssl rsa -in ./client.key -out ./client.key
Enter pass phrase for client.key: ← client certificate password (enter again)
# openssl req -new -days 1825 -key ./client.key -out ./client.csr
Enter pass phrase for ./server.key: ← server certificate password (enter again)
Country Name (2 letter code) [GB]: ← country code (JP)
State or Province Name (full name) [Berkshire]: ← prefecture or state
Locality Name (eg, city) [Newbury]: ← city
Organization Name (eg, company) [My Company Ltd]: ← organization or company name
Organizational Unit Name (eg, section) []: ← department
Common Name (eg, your name or your server's hostname) []: ← client name
Email Address []: ← e-mail address
A challenge password []: ← Enter
An optional company name []: ← Enter
# openssl ca -days 1825 -in ./client.csr -out ./client.crt
Sign the certificate? [y/n]: ← y
1 out of 1 certificate requests certified, commit? [y/n] ← y
# openssl pkcs12 -export -in ./client.crt -inkey ./client.key \
-certfile ./selfCA/cacert.pem -out ./client.p12
Enter Export Password: ← Enter
Verifying - Enter Export Password: ← Enter
- Edit /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
→ SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
→ SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
→ SSLCACertificateFile /etc/httpd/ssl/selfCA/cacert.pem
#SSLVerifyClient require
→ SSLVerifyClient require
#SSLVerifyDepth 10
→ SSLVerifyDepth 1
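Before pointing ssl.conf at the files, it is worth checking that the artifacts fit together. The script below is an added example, not code from the original page: it rebuilds the same CA and server-certificate layout in a temporary directory (unattended, with the two basicConstraints values the page toggles in openssl.cnf), then verifies what SSLVerifyClient require and SSLVerifyDepth 1 will rely on: the CA cert carries CA:TRUE, the server cert does not, the server cert chains to cacert.pem, its CN is the server hostname, and a certificate from an unrelated CA is rejected. The hostname www.example.com and the CA name selfCA are constructed placeholders; it assumes an OpenSSL 1.1 or newer command line.

```sh
#!/bin/sh
# Added example, not from the original page: rebuild the CA / server-cert layout
# in a temp dir and check what Apache's SSLVerifyClient require will rely on.
set -eu

# Minimal openssl.cnf fragment; the third argument is the basicConstraints value
# the page toggles between CA:TRUE (for the CA) and CA:FALSE (for end entities).
write_cnf() { # $1 = file, $2 = CN, $3 = CA:TRUE|CA:FALSE
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\nreq_extensions=ext\n[dn]\nC=JP\nCN=%s\n[ext]\nbasicConstraints=critical,%s\n' "$2" "$3" > "$1"
}

make_ca() { # $1 = dir; self-signed CA, like "./CA -newca" but unattended
    write_cnf "$1/ca.cnf" selfCA CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 -config "$1/ca.cnf" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

make_server_cert() { # $1 = dir, $2 = hostname (constructed: www.example.com)
    write_cnf "$1/server.cnf" "$2" CA:FALSE
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/server.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -extfile "$1/server.cnf" \
        -extensions ext -out "$1/server.crt" 2>/dev/null
}
# 0 when $2 chains to CA $1: the check mod_ssl makes on every client cert.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 0 when the cert carries CA:TRUE; required for cacert.pem, wrong for a leaf.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# 0 when the subject CN is the hostname clients will connect to.
cn_matches() { openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"; }

run_demo() { # returns 0 only if every expectation holds
    d=$(mktemp -d) || return 1
    mkdir "$d/other"
    rc=1
    if make_ca "$d" && make_ca "$d/other" \
       && make_server_cert "$d" www.example.com \
       && is_ca_cert "$d/cacert.pem" \
       && ! is_ca_cert "$d/server.crt" \
       && chain_ok "$d/cacert.pem" "$d/server.crt" \
       && cn_matches "$d/server.crt" www.example.com \
       && ! chain_ok "$d/other/cacert.pem" "$d/server.crt"; then # unrelated CA rejected
        rc=0
    fi
    rm -rf "$d"
    return "$rc"
}
run_demo && echo "CA, server cert and chain are consistent"
```

To check the real files instead, call chain_ok, is_ca_cert and cn_matches against /etc/httpd/ssl/selfCA/cacert.pem, server.crt and client.crt.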