Triplex Systems★開発メモ

• ApacheをSSL対応にする

# yum install mod_ssl

• 必要なディレクトリの作成

# mkdir /etc/httpd/ssl
# mkdir /etc/httpd/ssl/ssl.crl
# touch /etc/httpd/ssl/ssl.crl/cert.crl

• プログラムのコピー

# cp -p /etc/pki/tls/misc/CA /etc/httpd/ssl/
# cp -p /etc/pki/tls/openssl.cnf /etc/httpd/ssl/

• /etc/httpd/ssl/CAを編集

DAYS="-days 365" → DAYS="-days 1825"
CATOP=../../CA → CATOP=/etc/httpd/ssl/selfCA

• /etc/httpd/ssl/openssl.cnfを編集

dir = ../../CA → dir = ./selfCA
basicConstraints=CA:FALSE → basicConstraints=CA:TRUE

# cd /etc/httpd/ssl
# ./CA -newca
CA certificate filename (or enter to create) ← Enter
Enter PEM pass phrase: ←CAのパスワード
Verifying - Enter PEM pass phrase: ←CAのパスワード（確認）
Country Name (2 letter code) [GB]: ←国名（JP）
State or Province Name (full name) [Berkshire]: ←都道府県名
Locality Name (eg, city) [Newbury]: ←市町村名
Organization Name (eg, company) [My Company Ltd]: ←組織名・会社名
Organizational Unit Name (eg, section) []: ←部署名
Common Name (eg, your name or your server's hostname) []: ←サーバのホスト名
Email Address []: ←メールアドレス
A challenge password []: ← Enter
An optional company name []: ← Enter
Enter pass phrase for /etc/httpd/ssl/selfCA/private/./cakey.pem: ←CAのパスワード（確認）
# openssl rsa -in ./selfCA/private/cakey.pem -out ./selfCA/private/cakey.pem
Enter pass phrase for ./selfCA/private/cakey.pem: ←CAのパスワード（確認）
# echo '00' > ./selfCA/crlnumber
# openssl ca -config openssl.cnf -gencrl -out ./selfCA/crl.pem

# cd /etc/httpd/ssl
# vi /etc/pki/tls/openssl.cnf
basicConstraints=CA:TRUE → basicConstraints=CA:FALSE
# openssl genrsa -out ./server.key 2048
# openssl req -sha256 -new -days 1825 -key ./server.key -out ./server.csr
Enter pass phrase for ./server.key: ←サーバ証明書のパスワード（確認）
Country Name (2 letter code) [GB]: ←国名（JP）
State or Province Name (full name) [Berkshire]: ←都道府県名
Locality Name (eg, city) [Newbury]: ←市町村名
Organization Name (eg, company) [My Company Ltd]: ←組織名・会社名
Organizational Unit Name (eg, section) []: ←部署名
Common Name (eg, your name or your server's hostname) []: ←サーバのホスト名
Email Address []: ←メールアドレス
A challenge password []: ← Enter
An optional company name []: ← Enter
# openssl ca -days 1825 -in server.csr -keyfile ./selfCA/private/cakey.pem \
-cert ./selfCA/cacert.pem -out server.crt
Sign the certificate? [y/n]: ← y
1 out of 1 certificate requests certified, commit? [y/n] ← y

# cd /etc/httpd/ssl
# ./CA -newreq
# ./CA -sign

# openssl genrsa -des3 -out ./client.key 1024
Enter pass phrase for client.key: ←クライアント証明書のパスワード
Verifying - Enter pass phrase for client.key: ←クライアント証明書のパスワード（確認）
# openssl rsa -in ./client.key -out ./client.key
Enter pass phrase for client.key: ←クライアント証明書のパスワード（確認）
# openssl req -new -days 1825 -key ./client.key -out ./client.csr
Enter pass phrase for ./server.key: ←サーバ証明書のパスワード（確認）
Country Name (2 letter code) [GB]: ←国名（JP）
State or Province Name (full name) [Berkshire]: ←都道府県名
Locality Name (eg, city) [Newbury]: ←市町村名
Organization Name (eg, company) [My Company Ltd]: ←組織名・会社名
Organizational Unit Name (eg, section) []: ←部署名
Common Name (eg, your name or your server's hostname) []: ←クライアント名
Email Address []: ←メールアドレス
A challenge password []: ← Enter
An optional company name []: ← Enter
# openssl ca -days 1825 -in ./client.csr -out ./client.crt
Sign the certificate? [y/n]: ← y
1 out of 1 certificate requests certified, commit? [y/n] ← y
# openssl pkcs12 -export -in ./client.crt -inkey ./client.key \
-certfile ./selfCA/cacert.pem -out ./client.p12
Enter Export Password: ← Enter
Verifying - Enter Export Password: ← Enter

• /etc/httpd/conf.d/ssl.conf を編集

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
→ SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
→ SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
←SSLCACertificateFile /etc/httpd/ssl/selfCA/cacert.pem
#SSLVerifyClient require
→ SSLVerifyClient require
#SSLVerifyDepth 10
→ SSLVerifyDepth 1