Creating a self-signed SSL certificate and configuring Apache (2015/03/18)
OpenSSL has been in the news a lot lately, so here are my notes on setting up SSL.

Building your own certificate authority (CA)

Configuring openssl.cnf

Point the CA directory (the dir entry in the [ CA_default ] section) at /etc/ssl/CA:

# vi /etc/ssl/openssl.cnf
dir = /etc/ssl/CA

Create the output directories

# mkdir -p /etc/ssl/CA/private
# mkdir -p /etc/ssl/CA/newcerts
# chmod 700 /etc/ssl/CA/private

Create the files the CA needs (serial number counter and certificate index)

# echo "01" > /etc/ssl/CA/serial
# touch /etc/ssl/CA/index.txt

Create the CA

・CA certificate: CA/cacert.pem
・CA private key: CA/private/cakey.pem
※Created with a 10-year validity and a 2048-bit key

Run this from /etc/ssl/CA, so the output paths land in the directory set above:

# openssl req -new -x509 -newkey rsa:2048 -out cacert.pem -keyout private/cakey.pem -days 3652
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:

Restrict the permissions on the private key

# chmod 600 cakey.pem

Check the certificate

# openssl x509 -in /etc/ssl/CA/cacert.pem -text

Creating the server certificate

Create the server private key

# openssl genrsa -des3 -out server.key 2048

Removing the passphrase

※If you want to avoid being prompted for the password every time Apache restarts

# openssl rsa -in server.key -out server.key

Create the certificate signing request (CSR)

This command also generates the server key (-nodes leaves it without a passphrase):

# cd /etc/ssl/
# openssl req -nodes -new -newkey rsa:2048 -keyout private/debian.key -out certs/debian.csr

Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:

A challenge password []:(leave blank)
An optional company name []:(leave blank)

Check the CSR

# openssl req -in certs/debian.csr -text | less

Create the server certificate (CRT)

# openssl ca -config openssl.cnf -in certs/debian.csr -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out certs/debian.crt -days 3652
Enter pass phrase for CA/private/cakey.pem:
...............
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 18 12:00:27 2015 GMT
Not After : Mar 17 12:00:27 2025 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = yoo
commonName = debian
...............

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

The CSR is no longer needed, so make it unreadable.

Enabling SSL in Apache

Enable mod_ssl

# a2enmod ssl

Configure and enable SSL in Apache

Set the server name and the paths to the certificate and key created above (the CSR and signing steps wrote them to /etc/ssl/certs/debian.crt and /etc/ssl/private/debian.key)

# vi /etc/apache2/sites-available/default-ssl
ServerName debian
.......
SSLCertificateFile /etc/ssl/certs/debian.crt
SSLCertificateKeyFile /etc/ssl/private/debian.key
.......

Enable the site and restart Apache

# a2ensite default-ssl
# /etc/init.d/apache2 restart
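As an added example (not code from the original post), the script below assumes only the openssl CLI, mktemp and stat: it builds a throwaway CA and a CA-signed server certificate in a temporary directory with the same subject fields and the hostname debian used above, then runs the checks worth doing before pointing Apache at the files (chain validity against the CA, key/certificate pairing, the 600 mode on the key, and CN equal to ServerName). It signs with openssl x509 -req instead of openssl ca so that no openssl.cnf is needed.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA and a
# CA-signed server certificate non-interactively (same subjects and the same
# "debian" hostname as above), then run the checks worth doing before pointing
# Apache at the files. Assumes only the openssl CLI, mktemp and stat.

# Create CA key + cert and a CA-signed server key + cert under directory $1.
build_test_pki() {
    dir=$1
    mkdir -p "$dir/CA/private" "$dir/certs" "$dir/private"
    chmod 700 "$dir/CA/private" "$dir/private"
    # CA cert: 10 years, RSA 2048. -nodes (no passphrase) only so this runs unattended.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 \
        -subj "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=yoo/CN=yoo test CA" \
        -keyout "$dir/CA/private/cakey.pem" -out "$dir/CA/cacert.pem" 2>/dev/null
    # Server key + CSR; the CN must be the hostname Apache serves as ServerName.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=yoo/CN=debian" \
        -keyout "$dir/private/debian.key" -out "$dir/certs/debian.csr" 2>/dev/null
    # Sign the CSR with the CA. "openssl x509 -req" is used instead of the post's
    # "openssl ca" so that no openssl.cnf, serial or index.txt is needed here.
    openssl x509 -req -in "$dir/certs/debian.csr" -CA "$dir/CA/cacert.pem" \
        -CAkey "$dir/CA/private/cakey.pem" -CAcreateserial -days 3652 \
        -out "$dir/certs/debian.crt" 2>/dev/null
    chmod 600 "$dir/private/debian.key" "$dir/CA/private/cakey.pem"
}

# Pre-flight checks for an Apache SSL host; returns 0 only if every check passes.
# $1 = CA cert, $2 = server cert, $3 = server key, $4 = the ServerName value
check_ssl_host() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. Chain: the server cert must verify against our own CA cert.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "cert is not signed by $ca"; return 1; }
    # 2. Pairing: the public key inside the cert must match the private key file.
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
        || { echo "key does not match cert"; return 1; }
    # 3. The key must be readable by its owner only (the post's chmod 600).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || { echo "key mode is $mode, expected 600"; return 1; }
    # 4. The certificate CN must equal ServerName or clients reject the host.
    openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$host\$" \
        || { echo "CN does not match ServerName $host"; return 1; }
    return 0
}
```

check_ssl_host works unchanged on the real files, e.g. check_ssl_host /etc/ssl/CA/cacert.pem /etc/ssl/certs/debian.crt /etc/ssl/private/debian.key debian.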