Creating a self-signed SSL certificate and configuring Apache

2015/03/18

OpenSSL has been in the news a lot lately, so here are my notes on setting up SSL.

Building a private certificate authority (CA)

Configuring openssl.cnf

# vi /etc/ssl/openssl.cnf
dir = /etc/ssl/CA

Create the output directories

# mkdir -p /etc/ssl/CA/private
# mkdir -p /etc/ssl/CA/newcerts
# chmod 700 /etc/ssl/CA/private

Create the files the CA needs

# echo "01" > /etc/ssl/CA/serial
# touch /etc/ssl/CA/index.txt

Create the CA

・CA certificate: CA/cacert.pem
・CA private key: CA/private/cakey.pem
※ Created with a 10-year validity and a 2048-bit key (the paths in the command below are relative to /etc/ssl/CA)

# openssl req -new -x509 -newkey rsa:2048 -out cacert.pem -keyout private/cakey.pem -days 3652
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:

Restrict the permissions on the private key

# chmod 600 cakey.pem

Check the certificate

# openssl x509 -in /etc/ssl/CA/cacert.pem -text

Creating the server certificate

Create the server private key

# openssl genrsa -des3 -out server.key 2048

Remove the passphrase

※ Only if you want to avoid the passphrase prompt when Apache restarts. Note that the CSR step below uses -newkey together with -nodes, which generates a fresh key (private/debian.key) with no passphrase, so in that flow server.key and this step are not used.

# openssl rsa -in server.key -out server.key

Create the certificate signing request (CSR)

# cd /etc/ssl/
# openssl req -nodes -new -newkey rsa:2048 -keyout private/debian.key -out certs/debian.csr
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:
A challenge password []:(leave blank)
An optional company name []:(leave blank)

Check the CSR

# openssl req -in certs/debian.csr -noout -text | less

Create the server certificate (CRT)

# openssl ca -config openssl.cnf -in certs/debian.csr -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out certs/debian.crt -days 3652
Enter pass phrase for CA/private/cakey.pem:
...............
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Mar 18 12:00:27 2015 GMT
        Not After : Mar 17 12:00:27 2025 GMT
    Subject:
        countryName         = JP
        stateOrProvinceName = Tokyo
        organizationName    = yoo
        commonName          = debian
...............
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

The CSR is no longer needed, so make it unreadable.
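As an added example that is not part of the original post, here is the whole procedure from the two sections above (building the CA, then creating and signing the server certificate) as one non-interactive POSIX shell script that runs in a scratch directory and checks its own result. It goes slightly beyond the post: the CA passphrase is read from the environment (env:CA_PASS) instead of a prompt, the server certificate gets a subjectAltName because modern clients ignore the Common Name alone, and it finishes with the checks a practitioner wants (openssl verify against the CA, SAN present, key matches certificate). $WORK, $CA_PASS and the CA name "example-ca" are placeholders I chose; the server name "debian" and the DN values are reused from the post.

```shell
#!/bin/sh
# Added example, not the original post's commands: the CA and server-certificate
# procedure run non-interactively in a scratch directory, then checked.
# Assumed placeholders (not from the post): $WORK, $CA_PASS, the CA name "example-ca".
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-debian}"          # server name reused from the post
CA_PASS="${CA_PASS:-placeholder-passphrase}"  # placeholder; read it from a secret store in real use
export CA_PASS                                # consumed by openssl via env:CA_PASS, so it never appears in ps output

# Minimal openssl.cnf: dir, serial and index.txt mirror the post's /etc/ssl/CA layout;
# v3_ca and server_ext are the certificate extensions the post does not set explicitly.
write_config() {
  mkdir -p "$WORK/CA/private" "$WORK/CA/newcerts" "$WORK/certs" "$WORK/private"
  chmod 700 "$WORK/CA/private" "$WORK/private"
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORK/CA
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$SERVER_NAME
EOF
}

# CA: serial and index.txt, then a self-signed certificate (10 years, 2048 bits) with an encrypted key.
make_ca() {
  echo "01" > "$WORK/CA/serial"
  : > "$WORK/CA/index.txt"
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3652 -config "$WORK/openssl.cnf" \
    -extensions v3_ca -subj "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=yoo/CN=example-ca" \
    -passout env:CA_PASS -keyout "$WORK/CA/private/cakey.pem" -out "$WORK/CA/cacert.pem" 2>/dev/null
  chmod 600 "$WORK/CA/private/cakey.pem"
}

# Server key without passphrase (-nodes, as in the post's CSR step) plus the CSR.
make_csr() {
  openssl req -nodes -new -newkey rsa:2048 -sha256 -config "$WORK/openssl.cnf" \
    -subj "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=yoo/CN=$SERVER_NAME" \
    -keyout "$WORK/private/$SERVER_NAME.key" -out "$WORK/certs/$SERVER_NAME.csr" 2>/dev/null
  chmod 600 "$WORK/private/$SERVER_NAME.key"
}

# Sign with "openssl ca"; -batch answers the post's two y/n prompts. Then make the CSR unreadable.
sign_csr() {
  openssl ca -batch -notext -config "$WORK/openssl.cnf" -extensions server_ext -days 3652 \
    -passin env:CA_PASS -in "$WORK/certs/$SERVER_NAME.csr" -out "$WORK/certs/$SERVER_NAME.crt"
  chmod 000 "$WORK/certs/$SERVER_NAME.csr"
}

# Post-signing checks: chain verifies, SAN present (clients ignore CN alone), key matches certificate.
verify_chain() { openssl verify -CAfile "$WORK/CA/cacert.pem" "$WORK/certs/$SERVER_NAME.crt" >/dev/null 2>&1; }
has_san()      { openssl x509 -in "$WORK/certs/$SERVER_NAME.crt" -noout -text | grep -q "DNS:$SERVER_NAME"; }
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/certs/$SERVER_NAME.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/private/$SERVER_NAME.key" -pubout)" ]
}

write_config && make_ca && make_csr && sign_csr
verify_chain && has_san && key_matches_cert && echo "certificate ready under $WORK/certs"
```

Run it with sh; setting WORK=/etc/ssl reproduces the post's layout, after which the default-ssl site points at $WORK/certs/debian.crt and $WORK/private/debian.key. Using env:CA_PASS rather than pass:... on the command line is the one security choice worth copying even when typing the commands by hand.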

Enabling SSL in Apache

Enable mod_ssl

# a2enmod ssl

Configure and enable the Apache SSL site

Set the server name and the paths to the certificate and key you created (they must point at where the files were actually written; the steps above put them at /etc/ssl/certs/debian.crt and /etc/ssl/private/debian.key)

# vi /etc/apache2/sites-available/default-ssl
ServerName debian
.......
SSLCertificateFile /etc/ssl/debian.crt
SSLCertificateKeyFile /etc/ssl/debian.key
.......

Enable the site and restart Apache

# a2ensite default-ssl
# /etc/init.d/apache2 restart