There has been a lot of OpenSSL fuss lately, so here are my notes on setting up SSL.
Point the CA directory in openssl.cnf (the dir entry in the [ CA_default ] section) at /etc/ssl/CA:
# vi /etc/ssl/openssl.cnf
dir = /etc/ssl/CA
# mkdir -p /etc/ssl/CA/private
# mkdir -p /etc/ssl/CA/newcerts
# chmod 700 /etc/ssl/CA/private
# echo "01" > /etc/ssl/CA/serial
# touch /etc/ssl/CA/index.txt
- CA certificate: CA/cacert.pem
- CA private key: CA/private/cakey.pem
Note: created with a 10-year validity and a 2048-bit key (run from inside /etc/ssl/CA).
# openssl req -new -x509 -newkey rsa:2048 -out cacert.pem -keyout private/cakey.pem -days 3652
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:
Restrict the permissions on the private key so that only its owner can read it:
# chmod 600 cakey.pem
Check the contents of the CA certificate:
# openssl x509 -in /etc/ssl/CA/cacert.pem -text
Generate a 2048-bit server key, encrypted with Triple-DES:
# openssl genrsa -des3 -out server.key 2048
Note: to avoid the passphrase prompt every time Apache restarts, strip the passphrase from the key:
# openssl rsa -in server.key -out server.key
# cd /etc/ssl/
# openssl req -nodes -new -newkey rsa:2048 -keyout private/debian.key -out certs/debian.csr
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjuku-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yoo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:debian
Email Address []:
A challenge password []:(left blank)
An optional company name []:(left blank)
Check the contents of the CSR:
# openssl req -in certs/debian.csr -text | less
# openssl ca -config openssl.cnf -in certs/debian.csr -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out certs/debian.crt -days 3652
Enter pass phrase for CA/private/cakey.pem:
...............
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Mar 18 12:00:27 2015 GMT
        Not After : Mar 17 12:00:27 2025 GMT
    Subject:
        countryName         = JP
        stateOrProvinceName = Tokyo
        organizationName    = yoo
        commonName          = debian
...............
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
The CSR is no longer needed, so make it unreadable.
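The whole procedure above, from the CA directory layout to signing and checking the server certificate, as an added non-interactive shell example (not code from the original memo). It assumes openssl is on PATH, works in a throwaway directory instead of /etc/ssl, answers the DN prompts with -subj, writes its own minimal openssl.cnf (the section names, the constructed CA passphrase in CA_PASS and the "yoo example CA" name are my choices, not the page's), and ends with openssl verify so a mismatch between key, CSR and CA is caught before Apache is pointed at the files. The function names setup_ca, issue_server_cert, cert_subject_cn, cert_chains_to_ca and cert_valid_for are hypothetical.

```shell
#!/bin/sh
# Added example: the memo's CA + server certificate workflow, run non-interactively.
# Assumptions: openssl on PATH; CA_PASS is a constructed placeholder; the server
# name defaults to "debian" as in the memo. CA_DIR and SERVER_NAME are exported
# because the generated openssl.cnf reads them through $ENV::NAME.
set -eu
CA_PASS="${CA_PASS:-constructed-example-passphrase}"
export CA_DIR="${CA_DIR:-}"
export SERVER_NAME="${SERVER_NAME:-debian}"

write_openssl_cnf() {   # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ENV::CA_DIR
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 3652
policy          = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$ENV::SERVER_NAME
EOF
}

setup_ca() {            # $1 = CA directory (the memo uses /etc/ssl/CA)
  CA_DIR="$1"; export CA_DIR
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/certs"
  chmod 700 "$CA_DIR/private"          # only the owner may enter the key directory
  echo 01 > "$CA_DIR/serial"           # first serial number, as in the memo
  : > "$CA_DIR/index.txt"              # empty certificate database
  write_openssl_cnf "$CA_DIR/openssl.cnf"
  # Self-signed CA certificate: 2048-bit RSA, 3652 days, key encrypted with CA_PASS
  openssl req -new -x509 -newkey rsa:2048 -days 3652 \
    -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -subj "/C=JP/ST=Tokyo/O=yoo/CN=yoo example CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -passout "pass:$CA_PASS"
  chmod 600 "$CA_DIR/private/cakey.pem"
}

issue_server_cert() {   # $1 = CA directory, $2 = server name used as CN and SAN
  CA_DIR="$1"; SERVER_NAME="$2"; export CA_DIR SERVER_NAME
  key="$CA_DIR/private/$SERVER_NAME.key"
  csr="$CA_DIR/certs/$SERVER_NAME.csr"
  crt="$CA_DIR/certs/$SERVER_NAME.crt"
  # -nodes: unencrypted key, so the web server can start without a passphrase prompt
  openssl req -new -nodes -newkey rsa:2048 -config "$CA_DIR/openssl.cnf" \
    -subj "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=yoo/CN=$SERVER_NAME" \
    -keyout "$key" -out "$csr"
  chmod 600 "$key"
  # -batch answers the "Sign the certificate?" prompts with yes
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
    -passin "pass:$CA_PASS" -in "$csr" -out "$crt" -days 3652
  chmod 000 "$csr"                     # CSR no longer needed: make it unreadable
  cert_chains_to_ca "$CA_DIR/cacert.pem" "$crt"   # fail loudly before deployment
}

cert_subject_cn() {     # print the CN of certificate $1 (old and new openssl output)
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
cert_chains_to_ca() {   # $1 = CA cert, $2 = leaf cert; exit 0 when the chain verifies
  openssl verify -CAfile "$1" "$2" >/dev/null
}
cert_valid_for() {      # exit 0 if certificate $1 is still valid $2 seconds from now
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
  work="${1:-$(mktemp -d)}"
  setup_ca "$work/CA"
  issue_server_cert "$work/CA" "$SERVER_NAME"
  echo "certificate for $(cert_subject_cn "$work/CA/certs/$SERVER_NAME.crt") ready under $work/CA"
}
main "$@"
```

The policy_match section drops the Locality field from the issued subject exactly as the memo's openssl ca output shows (only C, ST, O and CN survive), and the subjectAltName entry is what modern browsers actually match against, since the CN alone is no longer sufficient.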
# a2enmod ssl
Set the server name and the paths to the certificate and key created above:
# vi /etc/apache2/sites-available/default-ssl
ServerName debian
.......
SSLCertificateFile /etc/ssl/certs/debian.crt
SSLCertificateKeyFile /etc/ssl/private/debian.key
.......
Enable the site and restart Apache:
# a2ensite default-ssl
# /etc/init.d/apache2 restart