First install OpenSSL, then create the key and issue the site certificate.
Installation
# apt-get update
# apt-get install openssl
Also check whether the related packages ca-certificates and ssl-cert are present, and install them if they are not.
Creating the key and issuing the site certificate: use /usr/lib/ssl/misc/CA.sh.
# cd /usr/lib/ssl/misc
# ./CA.sh -newca      (see the script itself for a description of the options)
CA certificate filename (or enter to create)
[enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: XXXXX                # set the pass phrase
Verifying - Enter PEM pass phrase: XXXXX    # re-enter to confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: JP                                   # country
State or Province Name (full name) [Some-State]: Hokkaido                # region (prefecture)
Locality Name (eg, city) []: Sapporo                                     # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Department of Science, Hokkaido Univ.   # organization name
Organizational Unit Name (eg, section) []: Division of Earth and Planetary Sciences               # department
Common Name (eg, YOUR name) []: rainbow.ep.sci.hokudai.ac.jp             # server FQDN
Email Address []: root@rainbow.ep.sci.hokudai.ac.jp                      # administrator address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [enter]
An optional company name []: [enter]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: XXXXX   # enter the pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            a7:b4:2d:62:f9:91:4b:43
        Validity
            Not Before: Sep  5 04:18:15 2011 GMT
            Not After : Sep  4 04:18:15 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Hokkaido
            organizationName          = Department of Science, Hokkaido Univ.
            organizationalUnitName    = DIvision of Earth and Planetary Sciences
            commonName                = rainbow@ep.sci.hokudai.ac.jp
            emailAddress              = root@rainbow.ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DA:41:C0:7F:AF:6E:5F:2A:E5:54:B6:F9:95:22:8F:FF:57:56:F5:90
            X509v3 Authority Key Identifier:
                keyid:DA:41:C0:7F:AF:6E:5F:2A:E5:54:B6:F9:95:22:8F:FF:57:56:F5:90
                DirName:/C=JP/ST=Hokkaido/O=Department of Science, Hokkaido Univ./OU=DIvision of Earth and Planetary Sciences/CN=rainbow@ep.sci.hokudai.ac.jp/emailAddress=root@rainbow.ep.sci.hokudai.ac.jp
                serial:A7:B4:2D:62:F9:91:4B:43
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Sep  4 04:18:15 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Removing the pass phrase
As it stands, Apache prompts for the pass phrase every time it starts, so remove the pass phrase from the key just created.
# openssl rsa -in ./demoCA/private/cakey.pem -out ./demoCA/private/cakey.pem
Enter pass phrase for ./demoCA/private/cakey.pem: XXXXX   # enter the pass phrase
writing RSA key
The files created up to this point are stored under /usr/lib/ssl/misc/demoCA.
Copying the key and site certificate under /etc/apache2
# cd /etc/apache2
# mkdir ssl
# cd ssl
# cp /usr/lib/ssl/misc/demoCA/cacert.pem .
# mkdir private
# cd private
# cp /usr/lib/ssl/misc/demoCA/private/cakey.pem .
Configuring the module for apache2
# cd /etc/apache2/sites-available/
# vi default-ssl
The items to edit are as follows.
Enabling the modules
# a2ensite default-ssl
# a2enmod ssl
Restarting apache
# /etc/init.d/apache2 restart
In Firefox 6.0.1, the message
Certificate type not approved for application. (error code: sec_error_inadequate_cert_type)
is displayed. Trying to register an exception through the options shows the same error.
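Added example, not part of the original notes: a POSIX shell check that reads the text dump of a certificate and reports whether it is a CA certificate (Basic Constraints CA:TRUE, or a Netscape cert type ending in "CA", which is not a server type) and whether its Common Name matches the FQDN the server will answer as. The helper names and the second sample are assumptions; the first sample is abridged from the CA.sh output above, which the check classifies as a CA certificate rather than a server certificate.

```shell
# Added example, not from the original notes; helper names are assumptions.
# Print "ca" if the dump shows Basic Constraints CA:TRUE or a Netscape "... CA"
# cert type, otherwise "server".
cert_is_ca() {
  printf '%s\n' "$1" | awk '
    /CA:TRUE/ { ca = 1 }
    /Netscape Cert Type:/ {
      v = $0; sub(/.*Netscape Cert Type: */, "", v)
      if (v == "") getline v            # the value is usually on the next line
      if (v ~ /(^|,)[^,]* CA(,|$)/) ca = 1
    }
    END { print (ca ? "ca" : "server") }'
}

# Print the subject CN from "Subject: ..., CN=..." or from the "commonName = ..."
# line that CA.sh prints under Subject:.
cert_cn() {
  printf '%s\n' "$1" | awk '
    /^ *Subject:.*CN *=/ { sub(/.*CN *= */, ""); sub(/[,\/].*/, ""); print; exit }
    /^ *commonName *=/   { sub(/.*= */, ""); print; exit }'
}

# Pre-deployment check: succeeds only for a non-CA certificate whose CN is $2.
check_cert_text() {
  kind=$(cert_is_ca "$1"); cn=$(cert_cn "$1")
  printf 'type=%s cn=%s expected=%s\n' "$kind" "$cn" "$2"
  [ "$kind" = server ] && [ "$cn" = "$2" ]
}
# Same check on a PEM file; needs the openssl CLI (not exercised below).
check_cert_file() { check_cert_text "$(openssl x509 -noout -text -in "$1")" "$2"; }

# Constructed sample 1: abridged from the CA.sh -newca output in the notes above.
SAMPLE_CA_TEXT='        Subject:
            commonName                = rainbow@ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA'
# Constructed sample 2: a plain server certificate issued for the host.
SAMPLE_SERVER_TEXT='        Issuer: C=JP, ST=Hokkaido, CN=rainbow@ep.sci.hokudai.ac.jp
        Subject: C=JP, ST=Hokkaido, CN=rainbow.ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server'

check_cert_text "$SAMPLE_CA_TEXT" rainbow.ep.sci.hokudai.ac.jp || echo "sample 1: CA certificate, not usable for the server"
check_cert_text "$SAMPLE_SERVER_TEXT" rainbow.ep.sci.hokudai.ac.jp && echo "sample 2: OK"
```

Running the same check on the copied file with check_cert_file /etc/apache2/ssl/cacert.pem rainbow.ep.sci.hokudai.ac.jp shows what the browser sees before Apache is restarted.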