First install OpenSSL, then create a key and issue a site certificate.
Installation
# apt-get update
# apt-get install openssl
Also check whether the related packages ca-certificates and ssl-cert are installed, and install them if they are missing.
Creating the key and issuing the site certificate: use /usr/lib/ssl/misc/CA.sh. Note that -newca creates the CA's own key and self-signed CA certificate; a certificate for the server itself is issued in a separate step (CA.sh -newreq, then CA.sh -sign).
# cd /usr/lib/ssl/misc
# ./CA.sh -newca (see the script itself for a description of the options)
CA certificate filename (or enter to create) [enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: XXXXX # set the passphrase
Verifying - Enter PEM pass phrase: XXXXX # re-enter to confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: JP # country
State or Province Name (full name) [Some-State]: Hokkaido # region (prefecture)
Locality Name (eg, city) []: Sapporo # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Department of Science, Hokkaido Univ. # organization name
Organizational Unit Name (eg, section) []: Division of Earth and Planetary Sciences # department
Common Name (eg, YOUR name) []: rainbow.ep.sci.hokudai.ac.jp # the server's FQDN
Email Address []: root@rainbow.ep.sci.hokudai.ac.jp # administrator address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [enter]
An optional company name []: [enter]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: XXXXX # enter the passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
a7:b4:2d:62:f9:91:4b:43
Validity
Not Before: Sep 5 04:18:15 2011 GMT
Not After : Sep 4 04:18:15 2014 GMT
Subject:
countryName = JP
stateOrProvinceName = Hokkaido
organizationName = Department of Science, Hokkaido Univ.
organizationalUnitName = DIvision of Earth and Planetary Sciences
commonName = rainbow@ep.sci.hokudai.ac.jp
emailAddress = root@rainbow.ep.sci.hokudai.ac.jp
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:41:C0:7F:AF:6E:5F:2A:E5:54:B6:F9:95:22:8F:FF:57:56:F5:90
X509v3 Authority Key Identifier:
keyid:DA:41:C0:7F:AF:6E:5F:2A:E5:54:B6:F9:95:22:8F:FF:57:56:F5:90
DirName:/C=JP/ST=Hokkaido/O=Department of Science, Hokkaido Univ./OU=DIvision of Earth and Planetary Sciences/CN=rainbow@ep.sci.hokudai.ac.jp/emailAddress=root@rainbow.ep.sci.hokudai.ac.jp
serial:A7:B4:2D:62:F9:91:4B:43
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until Sep 4 04:18:15 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Removing the passphrase
As it stands, Apache prompts for the passphrase every time it starts, so remove the passphrase from the key that was just created. The resulting key file is unencrypted, so keep it readable by root only (mode 0600).
# openssl rsa -in ./demoCA/private/cakey.pem -out ./demoCA/private/cakey.pem
Enter pass phrase for ./demoCA/private/cakey.pem: XXXXX # enter the passphrase
writing RSA key
The files created in the steps so far are stored under /usr/lib/ssl/misc/demoCA.
Copying the key and site certificate under /etc/apache2
# cd /etc/apache2
# mkdir ssl
# cd ssl
# cp /usr/lib/ssl/misc/demoCA/cacert.pem .
# mkdir private
# cd private
# cp /usr/lib/ssl/misc/demoCA/private/cakey.pem .
Configuring the module for apache2
# cd /etc/apache2/sites-available/
# vi default-ssl
The items to edit are as follows:
Enabling the site and the module
# a2ensite default-ssl
# a2enmod ssl
Restarting apache
# /etc/init.d/apache2 restart
In Firefox 6.0.1, the message
Certificate type not approved for application. (error code: sec_error_inadequate_cert_type)
is displayed. Attempting to register an exception through the options produces the same error.
The cause can be read off the certificate details printed above: the file copied to Apache is the CA certificate created by -newca, with Basic Constraints CA:TRUE and Netscape Cert Type "SSL CA, S/MIME CA". Firefox refuses to use a CA certificate as a TLS server certificate, and this is not one of the errors the exception dialog can override, so registering an exception fails the same way. Keep cacert.pem as the CA only, issue a separate server certificate with CA.sh -newreq followed by CA.sh -sign (with the Common Name set to the server's FQDN; note that the Subject printed above reads CN=rainbow@ep.sci.hokudai.ac.jp, not the FQDN that was entered), point SSLCertificateFile and SSLCertificateKeyFile in default-ssl at that certificate and its key, and import cacert.pem into the browser as a trusted authority. The 1024-bit RSA key that CA.sh generated by default is also below current minimums; use at least 2048 bits.
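As an added example (not part of the original page), the following POSIX shell script performs the procedure above with openssl directly instead of CA.sh: it builds the private CA, issues a separate server certificate for rainbow.ep.sci.hokudai.ac.jp signed by that CA, and then checks which of the two certificates is actually usable as a server certificate, the check that explains the Firefox error. The working directory ./pki, the CA name "Rainbow Private CA", the 2048-bit key size and the two extension profiles are assumptions of this example; openssl must be installed.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a private CA with
# openssl(1), issues a separate server certificate for the host named on the
# page, and checks that the file handed to Apache is a server certificate
# (CA:FALSE, serverAuth, host name in the SAN) and not the CA certificate.
# Assumptions: openssl is installed; ./pki, the CA's CN and the extension
# profiles below are chosen here, not taken from the page.
set -eu

PKI=${PKI:-./pki}
HOST=rainbow.ep.sci.hokudai.ac.jp
DN_BASE="/C=JP/ST=Hokkaido/L=Sapporo/O=Department of Science, Hokkaido Univ./OU=Division of Earth and Planetary Sciences"

write_extensions() {
  # Two extension profiles: one for the CA certificate, one for the server.
  cat > "$PKI/ext.cnf" <<EOF
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

make_pki() {
  mkdir -p "$PKI"
  write_extensions
  # CA key and self-signed CA certificate. 2048-bit RSA and SHA-256 instead of
  # CA.sh's 1024-bit default; -nodes leaves the key unencrypted up front, which
  # is what the page achieves afterwards with "openssl rsa".
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/cakey.pem" \
    -subj "$DN_BASE/CN=Rainbow Private CA" -out "$PKI/ca.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/cakey.pem" -sha256 -days 3650 \
    -extfile "$PKI/ext.cnf" -extensions v3_ca -out "$PKI/cacert.pem" 2>/dev/null
  # Server key and CSR: the CN is the FQDN Apache serves, the SAN repeats it.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/server.key" \
    -subj "$DN_BASE/CN=$HOST" -out "$PKI/server.csr" 2>/dev/null
  # Sign the server CSR with the CA key using the server profile (CA:FALSE).
  openssl x509 -req -in "$PKI/server.csr" -CA "$PKI/cacert.pem" -CAkey "$PKI/cakey.pem" \
    -CAcreateserial -sha256 -days 365 -extfile "$PKI/ext.cnf" -extensions v3_server \
    -out "$PKI/server.crt" 2>/dev/null
}

# Returns 0 when the certificate is usable as a TLS server certificate for
# $HOST: not a CA, serverAuth EKU present, and the host name in the SAN.
is_server_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then return 1; fi
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$HOST" || return 1
  return 0
}

# Returns 0 when the private key belongs to the certificate (RSA modulus match).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the server certificate validates against the CA certificate.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  make_pki
  is_server_cert "$PKI/server.crt" && echo "server.crt: server certificate"
  is_server_cert "$PKI/cacert.pem" || echo "cacert.pem: CA certificate, not for Apache"
  key_matches_cert "$PKI/server.key" "$PKI/server.crt" && echo "key and certificate match"
  chains_to_ca "$PKI/cacert.pem" "$PKI/server.crt" && echo "server.crt chains to cacert.pem"
fi
```

Save it under a name of your choice and run it with the argument run. is_server_cert rejects cacert.pem because of CA:TRUE, the same property Firefox objects to, while server.crt passes all three checks; key_matches_cert catches the other common mistake at this point, pairing the certificate with the wrong key (here cakey.pem), which Apache only reports at start-up.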