Apache-ssl


Apache-ssl is software that adds encryption to the communication between a WWW server and its clients; this is what makes https possible. It requires the OpenSSL library. Despite the title, the steps below configure Debian's apache2 package with its mod_ssl module (enabled with a2enmod ssl) rather than a separate apache-ssl package.

Notes

Installing OpenSSL

    # aptitude update
    # aptitude install openssl

Editing openssl.cnf

  # emacs /etc/ssl/openssl.cnf

--------
    * [ CA_default ]
       default_days = 400 # how long to certify for
       (this applies to certificates the CA signs later; CA.sh -newca uses its own
       CADAYS value of 1095 days for the CA certificate itself, as the transcript below shows)
    * [ usr_cert ]
       uncomment nsCertType=server
    * [ v3_ca ]
       uncomment nsCertType=sslCA, emailCA
    * [ req_distinguished_name ]
       countryName_default             = JA
       stateOrProvinceName_default     = Hokkaido
       organizationName_default        = Department of Science
       organizationalUnitName_default  = Earth and Planetary Science

Two caveats. countryName must be a two-letter ISO 3166 code; Japan's is JP, and JA is what the transcript below reflects. Keep each setting on its own line: the "Country Name" prompt in the transcript shows the stateOrProvinceName_default line having run into the countryName_default value. The key size comes from default_bits in the [ req ] section; the 1024-bit key in the transcript is the old default and is too weak for current use, so raise it to 2048 before creating the CA.

Issuing the CA certificate

CA.sh -newca creates the demoCA/ directory under the current directory, generates the CA key, and writes a self-signed CA certificate.

     # cd /usr/lib/ssl/misc
     # ./CA.sh -newca

----------------------------------------------------
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...............+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JA stateOrProvinceName_default = Hokkaido]:JA
State or Province Name (full name) [Hokkaido]:Hokkaido
Locality Name (eg, city) []:Sapporo
Organization Name (eg, company) [Department of Science]:Department of Science
Organizational Unit Name (eg, section) []:Earth and Planetary Science
Common Name (e.g. server FQDN or YOUR name) []:www.ep.sci.hokudai.ac.jp
Email Address []:epwww.ep.sci.hokudai.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16574434081669068930 (0xe60437fb6f033882)
        Validity
            Not Before: Jul 14 09:09:56 2013 GMT
            Not After : Jul 13 09:09:56 2016 GMT
        Subject:
            countryName               = JA
            stateOrProvinceName       = Hokkaido
            organizationName          = Department of Science
            organizationalUnitName    = Earth and Planetary Science
            commonName                = www.ep.sci.hokudai.ac.jp
            emailAddress              = epwww.ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                66:B7:8D:68:5F:B8:CC:EE:61:78:31:14:FE:6D:70:18:EA:F4:51:6A
            X509v3 Authority Key Identifier:
                keyid:66:B7:8D:68:5F:B8:CC:EE:61:78:31:14:FE:6D:70:18:EA:F4:51:6A

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Jul 13 09:09:56 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
If you made a mistake, delete the generated files and run CA.sh -newca again (removing the whole demoCA directory also works: -newca recreates it, and that also clears the index.txt entry the first run wrote):
   # rm /usr/lib/ssl/misc/demoCA/private/cakey.pem
   # rm /usr/lib/ssl/misc/demoCA/newcerts/*.pem

Removing the passphrase

  • As it stands, apache asks for the passphrase every time it starts, so remove the passphrase from the key that was created. The result is a plaintext private key (and here it is the CA key, which this page also uses as the server key), so make it readable by root only, e.g. chmod 600: anyone who can read the file can impersonate the server and sign certificates with the CA.

  • # openssl rsa -in ./demoCA/private/cakey.pem -out ./demoCA/private/cakey.pem

    Running /usr/sbin/make-ssl-cert with no arguments prints its usage (it is used further down):
         # /usr/sbin/make-ssl-cert
         Usage: /usr/sbin/make-ssl-cert template output [--force-overwrite]
         Usage: /usr/sbin/make-ssl-cert generate-default-snakeoil [--force-overwrite]
    

    Writing out the certificate

    This re-emits only the PEM block of cacert.pem (CA.sh also writes a text dump above it) under the .crt name; the content is the same PEM certificate.

    # openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt
    

    Creating a DER file to import into the browser

    # openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
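The steps above end up using the CA's own key and certificate as the server's. As an added example that is not part of the original page, the script below does what a practitioner would normally want instead: one local CA, a separate server key and CSR signed by that CA with leaf-only extensions and a subjectAltName, root-only permissions on the plaintext keys, the DER export for browsers, and a final chain and hostname check. The output directory, the CA name and the subject fields other than the hostname are assumptions; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): a local CA that signs a
# separate server certificate, instead of reusing the CA key and CA
# certificate as the server's own. Directory layout and the CA name are
# assumptions; the hostname is the one the page uses for ServerName.
set -eu

build_pki() {
    dir="$1"    # output directory, e.g. /etc/apache2/ssl (assumed)
    host="$2"   # server FQDN that goes into CN and subjectAltName

    mkdir -p "$dir/private"
    chmod 700 "$dir/private"

    # 1. CA key (2048-bit; the page's 1024-bit default is too weak today)
    #    and a self-signed CA certificate with CA:TRUE, valid 3 years.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'C = JP' 'ST = Hokkaido' 'O = Department of Science' \
        'OU = Earth and Planetary Science' 'CN = EP local CA' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1095 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem"

    # 2. Server key without a passphrase: Apache cannot type one at boot,
    #    so file permissions (step 5) are the only protection it gets.
    openssl genrsa -out "$dir/private/server.key" 2048 2>/dev/null

    # 3. CSR for the server, signed by the CA for 400 days (the page's
    #    default_days) with leaf-only extensions and a SAN, which browsers
    #    check in addition to the CN.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'C = JP' 'ST = Hokkaido' 'O = Department of Science' \
        "CN = $host" > "$dir/server.cnf"
    openssl req -new -config "$dir/server.cnf" \
        -key "$dir/private/server.key" -out "$dir/server.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$dir/server.ext"
    openssl x509 -req -days 400 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 4. DER copy of the CA certificate for importing into browsers.
    openssl x509 -in "$dir/cacert.pem" -outform der -out "$dir/ca.der"

    # 5. Lock down the private keys; only root (Apache's parent) reads them.
    chmod 600 "$dir/private/cakey.pem" "$dir/private/server.key"
    rm -f "$dir/server.csr"

    # 6. Check the chain and the hostname before handing files to Apache.
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null
}

# Usage: sh this_script.sh /etc/apache2/ssl sango.ep.sci.hokudai.ac.jp
if [ "$#" -ge 2 ]; then
    build_pki "$1" "$2"
fi
```

With this layout Apache gets server.crt as SSLCertificateFile, server.key as SSLCertificateKeyFile and cacert.pem as the chain file, and a browser that has imported ca.der trusts the site without a self-signed warning, provided the name in the URL matches the SAN.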
    

    Configuring Apache2

    apache2 ssl setup (keep /etc/apache2/ssl/private readable by root only, since cakey.pem no longer has a passphrase)

    # mkdir /etc/apache2/ssl
    # cp ./demoCA/cacert.crt /etc/apache2/ssl
    # mkdir /etc/apache2/ssl/private
    # cp ./demoCA/private/cakey.pem /etc/apache2/ssl/private/
    # cd /etc/apache2/sites-available/
    # cp /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz .
    # gzip -d httpd-ssl.conf.gz
    # mv httpd-ssl.conf ssl

    Editing the default-ssl site

    This points default-ssl at the apache.pem file that make-ssl-cert creates further down (key and certificate in one file), in place of the snakeoil pair Debian ships:

    # cd /etc/apache2/sites-available
    # emacs default-ssl
      SSLCertificateFile    /etc/apache2/ssl/apache.pem
      SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
      #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
      #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    

    ssl site settings

    # emacs ssl
        register /etc/apache2/ssl/cacert.crt
        SSLCertificateFile /etc/apache2/ssl/cacert.crt

    register /etc/apache2/ssl/private/cakey.pem

      SSLCertificateKeyFile /etc/apache2/ssl/private/cakey.pem

    Note that this hands Apache the CA certificate (CA:TRUE, nsCertType sslCA) and the CA key as the server's own. It works as a self-signed certificate, but a CA is normally used to sign a separate server certificate, and the CA key should not sit in the web server's configuration.

    VirtualHost, ServerName and similar settings

        DocumentRoot "/var/www/"
        ServerName sango.ep.sci.hokudai.ac.jp
        ServerAdmin epwww@ep.sci.hokudai.ac.jp

    The Common Name in the CA certificate above is www.ep.sci.hokudai.ac.jp while ServerName is sango.ep.sci.hokudai.ac.jp; browsers compare the certificate name with the host in the URL, so the certificate should carry the name clients actually use.

    Revising /etc/apache2/sites-available/ssl

    # /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
        when asked for the host name, enter
        sango.ep.sci.hokudai.ac.jp

    make-ssl-cert writes a fresh self-signed key and certificate into apache.pem. It is unrelated to the CA built above, so a ca.der imported into a browser does not make this certificate trusted; from here on the CA is not used at all.

        # emacs /etc/apache2/sites-available/ssl
          #SSLCertificateFile "/etc/apache2/ssl/cacert.crt"
      SSLCertificateFile "/etc/apache2/ssl/apache.pem"
      #SSLCertificateKeyFile "/etc/apache2/ssl/private/cakey.pem"
      SSLCertificateKeyFile "/etc/apache2/ssl/apache.pem"
     

    Checking the configuration

    # apache2ctl -t
      Syntax OK

    Enabling the site and the module

    # a2ensite default-ssl
    # a2enmod ssl

    Restart apache2 so that the newly enabled module is loaded

    # /etc/init.d/apache2 restart
    
    What to do if restarting apache2 produces an error like the following.
    [Fri Sep 21 14:00:22 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence .....

    Edit /etc/apache2/sites-available/ssl and comment out
    Listen 443
    Note: writing Listen 443 in more than one config (.conf) file produces the message above. On Debian, /etc/apache2/ports.conf already contains Listen 443 inside an <IfModule mod_ssl.c> block, so the Listen 443 in ssl (the copied httpd-ssl.conf) is the duplicate to comment out.
    Reference URL: http://blog.paz-para.com/?p=584
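As an added example, not the page's own configuration, the script below writes a default-ssl site that leaves the Listen to ports.conf and points at a server certificate signed by the local CA (the file names under the ssl/ directory are assumptions), and counts the active Listen 443 lines under a config root so the duplicate behind the overlap warning is found before restarting.

```shell
#!/bin/sh
# Added example, not from the original page. Writes an SSL virtual host
# for Debian's apache2 (mod_ssl) and counts how many "Listen 443"
# directives are active in a config tree, which is what triggers the
# "_default_ VirtualHost overlap on port 443" warning. The config root
# ($1) and the certificate file names are assumptions.
set -eu

# Write sites-available/default-ssl for $host. It deliberately contains
# no "Listen 443": ports.conf already listens on 443 when mod_ssl is
# enabled, so a second Listen here causes the overlap warning.
write_ssl_vhost() {
    root="$1"   # apache config root, e.g. /etc/apache2 (assumed)
    host="$2"   # ServerName
    mkdir -p "$root/sites-available"
    cat > "$root/sites-available/default-ssl" <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $host
    ServerAdmin epwww@ep.sci.hokudai.ac.jp
    DocumentRoot /var/www/

    SSLEngine on
    # Server certificate and key signed by the local CA (not the CA's own
    # key and certificate), plus the CA certificate so that browsers which
    # imported ca.der can build the chain.
    SSLCertificateFile      $root/ssl/server.crt
    SSLCertificateKeyFile   $root/ssl/private/server.key
    SSLCertificateChainFile $root/ssl/cacert.pem
</VirtualHost>
</IfModule>
EOF
}

# Print the number of uncommented "Listen 443" (or "Listen addr:443")
# lines in ports.conf, conf.d and the enabled sites. More than one
# means the overlap warning will appear on restart.
active_listen_443() {
    root="$1"
    grep -RhE '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' \
        "$root/ports.conf" "$root/conf.d" "$root/sites-enabled" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Usage: sh this_script.sh /etc/apache2 sango.ep.sci.hokudai.ac.jp
if [ "$#" -ge 2 ]; then
    write_ssl_vhost "$1" "$2"
    echo "active Listen 443 directives: $(active_listen_443 "$1")"
fi
```

Run the count before a2ensite and again after; the number should stay at 1. If it rises, the newly enabled site carries its own Listen 443 and that line is the one to comment out, exactly as the page does for the copied httpd-ssl.conf.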
    
    

    Checking that https works

    https://sango.ep.sci.hokudai.ac.jp/

    Type the address above into a browser (or click the URL); when the connection is made, the browser reports that the site's certificate is self-signed.
    That means it is working. The warning is expected: apache.pem is a self-signed certificate that no browser trusts by default. Adding an exception is fine on a test host; a production server should use a certificate signed by a CA the clients trust.

    If it does not work

    The symbolic link under /etc/apache2/sites-enabled/ may be pointing at /etc/apache2/sites-available/ssl, in which case the site does not come up; change it to /etc/apache2/sites-available/default-ssl (a2ensite default-ssl creates that link; check with ls -l /etc/apache2/sites-enabled/).

    Last updated: 2014/05/22 (Kensuke Watanabe) Copyright © 2013 epcore