Installing openssl
# apt-get update
# apt-get install openssl
Edit the following items in /etc/ssl/openssl.cnf
[ CA_default ]
default_days = 400 # how long to certify for
[usr_cert]
Uncomment nsCertType=server
[v3_ca]
Uncomment nsCertType=sslCA, emailCA
Use /usr/lib/ssl/misc/CA.sh
# cd /usr/lib/ssl/misc
# ./CA.sh -newca
Answer the prompts as appropriate.
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
..............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JA]:
State or Province Name (full name) [Hokkaido]:
Locality Name (eg, city) []:Sapporo
Organization Name (eg, company) [Department of Science]:
Organizational Unit Name (eg, section) [Earth and Planetary science]:
Common Name (eg, YOUR name) []:www.ep.sci.hokudai.ac.jp
Email Address []:epwww.ep.sci.hokudai.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
10797:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:850:You must type in 4 to 8191 characters
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f1:44:1b:72:4d:69:8d:0a
        Validity
            Not Before: Sep 25 11:21:49 2011 GMT
            Not After : Sep 24 11:21:49 2014 GMT
        Subject:
            countryName               = JA
            stateOrProvinceName       = Hokkaido
            organizationName          = Department of Science
            organizationalUnitName    = Earth and Planetary science
            commonName                = www.ep.sci.hokudai.ac.jp
            emailAddress              = epwww.ep.sci.hokudai.ac.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0A:D6:3A:35:F0:2A:08:0A:15:99:8F:5D:36:24:E2:72:0C:8D:63:F1
            X509v3 Authority Key Identifier:
                keyid:0A:D6:3A:35:F0:2A:08:0A:15:99:8F:5D:36:24:E2:72:0C:8D:63:F1
                DirName:/C=JA/ST=Hokkaido/O=Department of Science/OU=Earth and Planetary science/CN=www.ep.sci.hokudai.ac.jp/emailAddress=epwww.ep.sci.hokudai.ac.jp
                serial:F1:44:1B:72:4D:69:8D:0A
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Sep 24 11:21:49 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
...
Note that the CA certificate itself is issued for 1095 days because CA.sh passes its own -days 1095 for -newca; the default_days = 400 set above applies to certificates signed later with this CA.
Left like this, Apache would prompt for the pass phrase every time it starts, so remove the pass phrase from the key that was just created. Note that cakey.pem is the CA's private key: once it is unencrypted it is protected only by file permissions, so keep it owned by root with mode 0600.
# openssl rsa -in ./demoCA/private/cakey.pem -out ./demoCA/private/cakey.pem
Running /usr/sbin/make-ssl-cert printed the following message:
Usage: /usr/sbin/make-ssl-cert template output [--force-overwrite]
Usage: /usr/sbin/make-ssl-cert generate-default-snakeoil [--force-overwrite]
Creating the certificate
# openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt
Creating a DER file to import into browsers
# openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
Apache2 SSL configuration
# mkdir /etc/apache2/ssl
# cp ./demoCA/cacert.crt /etc/apache2/ssl
# mkdir /etc/apache2/ssl/private
# cp ./demoCA/private/cakey.pem /etc/apache2/ssl/private/
# cd /etc/apache2/sites-available/
# cp /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz .
# gzip -d httpd-ssl.conf.gz
# mv httpd-ssl.conf ssl
Configuring the Apache2 module
# cd /etc/apache2/sites-available
# vi default-ssl
SSLCertificateFile    /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSL configuration
# vi ssl
Register /etc/apache2/ssl/cacert.crt:
SSLCertificateFile /etc/apache2/ssl/cacert.crt
Register /etc/apache2/ssl/private/cakey.pem:
SSLCertificateKeyFile /etc/apache2/ssl/private/cakey.pem
Set VirtualHost, ServerName and so on
DocumentRoot "/var/www/"
ServerName sango.ep.sci.hokudai.ac.jp
ServerAdmin epwww@ep.sci.hokudai.ac.jp
Modifying /etc/apache2/sites-available/ssl
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apa che.pem
It asks for the host name; enter sango.ep.sci.hokudai.ac.jp.
# vi /etc/apache2/sites-available/ssl
#SSLCertificateFile "/etc/apache2/ssl/cacert.crt"
SSLCertificateFile "/etc/apache2/ssl/apache.pem"
#SSLCertificateKeyFile "/etc/apache2/ssl/private/cakey.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/apache.pem"
Checking the configuration
# apache2ctl -t
Syntax OK
Enabling the modules
# a2ensite default-ssl
# a2enmod ssl
Since a module was enabled, restart apache2
# /etc/init.d/apache2 restart
Error
root@sango:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Syntax error on line 102 of /etc/apache2/sites-enabled/ssl:
SSLCertificateFile: file '/etc/apache2/ssl/apache.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
 failed!
Error 2
The command had been entered as
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apa che.pem
so running it as
# /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
made it work.
[Fri Sep 21 14:00:22 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
=====>>>> Fix /etc/apache2/sites-available/ssl: comment out Listen 443.
Note: if Listen 443 is written more than once across the config (.conf) files, the message above appears, so comment out the Listen 443 in ssl (httpd-ssl.conf).
Reference URL: http://blog.paz-para.com/?p=584
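Both failures above can be caught before restarting Apache. The following pre-flight check is an added example, not part of the original note or of Apache; the function names and the constructed sample config tree are assumptions, and it only needs grep and coreutils.

```shell
# Added example (not from the page): pre-flight check for an Apache SSL config tree
# that catches the two mistakes hit above: a cert/key path that does not exist or
# is empty ("apa che.pem") and "Listen 443" in more than one file (vhost overlap).
# Print one line per problem found under config directory $1 (nothing if clean).
ssl_config_problems() {
    confdir=$1
    # (a) every active SSLCertificateFile / SSLCertificateKeyFile must name a
    #     non-empty file; commented-out directives do not match the anchored regex
    grep -rE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+' "$confdir" |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        rest=${rest#"${rest%%[![:space:]]*}"}        # trim leading whitespace
        directive=${rest%%[[:space:]]*}
        path=${rest#*[[:space:]]}; path=${path#"${path%%[![:space:]]*}"}
        case $path in
            \"*) path=${path#\"}; path=${path%%\"*} ;;  # quoted path, may contain spaces
            *)   path=${path%%[[:space:]]*} ;;         # bare path: first word only
        esac
        [ -s "$path" ] || echo "$file: $directive '$path' does not exist or is empty"
    done
    # (b) "Listen 443" active in more than one file: Apache warns and only the first wins
    listeners=$(grep -rlE '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$confdir" || true)
    n=$(printf '%s\n' "$listeners" | grep -c . || true)
    [ "$n" -le 1 ] || echo "Listen 443 appears in $n files: $(printf '%s' "$listeners" | tr '\n' ' ')"
}

# Return 0 when the tree is clean, otherwise print the findings and return 1.
apache_ssl_preflight() {
    findings=$(ssl_config_problems "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree reproducing both mistakes (not a real Apache install).
make_broken_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl" "$d/sites-enabled"
    printf 'stand-in cert\n' > "$d/ssl/cacert.crt"    # non-empty placeholder, not a real cert
    : > "$d/ssl/apache.pem"                            # empty: make-ssl-cert never wrote it
    printf 'Listen 443\n' > "$d/ports.conf"
    {
        printf 'Listen 443\n<VirtualHost _default_:443>\n'
        printf '  #SSLCertificateFile "%s/ssl/cacert.crt"\n' "$d"
        printf '  SSLCertificateFile "%s/ssl/apache.pem"\n' "$d"
        printf '  SSLCertificateKeyFile "%s/ssl/apa che.pem"\n' "$d"
        printf '</VirtualHost>\n'
    } > "$d/sites-enabled/ssl"
    echo "$d"
}
```

Run `apache_ssl_preflight /etc/apache2` on a real host, or `apache_ssl_preflight "$(make_broken_tree)"` to see the two findings that correspond to the errors above.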
Last updated: 2013/01/28 (古田 裕規), created: 2012/11/28 (古田 裕規) | epwww © 2012 |