18 January 2008

Apache initial setup (adding SSL) on Fedora 8

Add an SSL configuration to Apache.

Install the SSL module for Apache

[root@localhost ~]# yum install mod_ssl

Instead of a key and certificate issued by a certification authority, we use a key generated on the server itself, so we create the private key, a certificate signing request (CSR), and a self-signed certificate. Browsers will warn about a self-signed certificate because no trusted CA vouches for it; that is acceptable for a test or private server, not for a public site.

[root@localhost ~]# cd /etc/pki/tls/certs ← move to the key directory
[root@localhost certs]# ll -a ← directory contents before creating the keys
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert
[root@localhost certs]# make server.key ← create the private key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
........++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase: ← choose a pass phrase for the key and enter it
Verifying - Enter pass phrase:
↓ Remove the pass phrase from the private key (so httpd can start without prompting for it)
[root@localhost certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: ← re-enter the pass phrase chosen above
writing RSA key
[root@localhost certs]# make server.csr ← create the certificate signing request (it carries the public key)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:No Name Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:webmaster@localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← leave blank
An optional company name []: ← leave blank
↓ Create the (self-signed) certificate
[root@localhost certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 1095
Signature ok
subject=/C=JP/ST=Tokyo/L=Tiyodaku/O=No Name Company/CN=oasis.homelinux.net/emailAddress=webmaster@oasis.homelinux.net
Getting Private key
[root@localhost certs]# ll -a ← directory contents after creating the keys
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert
-rw------- 1 root root 716 2008-01-18 21:01 server.csr
-rw------- 1 root root 887 2008-01-18 21:00 server.key
-rw-r--r-- 1 root root 977 2008-01-18 21:03 server.pem
[root@localhost certs]# chmod 400 ./server.* ← restrict to read-only for root

Three points worth keeping in mind here. After the openssl rsa step the private key sits on disk unencrypted, so the chmod 400 is its only protection; do not skip it. The Makefile's default 1024-bit RSA modulus is weak by current standards; pass a larger size (2048 bits or more) if the Makefile allows it or run openssl genrsa yourself. The Common Name must match the hostname clients actually type into the browser, or they will get a name-mismatch warning on top of the self-signed one.

Editing the SSL configuration file

/etc/httpd/conf.d/ssl.conf
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html" ← use the same directory as plain HTTP this time
#ServerName www.example.com:443 ← left commented out
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/server.pem ← certificate file
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key ← private key file

The stock configuration keeps the key under /etc/pki/tls/private rather than certs; either location works as long as the file is root-only and the two paths point at a matching key and certificate. mod_ssl refuses to start if the key does not correspond to the certificate, so check the pair before restarting httpd.
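The key generation above, together with the check that the SSLCertificateFile/SSLCertificateKeyFile pair really belong together, as an added example that is not from the original post. It produces the key and self-signed certificate in one non-interactive openssl call instead of the Makefile targets, uses 2048-bit RSA rather than 1024, and then compares the modulus of the key with the modulus inside the certificate. It assumes openssl is installed; WORKDIR and the subject fields are placeholders for this example (on the Fedora box in the post the files live in /etc/pki/tls/certs).

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl is on PATH.
# WORKDIR defaults to a scratch directory; point it at /etc/pki/tls/certs on a real host.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Subject is an assumption for the example; the CN must match the hostname clients use.
SUBJECT="/C=JP/ST=Tokyo/L=Tiyodaku/O=No Name Company/CN=localhost.localdomain"

# Create an unencrypted private key and a self-signed certificate in one step.
# -nodes skips the pass phrase, which is what the post achieves with the extra
# "openssl rsa -in server.key -out server.key" round trip. 2048 bits instead of
# the 1024 used on the page, since 1024-bit RSA is no longer considered adequate.
make_selfsigned() {
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "$SUBJECT" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.pem" 2>/dev/null
    # Same tightening as the chmod 400 ./server.* step in the post.
    chmod 400 "$WORKDIR/server.key" "$WORKDIR/server.pem"
}

# Return 0 when the public key inside the certificate matches the private key.
# Comparing modulus hashes is the standard check for a mismatched
# SSLCertificateFile / SSLCertificateKeyFile pair in ssl.conf.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.pem" | openssl sha256)
    [ "$k" = "$c" ]
}

# Print the certificate subject so the CN can be compared with the hostname;
# a mismatch produces a browser warning even with a CA-issued certificate.
cert_subject() {
    openssl x509 -noout -subject -in "$WORKDIR/server.pem"
}

# Octal mode of the key file, to confirm that the chmod 400 took effect.
key_mode() {
    stat -c '%a' "$WORKDIR/server.key" 2>/dev/null || stat -f '%Lp' "$WORKDIR/server.key"
}

make_selfsigned
key_matches_cert && echo "key and certificate match"
cert_subject
key_mode
```

Run it once before restarting httpd; if key_matches_cert fails, the paths in ssl.conf point at a key and certificate from different generations and mod_ssl will not start.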