18 January 2008

Initial Apache setup on Fedora 8 (adding SSL)

Add an SSL configuration to Apache.

Install the SSL module for Apache

[root@localhost ~]# yum install mod_ssl

Because we use a key generated on the server itself rather than one issued by a certificate authority, we create the private key, the certificate signing request (which carries the public key), and the certificate ourselves.

[root@localhost ~]# cd /etc/pki/tls/certs ← move to the directory that holds the key files

[root@localhost certs]# ll -a ← directory contents before creating the keys
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert

[root@localhost certs]# make server.key ← create the private key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
........++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase: ← choose a passphrase for the key and enter it
Verifying - Enter pass phrase:

↓ remove the passphrase (encryption) from the private key
[root@localhost certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: ← re-enter the passphrase you just chose
writing RSA key

[root@localhost certs]# make server.csr ← create the certificate signing request (it contains the public key)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:No Name Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:webmaster@localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← leave blank
An optional company name []: ← leave blank

↓ create the (self-signed) certificate
[root@localhost certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 1095

Signature ok
subject=/C=JP/ST=Tokyo/L=Tiyodaku/O=No Name Company/CN=oasis.homelinux.net/emailAddress=webmaster@oasis.homelinux.net
Getting Private key

[root@localhost certs]# ll -a ← directory contents after creating the keys
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert
-rw------- 1 root root 716 2008-01-18 21:01 server.csr
-rw------- 1 root root 887 2008-01-18 21:00 server.key
-rw-r--r-- 1 root root 977 2008-01-18 21:03 server.pem

[root@localhost certs]# chmod 400 ./server.* ← restrict the files to read-only for root

Editing the SSL configuration file

/etc/httpd/conf.d/ssl.conf

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html" ← this time we use the same directory as plain http, so this line is enabled (leading # removed)
#ServerName www.example.com:443

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/server.pem ← certificate file

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key ← private key file
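As an added example that is not part of the original post: the whole procedure above (encrypted private key, passphrase stripped, CSR, self-signed certificate, chmod 400) as a non-interactive POSIX shell script, followed by checks that the certificate really belongs to the private key, that it is currently valid, and that the key file ended up root read-only. Stripping the passphrase is what lets httpd start unattended, so from that point the file mode is the only thing protecting the key, which is why the permission check is part of the script. The function names (make_selfsigned_cert, cert_matches_key, cert_is_valid_now, key_mode, ssl_conf_snippet), the use of -aes256 in place of the Makefile's -des3, and the DN values are this example's own assumptions; the certificate is self-signed, so browsers warn about it exactly as they do for the post's server.pem.

```shell
#!/bin/sh
# Added example, not the original post's commands. Reproduces the post's steps
# non-interactively; function names and DN values are this example's own.

# make_selfsigned_cert DIR CN DAYS PASSPHRASE
# Runs in a subshell so umask and failures stay local. Produces
# DIR/server.key, DIR/server.csr and DIR/server.pem, all mode 400.
make_selfsigned_cert() (
    dir=$1; cn=$2; days=$3; pass=$4
    umask 077                       # same as the "umask 77" in the Makefile
    # 1. private key, encrypted with a passphrase (post: make server.key / -des3;
    #    -aes256 here is an assumption of this example)
    openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$dir/server.key.enc" 2048 2>/dev/null || exit 1
    # 2. strip the passphrase so httpd can start unattended (post: openssl rsa)
    openssl rsa -in "$dir/server.key.enc" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null || exit 1
    rm -f "$dir/server.key.enc"
    # 3. certificate signing request; -subj replaces the interactive DN prompts
    #    (constructed sample values, like the post's "No Name Company")
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=No Name Company/CN=$cn" 2>/dev/null || exit 1
    # 4. self-sign the request with the same private key (post: openssl x509 -req)
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.pem" 2>/dev/null || exit 1
    # 5. root read-only, as in the post's chmod 400 ./server.*
    chmod 400 "$dir"/server.*
)

# cert_matches_key CERT KEY
# Returns 0 when the certificate's RSA modulus equals the private key's,
# i.e. SSLCertificateFile and SSLCertificateKeyFile really form a pair.
cert_matches_key() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    km=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# cert_is_valid_now CERT
# Returns 0 when the certificate is not expired at this moment.
cert_is_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# key_mode FILE
# Prints the 10-character permission string from ls -l, e.g. "-r--------".
key_mode() {
    ls -l "$1" | cut -c1-10
}

# ssl_conf_snippet DIR
# Prints the two directives to put into /etc/httpd/conf.d/ssl.conf for files
# generated in DIR.
ssl_conf_snippet() {
    printf 'SSLCertificateFile %s/server.pem\n' "$1"
    printf 'SSLCertificateKeyFile %s/server.key\n' "$1"
}

# Usage: sh selfsigned.sh /etc/pki/tls/certs localhost.localdomain 1095 'temporary passphrase'
if [ $# -eq 4 ]; then
    make_selfsigned_cert "$1" "$2" "$3" "$4" \
        && cert_matches_key "$1/server.pem" "$1/server.key" \
        && echo "key mode: $(key_mode "$1/server.key")" \
        && ssl_conf_snippet "$1"
fi
```

The modulus comparison is the check worth keeping around: a mismatched SSLCertificateFile / SSLCertificateKeyFile pair is the most common reason httpd refuses to start after editing ssl.conf, and this catches it before the restart.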