
Installing openssl

# apt-get update
# apt-get install openssl

Creating the CA certificate

# cd /usr/lib/ssl
# mkdir fujita-lab_CA
# cp misc/CA.sh fujita-lab_CA
# cd fujita-lab_CA
# vi CA.sh
DAYS="-days 3650"
CADAYS="-days 3650"
CATOP=/usr/lib/ssl/fujita-lab_CA
Edit the settings around these lines.
# vi ../openssl.cnf
[ CA_default ]
dir             = /usr/lib/ssl/fujita-lab_CA            # Where everything is kept

#x509_extensions        = usr_cert              # The extentions to add to the cert
x509_extensions = v3_ca                 # The extentions to add to the cert
# ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
.....++++++
writing new private key to '/usr/lib/ssl/fujita-lab_CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Hachioji
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fujita-lab
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:fujita-lab CA
Email Address []:root@fujita-lab.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /usr/lib/ssl/fujita-lab_CA/private/./cakey.pem
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Nov 28 07:08:36 2008 GMT
            Not After : Nov 26 07:08:36 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = fujita-lab
            commonName                = fujita-lab CA
            emailAddress              = root@fujita-lab.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                77:FC:D6:29:E3:D3:4D:3F:F3:DA:65:45:F7:4B:6F:67:BA:CC:80:34
            X509v3 Authority Key Identifier:
                keyid:77:FC:D6:29:E3:D3:4D:3F:F3:DA:65:45:F7:4B:6F:67:BA:CC:80:34
                DirName:/C=JP/ST=Tokyo/O=fujita-lab/CN=fujita-lab CA/emailAddress=root@fujita-lab.com
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 26 07:08:36 2018 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

The private key must not be readable by anyone else, so set its access permissions properly.

# chmod 600 private/cakey.pem
# chmod 700 private/

Creating the CA certificate for browsers (DER format; run from the CA directory, where cacert.pem lives)

# openssl x509 -inform pem -in cacert.pem -outform der -out ca.der


Creating the server certificate for Apache

Create a cnf for signing the server certificate

# cp ../openssl.cnf ../openssl-server.cnf
# vi ../openssl-server.cnf
[ CA_default ]
x509_extensions = usr_cert              # The extentions to add to the cert
[ usr_cert ]
nsCertType                      = server

First, create the key file

# mkdir -p /etc/apache2/ssl/private
# openssl genrsa -rand /var/log/apache2/access.log -des3 -out /etc/apache2/ssl/private/serverkey.pem 1024
66342 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
....................++++++
.............................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/apache2/ssl/serverkey.pem:
Verifying - Enter pass phrase for /etc/apache2/ssl/serverkey.pem:

Being prompted for the passphrase every time Apache starts is annoying, so remove the passphrase. The key is then stored unencrypted on disk, so it must be readable by root only (chmod 600, as done for the CA key above).

# openssl rsa -in /etc/apache2/ssl/private/serverkey.pem -out /etc/apache2/ssl/private/serverkey.pem
Enter pass phrase for /etc/apache2/ssl/private/serverkey.pem:
writing RSA key

Generate a CSR for the certificate

# openssl req -new -days 3650 -key /etc/apache2/ssl/private/serverkey.pem -out /etc/apache2/ssl/csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Hachioji
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fujita-lab
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.fujita-lab.com
Email Address []:root@fujita-lab.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:

Create the server certificate

# openssl ca -config ../openssl-server.cnf -in /etc/apache2/ssl/csr.pem -keyfile private/cakey.pem -cert cacert.pem -out /etc/apache2/ssl/cert.pem
Using configuration from ../openssl-server.cnf
Enter pass phrase for private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 28 07:18:52 2008 GMT
            Not After : Nov 26 07:18:52 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = fujita-lab
            commonName                = www.fujita-lab.com
            emailAddress              = root@fujita-lab.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:8F:42:5C:53:71:79:BA:91:A5:CC:C7:E9:B2:B2:B1:3C:0B:3E:94
            X509v3 Authority Key Identifier:
                keyid:77:FC:D6:29:E3:D3:4D:3F:F3:DA:65:45:F7:4B:6F:67:BA:CC:80:34

Certificate is to be certified until Nov 26 07:18:52 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Registering the certificate with Apache

Prepare the site config for SSL

# gzip -dc /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz > /etc/apache2/sites-available/fujita-lab-ssl
# vi /etc/apache2/sites-available/fujita-lab-ssl
Adjust the following as appropriate
NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot "/var/www"
ServerName www.fujita-lab.com
ServerAdmin root@fujita-lab.com
ErrorLog /var/log/apache2/ssl_error_log
TransferLog /var/log/apache2/ssl_access_log
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/serverkey.pem

Enable mod_ssl

# a2enmod ssl

Enable the SSL site

# a2ensite fujita-lab-ssl

Restart and verify

# /etc/init.d/apache2 force-reload

References

Debian orz.hm: OpenSSL + mod_ssl with Apache2

Creating a self-signed CA and self-signed certificates with OpenSSL


Last-modified: 2008-11-28 (Fri) 22:56:02