httpd.conf - Part 1: Basic settings


-- Install the additional packages "mod_ssl" and "openssl"
# yum install mod_ssl
# yum install openssl

-- Create the private key
-- Certificate authorities apparently no longer accept 1024-bit keys; specify 2048 bits or more
# openssl genrsa -des3 -out wwwgrot3com.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for wwwgrot3com.key:			←pass phrase
Verifying - Enter pass phrase for wwwgrot3com.key:	←pass phrase again

-- Create the CSR (Certificate Signing Request) file
# openssl req -new -key wwwgrot3com.key -out wwwgrot3com.csr
Enter pass phrase for wwwgrot3com.key:		←the pass phrase set on the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:JP				←country
State or Province Name (full name) []:Aichi			←prefecture / state
Locality Name (eg, city) [Default City]:Kasugai City		←city
Organization Name (eg, company) [Default Company Ltd]:grot3	←organization name
Organizational Unit Name (eg, section) []:			←department
Common Name (eg, your name or your server's hostname) []	←domain name
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

-- Make sure nobody else can read the generated private key
# chmod 400 wwwgrot3com.key
-- Make sure nobody else can read the generated CSR
# chmod 400 wwwgrot3com.csr

-- Ask a certificate authority to sign the generated CSR

-- Or, instead of using a certificate authority, sign it yourself (self-signed certificate)
# openssl x509 -in wwwgrot3com.csr -out wwwgrot3com.crt -req -signkey wwwgrot3com.key -days 365
Signature ok
subject=/C=JP/ST=Aichi/L=Kasugai City/O=grot3/
Getting Private key
Enter pass phrase for wwwgrot3com.key:		←the pass phrase set on the private key


-- Edit ssl.conf
# vi ssl.conf

-- Specify the certificate (public key) and the private key
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/wwwgrot3com.crt

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/wwwgrot3com.key

-- Restart httpd
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: [Fri Feb 14 23:30:57 2014] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server (RSA)
Enter pass phrase:				←the pass phrase set on the private key

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]


-- The contents of the CSR, the private key and the certificate can be decoded and inspected with the following commands.
# openssl req -noout -text -in wwwgrot3com.csr
# openssl rsa -noout -text -in wwwgrot3com.key
# openssl x509 -noout -text -in wwwgrot3com.crt
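As an added example (not code from the original post), the same key, CSR and self-signed certificate steps as a non-interactive script, plus the two checks worth running before pointing ssl.conf at the files: that the private key and the certificate actually belong together, and that the key is at least 2048 bits. The function names are assumptions; the DN values are those from the CSR session above, and the key is written without a pass phrase (no -des3), which is what avoids the pass-phrase prompt seen in the restart output.

```shell
#!/bin/sh
# Added example, not code from the original post. Names such as
# make_selfsigned, key_matches_cert and key_bits are assumptions.
set -eu

# make_selfsigned <server hostname> <output dir> [days]
# Creates <dir>/<name>.key, <name>.csr and <name>.crt, where <name> is the
# hostname with the dots removed (www.grot3.com -> wwwgrot3com, as in the post).
make_selfsigned() {
  cn=$1; dir=$2; days=${3:-365}
  base="$dir/$(printf '%s' "$cn" | tr -d '.')"
  umask 077            # new files start out 0600, so the key is never world-readable
  mkdir -p "$dir"
  # 2048 bits: the post notes that CAs no longer accept 1024-bit keys.
  # No -des3: an unencrypted key means httpd does not prompt for a pass phrase.
  openssl genrsa -out "$base.key" 2048 2>/dev/null
  # -subj supplies the DN non-interactively; CN must be the server's hostname.
  openssl req -new -key "$base.key" -out "$base.csr" \
    -subj "/C=JP/ST=Aichi/L=Kasugai City/O=grot3/CN=$cn"
  # Self-sign, as in the post (a CA would sign the CSR instead).
  openssl x509 -req -in "$base.csr" -signkey "$base.key" -days "$days" \
    -out "$base.crt" 2>/dev/null
  chmod 400 "$base.key" "$base.csr"
  printf '%s\n' "$base"
}

# key_matches_cert <key> <cert>: succeeds only if the certificate carries the
# public key of this private key (the RSA modulus must be identical in both).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_bits <key>: prints the RSA key length taken from "openssl rsa -text",
# so a caller can reject anything below 2048.
key_bits() {
  openssl rsa -noout -text -in "$1" 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Usage: create the files for www.grot3.com under ./ssl and verify them.
# base=$(make_selfsigned www.grot3.com ./ssl)
# key_matches_cert "$base.key" "$base.crt" && echo "key and certificate match"
# key_bits "$base.key"
```

The modulus comparison is the check to run whenever a restart fails after swapping certificate or key files, since a mismatched pair is the usual cause.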