CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(SSLサーバ構築まで)

CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(認証局構築まで) - 4丁目よりの続き

CSR(Certificate Signing Request)作成

cd /etc/pki/tls/misc/
./CA -newreq
Generating a 2048 bit RSA private key
........+++
...+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:【パスワード入力】
Verifying - Enter PEM pass phrase:【パスワード入力】
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:【enter】
State or Province Name (full name) [Osaka]:【enter】
Locality Name (eg, city) [Chuo-ku]:【enter】
Organization Name (eg, company) [localhost Inc.]:【enter】
Organizational Unit Name (eg, section) []:【enter】
Common Name (eg, your name or your server's hostname) []:192.168.0.133【ドメイン入力】
Email Address []:【enter】

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:【enter】
An optional company name []:【enter】
Request is in newreq.pem, private key is in newkey.pem

認証局でサーバー証明書の作成を行う。

CSR(Certificate Signing Request)にサインするといった感じでしょうか。

 ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 15 08:16:11 2010 GMT
            Not After : Aug 15 08:16:11 2011 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Chuo-ku
            organizationName          = localhost Inc.
            commonName                = 192.168.0.133
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                67:A1:C1:47:08:42:CD:9E:A7:B7:96:F6:1B:4A:C6:CB:5C:97:7D:F2
            X509v3 Authority Key Identifier: 
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

Certificate is to be certified until Aug 15 08:16:11 2011 GMT (365 days)
Sign the certificate? [y/n]:y【enter】


1 out of 1 certificate requests certified, commit? [y/n]y【enter】
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Osaka, O=localhost Inc., CN=privateCA
        Validity
            Not Before: Aug 15 08:16:11 2010 GMT
            Not After : Aug 15 08:16:11 2011 GMT
        Subject: C=JP, ST=Osaka, L=Chuo-ku, O=localhost Inc., CN=192.168.0.133
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:fc:79:c3:ec:d7:e1:1d:09:0d:0d:2a:85:43:53:
                    89:7f:c7:ad:72:c6:e2:da:42:08:4d:da:62:57:74:
                    ea:37:65:4a:89:43:76:db:0c:3f:1d:77:76:d0:a1:
                    b0:33:60:c4:0a:7c:64:77:02:43:68:88:98:f0:95:
                    80:94:3d:a8:0e:52:fb:c7:b2:5d:28:1f:f3:fd:a1:
                    2e:c8:57:96:99:97:91:e0:1a:56:51:07:99:e9:25:
                    26:8e:29:e7:81:da:5a:b9:17:0b:81:d6:4e:dd:a5:
                    1e:1b:1e:9c:47:f1:58:a8:a1:cd:5d:74:9f:fb:f9:
                    66:35:c1:31:12:41:4e:fc:8f:40:e7:ee:cd:50:12:
                    9a:27:87:7c:bf:f6:51:73:9b:3f:34:c5:11:7c:83:
                    d0:7d:70:e2:6f:7e:55:0a:3b:31:4f:65:68:2a:2d:
                    0e:9b:93:07:39:ca:f6:18:da:9b:4e:8d:40:89:a3:
                    fc:80:c3:ee:6f:bc:56:9b:d5:45:f2:a0:ab:ca:21:
                    0b:9a:4f:f8:12:fe:b3:72:49:a7:23:d6:79:a6:ea:
                    34:4b:41:ca:dd:8d:84:a2:42:26:d3:db:0e:08:60:
                    d9:af:cd:23:19:56:b0:4a:be:22:cb:55:7a:2f:ad:
                    fa:4f:8e:de:0a:f2:52:fb:c4:0f:4c:67:d4:43:7b:
                    c5:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                67:A1:C1:47:08:42:CD:9E:A7:B7:96:F6:1B:4A:C6:CB:5C:97:7D:F2
            X509v3 Authority Key Identifier: 
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

    Signature Algorithm: sha1WithRSAEncryption
        92:b5:ff:8b:78:51:37:5c:cc:52:07:ff:e5:f8:43:1f:3f:f1:
        ae:72:ae:bb:6d:d0:b7:d8:22:92:b8:7d:37:c4:44:ed:82:9a:
        07:15:6b:de:aa:45:8a:42:15:b9:d2:9a:4d:27:f8:91:89:c9:
        cb:2d:cb:43:70:e3:b0:96:ea:e6:99:26:45:9b:36:4a:61:07:
        9a:ce:8c:ac:bc:da:b7:24:e3:9e:01:ee:5d:51:ad:34:a2:d7:
        c5:40:c8:ff:69:b8:c5:df:b4:9d:a3:36:99:7b:0f:5d:b1:47:
        47:73:04:ea:a5:9d:6c:f8:1e:0e:6e:7f:88:e3:af:bf:26:2d:
        85:fc:b9:5a:d3:19:88:04:94:73:93:e8:89:30:4e:5b:cb:a3:
        ad:3d:68:80:10:06:8f:55:00:d9:c9:2f:32:56:be:b7:f2:07:
        af:4e:40:05:39:17:f3:b7:22:84:6f:c8:c1:d0:b5:86:4a:15:
        11:cb:87:4d:8b:80:fc:18:1a:1f:4a:e6:e7:9d:be:78:bd:af:
        40:c3:f8:e6:73:25:fe:6e:17:13:7d:f4:4c:0f:8b:c0:03:cd:
        81:f0:86:f4:ff:bd:b8:27:70:5e:03:d3:8b:78:a1:08:1d:2b:
        9e:b3:f0:4f:1d:8d:7a:78:3b:bb:a7:70:c5:07:fd:a9:a0:3b:
        0c:d7:f3:02
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJKUDEO
MAwGA1UECBMFT3Nha2ExFzAVBgNVBAoTDmxvY2FsaG9zdCBJbmMuMRIwEAYDVQQD
Ewlwcml2YXRlQ0EwHhcNMTAwODE1MDgxNjExWhcNMTEwODE1MDgxNjExWjBgMQsw
CQYDVQQGEwJKUDEOMAwGA1UECBMFT3Nha2ExEDAOBgNVBAcTB0NodW8ta3UxFzAV
BgNVBAoTDmxvY2FsaG9zdCBJbmMuMRYwFAYDVQQDEw0xOTIuMTY4LjAuMTMzMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/HnD7NfhHQkNDSqFQ1OJf8et
csbi2kIITdpiV3TqN2VKiUN22ww/HXd20KGwM2DECnxkdwJDaIiY8JWAlD2oDlL7
x7JdKB/z/aEuyFeWmZeR4BpWUQeZ6SUmjinngdpauRcLgdZO3aUeGx6cR/FYqKHN
XXSf+/lmNcExEkFO/I9A5+7NUBKaJ4d8v/ZRc5s/NMURfIPQfXDib35VCjsxT2Vo
Ki0Om5MHOcr2GNqbTo1AiaP8gMPub7xWm9VF8qCryiELmk/4Ev6zckmnI9Z5puo0
S0HK3Y2EokIm09sOCGDZr80jGVawSr4iy1V6L636T47eCvJS+8QPTGfUQ3vFCwID
AQABo34wfDAMBgNVHRMEBTADAQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl
bmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUZ6HBRwhCzZ6nt5b2G0rGy1yX
ffIwHwYDVR0jBBgwFoAUH9VpExAIlNw8v4RvrLEosNQbk38wDQYJKoZIhvcNAQEF
BQADggEBAJK1/4t4UTdczFIH/+X4Qx8/8a5yrrtt0LfYIpK4fTfERO2CmgcVa96q
RYpCFbnSmk0n+JGJycsty0Nw47CW6uaZJkWbNkphB5rOjKy82rck454B7l1RrTSi
18VAyP9puMXftJ2jNpl7D12xR0dzBOqlnWz4Hg5uf4jjr78mLYX8uVrTGYgElHOT
6IkwTlvLo609aIAQBo9VANnJLzJWvrfyB69OQAU5F/O3IoRvyMHQtYZKFRHLh02L
gPwYGh9K5uedvni9r0DD+OZzJf5uFxN99EwPi8ADzYHwhvT/vbgncF4D04t4oQgd
K56z8E8djXp4O7uncMUH/amgOwzX8wI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

サーバの証明書をwebサーバ用に変換

openssl x509 -in /etc/pki/tls/misc/newcert.pem -out /etc/pki/tls/misc/newcert.crt

作成した証明書関係のパーミッションを変更

chmod 0400 /etc/pki/tls/misc/newkey.pem #秘密鍵
chmod 0400 /etc/pki/tls/misc/newreq.pem #CSR(Certificate Signing Request)
chmod 0400 /etc/pki/tls/misc/newcert.pem #CAの署名入り公開鍵(pem形式)
chmod 0400 /etc/pki/tls/misc/newcert.crt #CAの署名入り公開鍵(crt形式)

作成した証明書関係をrootディレクトリに移動

mkdir -p /root/pki/webserver
mv new* /root/pki/webserver/

作成した証明書関係をWEBサーバの設定ディレクトリに移動

mkdir -p /etc/httpd/conf.d/pki
chmod 0700 /etc/httpd/conf.d/pki
cp /root/pki/webserver/newkey.pem /etc/httpd/conf.d/pki/privatekey.httpd.pem
cp /root/pki/webserver/newcert.crt /etc/httpd/conf.d/pki/httpd.crt

証明書をwebサーバに取り込む

/etc/httpd/conf.d/ssl.confをバックアップ
cp -p /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
/etc/httpd/conf.d/ssl.confを修正
 *** /etc/httpd/conf.d/ssl.conf.org      2010-04-05 06:22:02.000000000 +0900
 --- /etc/httpd/conf.d/ssl.conf  2010-08-15 21:37:52.000000000 +0900
***************
*** 109,122 ****
  # the certificate is encrypted, then you will be prompted for a
  # pass phrase.  Note that a kill -HUP will prompt again.  A new
  # certificate can be generated using the genkey(1) command.
! SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  
  #   Server Private Key:
  #   If the key is not combined with the certificate, use this
  #   directive to point at the key file.  Keep in mind that if
  #   you've both a RSA and a DSA private key you can configure
  #   both in parallel (to also allow the use of DSA ciphers, etc.)
! SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  
  #   Server Certificate Chain:
  #   Point SSLCertificateChainFile at a file containing the
--- 109,122 ----
  # the certificate is encrypted, then you will be prompted for a
  # pass phrase.  Note that a kill -HUP will prompt again.  A new
  # certificate can be generated using the genkey(1) command.
! SSLCertificateFile /etc/httpd/conf.d/pki/httpd.crt
  
  #   Server Private Key:
  #   If the key is not combined with the certificate, use this
  #   directive to point at the key file.  Keep in mind that if
  #   you've both a RSA and a DSA private key you can configure
  #   both in parallel (to also allow the use of DSA ciphers, etc.)
! SSLCertificateKeyFile /etc/httpd/conf.d/pki/privatekey.httpd.pem
  
  #   Server Certificate Chain:
  #   Point SSLCertificateChainFile at a file containing the
webサーバ用の秘密鍵をパスフレーズ付き秘密鍵に変更
openssl rsa -in /etc/httpd/conf.d/pki/privatekey.httpd.pem -out /etc/httpd/conf.d/pki/privatekey.httpd.pem
【パスワード入力】
httpdの再起動
/etc/init.d/httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]
ブラウザでアクセスして確認する。

f:id:mitsugi-bb:20100815124124p:image
f:id:mitsugi-bb:20100815125941p:image
鍵マークが問題なく表示されていることを確認。

/var/www/html/index.php

<?php
foreach($_SERVER as $key => $value){
  echo '$_SERVER["'.$key.'"]=>'.$value."<br />";
}