Building an extranet with CentOS 5.5 + httpd + mod_ssl + mod_php (part 2: up to the SSL server)
Continued from "CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(認証局構築まで)" (building the certificate authority) - 4丁目
Creating the CSR (Certificate Signing Request)

The CA helper script installed with OpenSSL generates the server's RSA key pair and the request in one go. The defaults shown in brackets come from the /etc/pki/tls/openssl.cnf edited in the previous part; the Common Name must be exactly what clients will type into the browser, since that is what they match against.

cd /etc/pki/tls/misc/
./CA -newreq
Generating a 2048 bit RSA private key
........+++
...+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: [type a pass phrase]
Verifying - Enter PEM pass phrase: [type it again]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: [Enter]
State or Province Name (full name) [Osaka]: [Enter]
Locality Name (eg, city) [Chuo-ku]: [Enter]
Organization Name (eg, company) [localhost Inc.]: [Enter]
Organizational Unit Name (eg, section) []: [Enter]
Common Name (eg, your name or your server's hostname) []:192.168.0.133 [the server's host name or address]
Email Address []: [Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Enter]
An optional company name []: [Enter]
Request is in newreq.pem, private key is in newkey.pem

The pass phrase entered here encrypts newkey.pem on disk. Keep it in mind: httpd cannot read an encrypted key without prompting for it, which is dealt with at the end of this page. Using a bare IP address as the Common Name, as done here, only works for clients that accept a CN match without a subjectAltName; a host name that resolves for every extranet client is the more portable choice.
Issuing the server certificate at the certificate authority

In other words, the CA signs the CSR. The CA -sign script runs openssl ca against newreq.pem, using the CA key created in the previous part (hence the prompt for its pass phrase), and writes the result to newcert.pem.

./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 15 08:16:11 2010 GMT
            Not After : Aug 15 08:16:11 2011 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Chuo-ku
            organizationName          = localhost Inc.
            commonName                = 192.168.0.133
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                67:A1:C1:47:08:42:CD:9E:A7:B7:96:F6:1B:4A:C6:CB:5C:97:7D:F2
            X509v3 Authority Key Identifier:
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

Certificate is to be certified until Aug 15 08:16:11 2011 GMT (365 days)
Sign the certificate? [y/n]:y [Enter]

1 out of 1 certificate requests certified, commit? [y/n]y [Enter]
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Osaka, O=localhost Inc., CN=privateCA
        Validity
            Not Before: Aug 15 08:16:11 2010 GMT
            Not After : Aug 15 08:16:11 2011 GMT
        Subject: C=JP, ST=Osaka, L=Chuo-ku, O=localhost Inc., CN=192.168.0.133
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:fc:79:c3:ec:d7:e1:1d:09:0d:0d:2a:85:43:53:
                    89:7f:c7:ad:72:c6:e2:da:42:08:4d:da:62:57:74:
                    ea:37:65:4a:89:43:76:db:0c:3f:1d:77:76:d0:a1:
                    b0:33:60:c4:0a:7c:64:77:02:43:68:88:98:f0:95:
                    80:94:3d:a8:0e:52:fb:c7:b2:5d:28:1f:f3:fd:a1:
                    2e:c8:57:96:99:97:91:e0:1a:56:51:07:99:e9:25:
                    26:8e:29:e7:81:da:5a:b9:17:0b:81:d6:4e:dd:a5:
                    1e:1b:1e:9c:47:f1:58:a8:a1:cd:5d:74:9f:fb:f9:
                    66:35:c1:31:12:41:4e:fc:8f:40:e7:ee:cd:50:12:
                    9a:27:87:7c:bf:f6:51:73:9b:3f:34:c5:11:7c:83:
                    d0:7d:70:e2:6f:7e:55:0a:3b:31:4f:65:68:2a:2d:
                    0e:9b:93:07:39:ca:f6:18:da:9b:4e:8d:40:89:a3:
                    fc:80:c3:ee:6f:bc:56:9b:d5:45:f2:a0:ab:ca:21:
                    0b:9a:4f:f8:12:fe:b3:72:49:a7:23:d6:79:a6:ea:
                    34:4b:41:ca:dd:8d:84:a2:42:26:d3:db:0e:08:60:
                    d9:af:cd:23:19:56:b0:4a:be:22:cb:55:7a:2f:ad:
                    fa:4f:8e:de:0a:f2:52:fb:c4:0f:4c:67:d4:43:7b:
                    c5:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                67:A1:C1:47:08:42:CD:9E:A7:B7:96:F6:1B:4A:C6:CB:5C:97:7D:F2
            X509v3 Authority Key Identifier:
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

    Signature Algorithm: sha1WithRSAEncryption
        92:b5:ff:8b:78:51:37:5c:cc:52:07:ff:e5:f8:43:1f:3f:f1:
        ae:72:ae:bb:6d:d0:b7:d8:22:92:b8:7d:37:c4:44:ed:82:9a:
        07:15:6b:de:aa:45:8a:42:15:b9:d2:9a:4d:27:f8:91:89:c9:
        cb:2d:cb:43:70:e3:b0:96:ea:e6:99:26:45:9b:36:4a:61:07:
        9a:ce:8c:ac:bc:da:b7:24:e3:9e:01:ee:5d:51:ad:34:a2:d7:
        c5:40:c8:ff:69:b8:c5:df:b4:9d:a3:36:99:7b:0f:5d:b1:47:
        47:73:04:ea:a5:9d:6c:f8:1e:0e:6e:7f:88:e3:af:bf:26:2d:
        85:fc:b9:5a:d3:19:88:04:94:73:93:e8:89:30:4e:5b:cb:a3:
        ad:3d:68:80:10:06:8f:55:00:d9:c9:2f:32:56:be:b7:f2:07:
        af:4e:40:05:39:17:f3:b7:22:84:6f:c8:c1:d0:b5:86:4a:15:
        11:cb:87:4d:8b:80:fc:18:1a:1f:4a:e6:e7:9d:be:78:bd:af:
        40:c3:f8:e6:73:25:fe:6e:17:13:7d:f4:4c:0f:8b:c0:03:cd:
        81:f0:86:f4:ff:bd:b8:27:70:5e:03:d3:8b:78:a1:08:1d:2b:
        9e:b3:f0:4f:1d:8d:7a:78:3b:bb:a7:70:c5:07:fd:a9:a0:3b:
        0c:d7:f3:02
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJKUDEO
MAwGA1UECBMFT3Nha2ExFzAVBgNVBAoTDmxvY2FsaG9zdCBJbmMuMRIwEAYDVQQD
Ewlwcml2YXRlQ0EwHhcNMTAwODE1MDgxNjExWhcNMTEwODE1MDgxNjExWjBgMQsw
CQYDVQQGEwJKUDEOMAwGA1UECBMFT3Nha2ExEDAOBgNVBAcTB0NodW8ta3UxFzAV
BgNVBAoTDmxvY2FsaG9zdCBJbmMuMRYwFAYDVQQDEw0xOTIuMTY4LjAuMTMzMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/HnD7NfhHQkNDSqFQ1OJf8et
csbi2kIITdpiV3TqN2VKiUN22ww/HXd20KGwM2DECnxkdwJDaIiY8JWAlD2oDlL7
x7JdKB/z/aEuyFeWmZeR4BpWUQeZ6SUmjinngdpauRcLgdZO3aUeGx6cR/FYqKHN
XXSf+/lmNcExEkFO/I9A5+7NUBKaJ4d8v/ZRc5s/NMURfIPQfXDib35VCjsxT2Vo
Ki0Om5MHOcr2GNqbTo1AiaP8gMPub7xWm9VF8qCryiELmk/4Ev6zckmnI9Z5puo0
S0HK3Y2EokIm09sOCGDZr80jGVawSr4iy1V6L636T47eCvJS+8QPTGfUQ3vFCwID
AQABo34wfDAMBgNVHRMEBTADAQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl
bmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUZ6HBRwhCzZ6nt5b2G0rGy1yX
ffIwHwYDVR0jBBgwFoAUH9VpExAIlNw8v4RvrLEosNQbk38wDQYJKoZIhvcNAQEF
BQADggEBAJK1/4t4UTdczFIH/+X4Qx8/8a5yrrtt0LfYIpK4fTfERO2CmgcVa96q
RYpCFbnSmk0n+JGJycsty0Nw47CW6uaZJkWbNkphB5rOjKy82rck454B7l1RrTSi
18VAyP9puMXftJ2jNpl7D12xR0dzBOqlnWz4Hg5uf4jjr78mLYX8uVrTGYgElHOT
6IkwTlvLo609aIAQBo9VANnJLzJWvrfyB69OQAU5F/O3IoRvyMHQtYZKFRHLh02L
gPwYGh9K5uedvni9r0DD+OZzJf5uFxN99EwPi8ADzYHwhvT/vbgncF4D04t4oQgd
K56z8E8djXp4O7uncMUH/amgOwzX8wI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Look at the extension block before going further: this server certificate was issued with X509v3 Basic Constraints: CA:TRUE. A server (leaf) certificate must carry CA:FALSE. With CA:TRUE, whoever holds this server's private key can issue further certificates that every client trusting privateCA will accept, so a compromise of the web server becomes a compromise of the whole extranet PKI. The CA -sign script takes its extensions from the usr_cert section of /etc/pki/tls/openssl.cnf, whose stock setting is basicConstraints=CA:FALSE; if that section was changed while building the CA, restore it and issue the server certificate again (openssl ca will refuse to reuse the serial, so revoke or simply discard the first one). The signature algorithm, sha1WithRSAEncryption, is the CentOS 5 default; default_md = sha256 in the [ CA_default ] section is the better choice where the clients support it.
Converting the server certificate for the web server

newcert.pem as written by CA -sign holds the human-readable dump above followed by the PEM block. OpenSSL's PEM reader skips everything before the BEGIN line, so mod_ssl would load it as is, but a file holding only the PEM block is easier to compare, distribute and diff. openssl x509 reads the certificate and writes just the PEM block:

openssl x509 -in /etc/pki/tls/misc/newcert.pem -out /etc/pki/tls/misc/newcert.crt
Restricting permissions on the certificate files

chmod 0400 /etc/pki/tls/misc/newkey.pem   # private key (still pass-phrase protected at this point)
chmod 0400 /etc/pki/tls/misc/newreq.pem   # CSR (Certificate Signing Request)
chmod 0400 /etc/pki/tls/misc/newcert.pem  # CA-signed certificate (text dump + PEM, as written by CA -sign)
chmod 0400 /etc/pki/tls/misc/newcert.crt  # CA-signed certificate (PEM only)

Only newkey.pem is secret; the CSR and the certificates are public data. Locking all four down to root-only read is harmless, though, and keeps the private key from being the one odd file in the directory.
Moving the certificate files to a directory under root's home

The glob below relies on the working directory still being /etc/pki/tls/misc from the CSR step; the path is spelled out so the command is safe from any directory.

mkdir -p /root/pki/webserver
mv /etc/pki/tls/misc/new* /root/pki/webserver/
Copying the key and certificate into the web server's configuration directory

mkdir -p /etc/httpd/conf.d/pki
chmod 0700 /etc/httpd/conf.d/pki
cp /root/pki/webserver/newkey.pem  /etc/httpd/conf.d/pki/privatekey.httpd.pem
cp /root/pki/webserver/newcert.crt /etc/httpd/conf.d/pki/httpd.crt

The copies stay owned by root with mode 0400 (cp carries the source mode over to a new file), which is what httpd needs: it reads the key and certificate as root at startup, before dropping to the apache user, so the apache user must not be able to read the key. httpd only includes conf.d/*.conf, so files in the pki subdirectory are never parsed as configuration.
Pointing the web server at the certificate

Back up /etc/httpd/conf.d/ssl.conf:

cp -p /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org

Edit /etc/httpd/conf.d/ssl.conf so that SSLCertificateFile and SSLCertificateKeyFile point at the copied files:
*** /etc/httpd/conf.d/ssl.conf.org 2010-04-05 06:22:02.000000000 +0900 --- /etc/httpd/conf.d/ssl.conf 2010-08-15 21:37:52.000000000 +0900 *************** *** 109,122 **** # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. ! SSLCertificateFile /etc/pki/tls/certs/localhost.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) ! SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the --- 109,122 ---- # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. ! SSLCertificateFile /etc/httpd/conf.d/pki/httpd.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) ! SSLCertificateKeyFile /etc/httpd/conf.d/pki/privatekey.httpd.pem # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the
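Review bot: the file this hunk points SSLCertificateKeyFile at, /etc/httpd/conf.d/pki/privatekey.httpd.pem, is still encrypted with the PEM pass phrase chosen at CSR creation, so, exactly as the hunk's own context says ("if the certificate is encrypted, then you will be prompted for a pass phrase"), httpd will stop at a pass-phrase prompt on every start, including unattended reboots, until the pass phrase is stripped from the key (the page does this next) or SSLPassPhraseDialog is pointed at a script that supplies it. Also note that no client trusts privateCA by default; SSLCACertificateFile is not needed for server-only TLS, but the CA certificate from the previous part has to be imported into every extranet client's trust store or they will reject this certificate.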
Removing the pass phrase from the web server's private key

The key copied into /etc/httpd/conf.d/pki is encrypted with the pass phrase entered at CSR creation, so httpd would prompt for it at every start and an unattended reboot would hang. openssl rsa reads the encrypted key (prompting for the pass phrase once) and writes the same key back unencrypted:

openssl rsa -in /etc/httpd/conf.d/pki/privatekey.httpd.pem -out /etc/httpd/conf.d/pki/privatekey.httpd.pem
Enter pass phrase for /etc/httpd/conf.d/pki/privatekey.httpd.pem: [type the pass phrase]
writing RSA key

From here on the key is protected only by file permissions (0400, root, inside a 0700 directory), which is why the chmod steps above matter. Writing to a new file and moving it over the old one is the safer habit than reading and writing the same path, so that a failed run (a mistyped pass phrase, for instance) cannot leave you without a usable key; the original encrypted copy in /root/pki/webserver/newkey.pem is the fallback here.
Restarting httpd

/etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

If the start hangs instead, it is waiting for a pass phrase on the terminal: the key is still encrypted.
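The whole procedure on this page (CSR, CA signature, PEM-only certificate, pass-phrase removal), as an added example that is not the page's own commands: it uses a throwaway private CA under a temporary directory in place of the one built in the previous part, issues the server certificate with an explicit leaf profile (basicConstraints CA:FALSE, serverAuth, the IP in a subjectAltName) instead of whatever usr_cert happens to say, and runs the checks worth doing before httpd is restarted: the certificate chains to the CA, it is not itself a CA, and it matches the key. The passphrase, the config file, the file names under $WORK and the helper function names are all assumptions of this example; it needs only openssl(1).

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA + server
# certificate issued with a proper leaf profile, plus pre-flight checks
# and pass-phrase removal. Assumes openssl(1) on PATH. Everything lands
# under a temp dir; names, passphrase and config are stand-ins.
set -eu
umask 077                                  # every file we create starts out 0600

WORK=${WORK:-$(mktemp -d)}
SERVER_CN=${SERVER_CN:-192.168.0.133}      # the page's CN is a bare IP address
KEYPASS=${KEYPASS:-stand-in-passphrase}    # plays the PEM pass phrase typed at "CA -newreq"
CFG="$WORK/openssl.cnf"

# Minimal config with a CA profile and a *leaf* profile. The leaf profile is
# the point: CA:FALSE, server EKU, and the address in a SAN, not only the CN.
write_config() {
  cat >"$CFG" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = JP
ST = Osaka
O = localhost Inc.
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = IP:$SERVER_CN
EOF
}

# Throwaway CA standing in for privateCA from the previous part
# (unencrypted key for brevity; a real CA key stays encrypted and offline).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$CFG" -extensions v3_ca \
    -subj "/C=JP/ST=Osaka/O=localhost Inc./CN=privateCA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  chmod 0400 "$WORK/cakey.pem"
}

# Equivalent of "CA -newreq": a pass-phrase-encrypted 2048-bit key plus a CSR.
make_csr() {
  openssl req -new -newkey rsa:2048 -passout "pass:$KEYPASS" -sha256 \
    -config "$CFG" \
    -subj "/C=JP/ST=Osaka/L=Chuo-ku/O=localhost Inc./CN=$SERVER_CN" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
  chmod 0400 "$WORK/newkey.pem"
}

# Equivalent of "CA -sign" with the leaf profile applied. The output is
# PEM only, like the page's newcert.crt after "openssl x509 -in ... -out".
sign_csr() {
  openssl x509 -req -in "$WORK/newreq.pem" -days 365 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$CFG" -extensions v3_server -out "$WORK/httpd.crt" 2>/dev/null
}

# Pre-flight checks; returns 0 only if all pass.
# Usage: check_cert CERT KEY CACERT [passphrase]
check_cert() {
  cert=$1; key=$2; cacert=$3; pass=${4:-}
  # 1. The certificate chains to the CA we expect.
  openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 || return 1
  # 2. It is a leaf, not a CA (the page's own output shows CA:TRUE here).
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' || return 1
  # 3. Certificate and key belong together: same RSA modulus.
  if [ -n "$pass" ]; then
    kmod=$(openssl rsa -in "$key" -noout -modulus -passin "pass:$pass" 2>/dev/null)
  else
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  fi
  cmod=$(openssl x509 -in "$cert" -noout -modulus)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
}

# The page's last key step: strip the pass phrase so httpd starts unattended.
# Writes a new file instead of rewriting the input in place.
strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$KEYPASS" -out "$2" 2>/dev/null
  chmod 0400 "$2"
}

# 0 if KEY is stored unencrypted (what httpd needs to start without a prompt).
key_is_plaintext() {
  ! grep -q ENCRYPTED "$1"
}

write_config
make_ca
make_csr
sign_csr
check_cert "$WORK/httpd.crt" "$WORK/newkey.pem" "$WORK/cacert.pem" "$KEYPASS"
strip_passphrase "$WORK/newkey.pem" "$WORK/privatekey.httpd.pem"
echo "server certificate and key ready under $WORK"
```

On the real server the files named httpd.crt and privatekey.httpd.pem are what SSLCertificateFile and SSLCertificateKeyFile point at; running check_cert against those two paths plus the CA certificate is the test to repeat after any re-issue, before the httpd restart, since a mismatched or CA-flagged certificate only shows up otherwise as a failed start or as an unnoticed weakness.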