Enabling SSL on Apache
Last updated 2017-08-19 (Sat) 20:32:05
Enable SSL for httpd on CentOS 6.9

 # yum install openssl
 # yum install mod_ssl
 # cd /etc/httpd/conf

Create the following files inside /etc/httpd/conf.

1. Create the private key server.key

 # openssl genrsa -aes128 2048 > server.key
 Generating RSA private key, 2048 bit long modulus
 .................................+++
 ...............................+++
 e is 65537 (0x10001)
 Enter pass phrase:
 Verifying - Enter pass phrase:

2. Create the CSR (public key file) server.csr

 # openssl req -new -key server.key > server.csr
 Enter pass phrase for server.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:JP
 State or Province Name (full name) []:Mie
 Locality Name (eg, city) [Default City]:Matsusaka
 Organization Name (eg, company) [Default Company Ltd]:Ootsuji-C
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:www.ootsuji-c.com
 Email Address []:okada@ootsuji-c.com

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 # ls
 httpd.conf  magic  server.csr  server.key

3. Create the certificate file server.crt from the private key and the CSR (valid for 10 years)

 # openssl x509 -in server.csr -days 3650 -req -signkey server.key > server.crt
 Signature ok
 subject=/C=JP/ST=Mie/L=Matsusaka/O=Ootsuji-C/CN=www.ootsuji-c.com/emailAddress=okada@ootsuji-c.com
 Getting Private key
 Enter pass phrase for server.key:

Stop httpd from asking for the pass phrase at startup

 # mv server.key server.key.bak
 # openssl rsa -in server.key.bak > server.key
 Enter pass phrase for server.key.bak:
 writing RSA key
 # ls
 httpd.conf  magic  server.crt  server.csr  server.key  server.key.bak

Apache configuration

 <VirtualHost _default_:443>

 # General setup for the virtual host, inherited from global configuration
 #DocumentRoot "/var/www/html"
 #ServerName www.example.com:443

 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn

 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on

 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
 SSLProtocol all -SSLv2

 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
 SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
 ## SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 SSLCertificateFile /etc/httpd/conf/server.crt          ← changed to the certificate file created above

 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 ## SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 SSLCertificateKeyFile /etc/httpd/conf/server.key       ← changed to the private key that no longer asks for a pass phrase

 #   Server Certificate Chain:
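The key, CSR and certificate steps above in non-interactive form, together with the checks worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at the files. This is an added example, not code from the original page; the output directory, the subject fields and the hostname passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the key/CSR/certificate steps
# done non-interactively, plus checks to run before pointing SSLCertificateFile
# and SSLCertificateKeyFile at the files. The directory, subject fields and
# hostname passed in are assumptions.
set -e

# Unencrypted 2048-bit RSA key and 10-year self-signed certificate in one step.
# -nodes skips the pass phrase (the page strips it afterwards anyway so httpd
# can start unattended), so the key is protected only by file permissions:
# the subshell's umask 077 makes openssl create it mode 0600.
make_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/C=JP/ST=Mie/L=Matsusaka/O=Ootsuji-C/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
    chmod 644 "$dir/server.crt"   # the certificate itself is public
}

# Does the certificate belong to this key? Compare the public key derived
# from each file; on a mismatch mod_ssl refuses to start.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Is the key free of a pass phrase (no ENCRYPTED header, as after the
# "openssl rsa -in server.key.bak > server.key" step) and readable only by
# its owner? A world-readable unencrypted key is the usual mistake here.
key_is_unattended_and_private() {
    ! grep -q ENCRYPTED "$1" && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Will the certificate still be valid in 30 days? A self-signed certificate
# like the 10-year one above expires silently unless something checks it.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}
```

The page's SSLProtocol all -SSLv2 still permits SSLv3 and TLS 1.0; on any current system that line should also exclude those, e.g. SSLProtocol all -SSLv2 -SSLv3.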
It could also be accessed by IP address.

Reference