Enabling SSL on Apache

Updated 2017-08-19 (Sat) 20:32:05

Enable SSL on httpd on CentOS 6.9

# yum install openssl
# yum install mod_ssl
# cd /etc/httpd/conf

Create the following files inside /etc/httpd/conf

1 Create the private key server.key

# openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

2 Create the public key file (certificate signing request) server.csr

# openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Mie
Locality Name (eg, city) [Default City]:Matsusaka
Organization Name (eg, company) [Default Company Ltd]:Ootsuji-C
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.ootsuji-c.com
Email Address []:okada@ootsuji-c.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls
httpd.conf  magic  server.csr  server.key

3 Create the certificate file server.crt from the private key and the public key file (valid for 10 years)

# openssl x509 -in server.csr -days 3650 -req -signkey server.key > server.crt
Signature ok
subject=/C=JP/ST=Mie/L=Matsusaka/O=Ootsuji-C/CN=www.ootsuji-c.com/emailAddress=okada@ootsuji-c.com
Getting Private key
Enter pass phrase for server.key:

Avoid the pass phrase prompt when httpd starts

# mv server.key server.key.bak
# openssl rsa -in server.key.bak > server.key
Enter pass phrase for server.key.bak:
writing RSA key
# ls
httpd.conf  magic  server.crt  server.csr  server.key  server.key.bak
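As an added example (not from the original page), the three steps above plus the pass-phrase removal as one non-interactive shell script, followed by two checks the page does not perform: that server.crt really belongs to server.key, and that the unencrypted key is readable only by its owner. The page's "openssl rsa -in server.key.bak > server.key" creates the file with the shell's default umask, so a world-readable copy of the key is easy to end up with; the script creates it under umask 077 instead. The scratch directory, the pass phrase "demo" and the DN below are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the page's own commands: key, CSR and self-signed cert
# generated unattended, pass phrase stripped, then verified. Pass phrase "demo",
# the DN and the scratch directory are constructed values for this demo.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
SUBJ="/C=JP/ST=Mie/L=Matsusaka/O=Example/CN=www.example.com"

# Steps 1-3 of the page with the pass phrase passed via -passout/-passin
# instead of the interactive prompt. Runs in a subshell so cd/umask do not
# leak into the caller.
make_cert() (
    cd "$WORKDIR"
    openssl genrsa -aes128 -passout pass:demo -out server.key.bak 2048 2>/dev/null
    openssl req -new -key server.key.bak -passin pass:demo -subj "$SUBJ" \
        -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -days 3650 -signkey server.key.bak \
        -passin pass:demo -out server.crt 2>/dev/null
    # Same as the page's "avoid the pass phrase prompt" step, but the
    # unencrypted copy is created owner-readable only (mode 600).
    umask 077
    openssl rsa -in server.key.bak -passin pass:demo -out server.key 2>/dev/null
)

# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. SSLCertificateFile and
# SSLCertificateKeyFile actually belong together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$c" = "$k" ]
}

# Returns 0 when the key file is readable only by its owner (mode 600 or 400).
# GNU stat first, BSD stat as fallback.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prints the notAfter date, so the 10-year expiry can be put on a renewal calendar.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

# Stand-alone usage: generate, then report.
if [ "${1:-}" = "run" ]; then
    make_cert
    cert_matches_key "$WORKDIR/server.crt" "$WORKDIR/server.key" && echo "cert/key match: ok"
    key_is_private "$WORKDIR/server.key" && echo "key permissions: ok"
    cert_expiry "$WORKDIR/server.crt"
fi
```

Run it as "sh check_cert.sh run". The modulus-style comparison is done on the SubjectPublicKeyInfo PEM output of both files, which is the same check as comparing "openssl x509 -modulus" with "openssl rsa -modulus" but works for any key type.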

Apache configuration

  • /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
## SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/server.crt  ← changed to the certificate file created above

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
## SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/server.key ← changed to the private key without a pass phrase

#   Server Certificate Chain:
  • Restart httpd

Access by IP address also worked
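The ssl.conf above is the CentOS 6 mod_ssl default with only the certificate paths changed, and two of its directives are worth a second look: "SSLProtocol all -SSLv2" disables SSLv2 but still permits SSLv3, and the cipher string ends in "+3DES", which keeps triple DES negotiable. As an added example (not from the original page), a small POSIX shell audit that reads such a config, flags those two settings, and shows a hardened equivalent. The config text is constructed inline from the directives on this page; the hardened values are the editor's suggestion, not something the page states.

```shell
#!/bin/sh
# Added example, not the page's own configuration: audit the SSLProtocol and
# SSLCipherSuite values of a mod_ssl config for SSLv3 and 3DES. Both config
# strings below are constructed for the demo.
set -eu

# Mirrors the directives from the page's ssl.conf (comments stripped).
SAMPLE_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key'

# Hardened equivalent (editor's suggestion): no SSLv2/SSLv3, no 3DES,
# server-side cipher preference enforced.
HARDENED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key'

# Print the value of directive $1 from config text on stdin (first match wins).
directive() {
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Returns 0 if SSLv3 would be enabled. mod_ssl semantics: a "-SSLv3" token
# removes it; otherwise "all", "+SSLv3" or a bare "SSLv3" enables it.
allows_sslv3() {
    proto=$(printf '%s\n' "$1" | directive SSLProtocol)
    for tok in $proto; do
        case "$tok" in -SSLv3) return 1 ;; esac
    done
    for tok in $proto; do
        case "$tok" in all|+SSLv3|SSLv3) return 0 ;; esac
    done
    return 1
}

# Returns 0 if 3DES stays negotiable: no "!3DES" exclusion, and either an
# explicit 3DES token or a group keyword that contains 3DES in at least one
# OpenSSL release (DEFAULT, ALL, HIGH, MEDIUM). "+3DES" only moves 3DES to
# the end of the list; it does not remove it.
allows_3des() {
    ciphers=$(printf '%s\n' "$1" | directive SSLCipherSuite)
    case ":$ciphers:" in *:!3DES:*) return 1 ;; esac
    case ":$ciphers:" in
        *3DES*|*DEFAULT*|*ALL*|*HIGH*|*MEDIUM*) return 0 ;;
    esac
    return 1
}

# Writes one warning per finding to stderr and prints the finding count to stdout.
count_findings() {
    n=0
    if allows_sslv3 "$1"; then
        echo "WARN: SSLv3 enabled; add -SSLv3 to SSLProtocol" >&2
        n=$((n + 1))
    fi
    if allows_3des "$1"; then
        echo "WARN: 3DES negotiable; add !3DES to SSLCipherSuite" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Stand-alone usage: audit a real file with "sh audit_ssl.sh /etc/httpd/conf.d/ssl.conf",
# or the two inline samples when run without arguments.
if [ $# -gt 0 ]; then
    echo "findings in $1: $(count_findings "$(cat "$1")")"
elif [ "${AUDIT_DEMO:-1}" = 1 ] && [ -z "${SOURCED:-}" ]; then
    echo "page config findings: $(count_findings "$SAMPLE_CONF")"
    echo "hardened config findings: $(count_findings "$HARDENED_CONF")"
fi
```

The awk-based directive lookup takes the first occurrence, which is also what matters inside a single VirtualHost block; a full audit would run it per VirtualHost. After editing ssl.conf, "apachectl configtest" followed by a restart applies the change, and "openssl s_client -connect host:443 -ssl3" against the server confirms that SSLv3 is actually refused.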

References

