Installing a self-signed certificate
I followed http://centossrv.com/apache-ssl.shtml for this.
Honestly it is almost a straight copy, but I am writing it down as a record.
Prerequisites
CentOS release 5.5 (Final)
Apache already installed with "yum install httpd"
Steps
- Check whether mod_ssl is installed
# yum list installed | grep ssl
openssl.i686       0.9.8e-12.el5_4.6    installed
openssl-devel.i386 0.9.8e-12.el5_4.6    installed
- Install mod_ssl
# yum -y install mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * addons: ftp.yz.yamagata-u.ac.jp
 * base: ftp.yz.yamagata-u.ac.jp
 * extras: ftp.yz.yamagata-u.ac.jp
 * updates: ftp.iij.ad.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-43.el5.centos.3 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                       Repository     Size
================================================================================
Installing:
 mod_ssl          i386       1:2.2.3-43.el5.centos.3       updates        91 k
Installing for dependencies:
 distcache        i386       1.4.5-14.1                    base          119 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 210 k
Downloading Packages:
(1/2): mod_ssl-2.2.3-43.el5.centos.3.i386.rpm            |  91 kB     00:00
(2/2): distcache-1.4.5-14.1.i386.rpm                     | 119 kB     00:00
--------------------------------------------------------------------------------
Total                                           227 kB/s | 210 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : distcache                                                1/2
  Installing     : mod_ssl                                                  2/2

Installed:
  mod_ssl.i386 1:2.2.3-43.el5.centos.3

Dependency Installed:
  distcache.i386 0:1.4.5-14.1

Complete!
# cd /etc/pki/tls/certs/
- Change the server certificate validity from 1 year to 30 years
# sed -i 's/365/10950/g' Makefile
# make server.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
..................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase:<enter a passphrase>
Verifying - Enter pass phrase:<enter the same passphrase again>
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -x509 -days 1095000 -out server.crt -set_serial 0
Enter pass phrase for server.key:<enter the same passphrase again>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:<JP>
State or Province Name (full name) [Berkshire]:<Tokyo>
Locality Name (eg, city) [Newbury]:<Hoge>
Organization Name (eg, company) [My Company Ltd]:<hoge.co.jp>
Organizational Unit Name (eg, section) []:<leave blank>
Common Name (eg, your name or your server's hostname) []:<webmail.hoge.co.jp>
Email Address []:<webmaster@hoge.co.jp>
- Remove the passphrase from the server private key
※ The passphrase is removed so that the web server does not prompt for it at startup
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:<enter the same passphrase again>
writing RSA key
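As an added example (my own, not from the original post or the centossrv.com page it follows), here is the same key-and-certificate step done non-interactively, together with the checks I would run before pointing ssl.conf at the files. It differs from the Makefile route above in three ways: the key is written unencrypted from the start (-nodes), so the separate "strip the passphrase" step is not needed; the key is 2048-bit RSA rather than 1024; and the certificate carries a subjectAltName, which current browsers require in addition to the CN. The hostname, subject fields, the 825-day validity and the temp directory are constructed values for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or centossrv.com): non-interactive
# self-signed key and certificate generation plus the checks worth running
# before ssl.conf points at the files. Hostname, subject and validity are
# constructed values for the demo.

# gen_selfsigned DIR HOSTNAME DAYS -> writes DIR/server.key (0600, unencrypted)
# and DIR/server.crt (0644) with HOSTNAME in both CN and subjectAltName.
gen_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # Minimal config so the certificate carries a SAN; CN alone is ignored by
    # current browsers. Using -config keeps this working on old OpenSSL too.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_srv
prompt             = no
[dn]
C  = JP
ST = Tokyo
O  = hoge.co.jp
CN = $host
[v3_srv]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes writes the key unencrypted from the start, so the post's separate
    # "openssl rsa -in server.key -out server.key" step is not needed; umask 077
    # keeps it readable by its owner only. 2048-bit RSA is the current minimum.
    (umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$days" -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null) || return 1
    chmod 644 "$dir/server.crt"
}

# key_matches_cert DIR -> 0 if the certificate's public key is the one derived
# from server.key (a wrong key file fails here instead of at Apache restart).
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_unencrypted DIR -> 0 if server.key has no passphrase (Apache starts unattended)
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1/server.key"
}

# key_perms_ok DIR -> 0 if server.key grants nothing to group or others
key_perms_ok() {
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ]
}

# cert_has_san DIR HOSTNAME -> 0 if the SAN extension lists HOSTNAME
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# cert_outlives_days DIR DAYS -> 0 if server.crt is still valid DAYS days from now
cert_outlives_days() {
    openssl x509 -in "$1/server.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demo in a temp dir; on a real host DIR would be /etc/pki/tls/certs.
d=$(mktemp -d)
gen_selfsigned "$d" webmail.hoge.co.jp 825
for chk in key_matches_cert key_is_unencrypted key_perms_ok; do
    $chk "$d" && echo "$chk: ok" || echo "$chk: FAILED"
done
cert_has_san "$d" webmail.hoge.co.jp && echo "cert_has_san: ok" || echo "cert_has_san: FAILED"
openssl x509 -in "$d/server.crt" -noout -subject -enddate
rm -rf "$d"
```

Run it as a plain sh script; it prints the result of each check and the subject and expiry of the generated certificate. On the real box you would call gen_selfsigned with /etc/pki/tls/certs instead of the temp directory, and the SSLCertificateFile and SSLCertificateKeyFile lines from the post then point at the result unchanged. The validity is deliberately short compared with the 30 years set above: a certificate that never expires is a key that never gets rotated.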
- Edit the Apache SSL configuration file
# vi /etc/httpd/conf.d/ssl.conf
- Specify the server certificate
SSLCertificateFile /etc/pki/tls/certs/server.crt
- Specify the server private key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
- Remove the "#" (uncomment the line)
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
↓
DocumentRoot "/var/www/html"
- Restart Apache
I got an error:
#/etc/rc.d/init.d/httpd restart
[Fri Nov 05 09:28:12 20??] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
Because it is accessed via the local IP from inside the company and via the global IP from outside, I added the following:
# vi /etc/httpd/conf.d/ssl.conf
<VirtualHost *>
    DocumentRoot "/var/www/html/host"
    ServerName host.hoge.co.jp:443
</VirtualHost>
Done.
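The "mixing * ports and non-* ports" message above comes from Apache finding both a port-less VirtualHost address (a bare * or _default_) and a port-qualified one (_default_:443, *:80) while NameVirtualHost is in use. As an added example (my own, not from the post), this small shell check pulls every VirtualHost and NameVirtualHost address out of the given config files and reports when the two kinds coexist, so the combination can be sorted out before the restart rather than read off the error log afterwards. The sample config files it builds are constructed for the demo; IPv6 literals, which also contain colons, are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): detect the VirtualHost address
# combination that Apache 2.2 reports as "mixing * ports and non-* ports with a
# NameVirtualHost address". Sample config files are constructed for the demo.

# vhost_addrs FILE... -> one address per line from every <VirtualHost ...>
# opening tag and every NameVirtualHost directive in the given files.
vhost_addrs() {
    sed -n \
        -e 's/^[[:space:]]*<VirtualHost[[:space:]][[:space:]]*\([^>]*\)>.*/\1/p' \
        -e 's/^[[:space:]]*NameVirtualHost[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$@"
}

# vhost_port_mix FILE... -> prints both counts; returns 1 when port-less
# addresses (* or _default_ with no :port) coexist with port-qualified ones
# (*:80, _default_:443), which is the combination behind the vhost.c error.
vhost_port_mix() {
    addrs=$(vhost_addrs "$@")
    # grep -c exits 1 on a zero count, so keep the "0" with || true
    with_port=$(printf '%s\n' "$addrs" | grep -c ':[0-9][0-9]*[[:space:]]*$' || true)
    no_port=$(printf '%s\n' "$addrs" | grep -v ':' | grep -c '.' || true)
    printf 'port-qualified=%s port-less=%s\n' "$with_port" "$no_port"
    [ "$with_port" -eq 0 ] || [ "$no_port" -eq 0 ]
}

# write_samples DIR -> constructed config files: httpd.conf + ssl.conf reproduce
# the mix from the post, httpd-fixed.conf + ssl.conf have every address port-qualified.
write_samples() {
    cat > "$1/httpd.conf" <<'EOF'
NameVirtualHost *
<VirtualHost *>
    ServerName www.hoge.co.jp
    DocumentRoot "/var/www/html"
</VirtualHost>
EOF
    cat > "$1/ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    SSLEngine on
</VirtualHost>
EOF
    cat > "$1/httpd-fixed.conf" <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.hoge.co.jp
    DocumentRoot "/var/www/html"
</VirtualHost>
EOF
}

# Stand-alone demo: check both constructed pairs and print a verdict for each.
d=$(mktemp -d)
write_samples "$d"
for h in httpd.conf httpd-fixed.conf; do
    if vhost_port_mix "$d/$h" "$d/ssl.conf"; then
        echo "$h + ssl.conf: ok"
    else
        echo "$h + ssl.conf: port-less and port-qualified addresses mixed, expect the vhost.c error"
    fi
done
rm -rf "$d"
```

On a CentOS 5 box the call would be vhost_port_mix /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf; a non-zero exit means the addresses need to be made consistent (all with a port, or all without) before httpd restart is worth trying.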