【WEBサーバ】Apache2SSL導入

  • 秘密鍵作成

    cd /etc/pki/tls/certs
    openssl genrsa -aes256 1024 > server.key
    
    Generating RSA private key, 1024 bit long modulus
    ......................++++++
    ............++++++
    e is 65537 (0x10001)
    Enter pass phrase:パスワード入力
    Verifying - Enter pass phrase:パスワード再入力
    
  • 公開鍵作成

    openssl req -new -key server.key > server.csr
    
    Enter pass phrase for server.key:パスワード入力
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    略
    Country Name (2 letter code) [XX]:JP
    State or Province Name (full name) []:Tokyo
    Locality Name (eg, city) [Default City]:Akihabara
    Organization Name (eg, company) [Default Company Ltd]:OreOreCA
    Organizational Unit Name (eg, section) []:z-area
    Common Name (eg, your name or your server's hostname) []:z-area.net
    Email Address []:空欄
    A challenge password []:空欄
    An optional company name []:空欄
    
  • 証明書作成

    openssl x509 -in server.csr -days 36500 -req -signkey server.key > server.crt
    
    Signature ok
    subject=/C=JP/ST=Tokyo/L=Akihabara/O=OreOreCA/OU=z-area/CN=z-area.net
    Getting Private key
    Enter pass phrase for server.key:パスワード入力
    
  • 秘密鍵パスワード解除
    現状のままだとApache2の再起動のたびにパスワードを求められるので、
    秘密鍵のパスワードを解除しておきます。

    mv server.key server.key.org
    openssl rsa -in server.key.org > server.key
    
    Enter pass phrase for server.key.org:パスワード入力
    writing RSA key
    
  • Apache2のSSL導入

    yum install mod_ssl
    
  • Apache2のSSL設定

    cp -pi /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
    vi /etc/httpd/conf.d/ssl.conf
    
    下記内容に変更
    #DocumentRoot "/var/www/html"
    ↓
    DocumentRoot "/var/www/html"
    
    #ServerName www.example.com:443
    ↓
    ServerName z-area.net:443
    
    
    ErrorLog logs/ssl_error_log
    ↓
    ErrorLog /var/log/httpd/ssl_error_log
    
    TransferLog logs/ssl_access_log
    ↓
    #TransferLog logs/ssl_access_log
    
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ↓
    CustomLog /var/log/httpd/ssl_access_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    
    # POODLE SSLv3.0 脆弱性問題対処
    SSLProtocol all -SSLv2
    ↓
    SSLProtocol all -SSLv2 -SSLv3
    
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    ↓
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    ↓
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    
  • Apache2SSLの動作確認

    echo '<h1>It works!</h1>' > /var/www/html/index.html
    /etc/rc.d/init.d/iptables stop
    /etc/rc.d/init.d/httpd restart
    

    https://192.168.XXX.YYY/

    証明書の確認が表示された後、「It works!」が表示されれば正常です。

    /etc/rc.d/init.d/iptables start
    rm -f /var/www/html/index.html