-
Create the private key
cd /etc/pki/tls/certs
openssl genrsa -aes256 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase: (enter a passphrase)
Verifying - Enter pass phrase: (enter it again)
Use at least 2048 bits. 1024-bit RSA is no longer considered safe, and current TLS stacks and browsers refuse such keys, so a server with one would not be reachable at all.
-
Create the certificate signing request (CSR)
openssl req -new -key server.key > server.csr
Enter pass phrase for server.key: (enter the passphrase)
You are about to be asked to enter information that will be incorporated into your certificate request.
(omitted)
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Akihabara
Organization Name (eg, company) [Default Company Ltd]:OreOreCA
Organizational Unit Name (eg, section) []:z-aws
Common Name (eg, your name or your server's hostname) []:z-aws.net
Email Address []:(leave blank)
A challenge password []:(leave blank)
An optional company name []:(leave blank)
This step produces a CSR (the public key plus the identity above, signed with the private key); it does not write a separate public key file. Set the Common Name to the hostname clients will connect with. Note that current browsers match the hostname against the subjectAltName extension rather than the Common Name, and openssl req does not add that extension without extra configuration.
-
Create the certificate
openssl x509 -in server.csr -days 36500 -req -signkey server.key > server.crt
Enter pass phrase for server.key: (enter the passphrase)
This signs the CSR with its own key, producing a self-signed certificate. 36500 days is 100 years; nothing stops a self-signed certificate being that long-lived, but a shorter validity (for example 365 days) limits the exposure if the key is ever leaked. On OpenSSL releases before 1.1.0 also pass -sha256, because the default signature digest there was SHA-1, which browsers now reject.
-
Remove the passphrase from the private key
As it stands, httpd prompts for the passphrase on every restart,
so remove it from the private key.
mv server.key server.key.org
openssl rsa -in server.key.org > server.key
Enter pass phrase for server.key.org: (enter the passphrase)
writing RSA key
Once the passphrase is gone, file permissions are the only thing protecting the key: make server.key readable by root alone (mode 0600), and treat the still-encrypted server.key.org the same way or delete it. The distribution's convention is to keep private keys under /etc/pki/tls/private, which is not world-readable, rather than in certs.
-
Install SSL support for Apache (mod_ssl)
yum install mod_ssl
-
Configure SSL in Apache
cp -pi /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
vi /etc/httpd/conf.d/ssl.conf
Make the following changes (original line, then the replacement):

#DocumentRoot "/var/www/html"
↓
DocumentRoot "/var/www/html"

ErrorLog logs/ssl_error_log
↓
ErrorLog /var/log/httpd/ssl_error_log

TransferLog logs/ssl_access_log
↓
#TransferLog logs/ssl_access_log

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
↓
CustomLog /var/log/httpd/ssl_access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Mitigate POODLE (SSLv3 vulnerability)
SSLProtocol all -SSLv2
↓
SSLProtocol all -SSLv2 -SSLv3

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
↓
SSLCertificateFile /etc/pki/tls/certs/server.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
↓
SSLCertificateKeyFile /etc/pki/tls/certs/server.key

The SSLProtocol change is what closes POODLE: with "all", mod_ssl would still negotiate SSLv3 with any client that asks for it. TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996); if the installed mod_ssl supports TLS 1.2, exclude them in the same way. The SSLCertificateKeyFile path must point at the passphrase-free server.key created above, otherwise httpd will prompt (or fail to start) at every restart.
-
Check that SSL works in Apache
In the AWS console, open Security Groups > Inbound and allow the following:
Protocol: TCP, Port: 443
echo '<h1>It works!</h1>' > /var/www/html/index.html
/etc/rc.d/init.d/httpd restart
https://xxx.xxx.xxx.xxx/
If "It works!" appears after you accept the certificate warning, the setup is working. The warning is expected: the certificate is self-signed, so no browser trusts it, and its name (z-aws.net) does not match the IP address you connected to. Remove the test page afterwards:
rm -f /var/www/html/index.html
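The whole key, CSR and certificate procedure above, done non-interactively so it can be scripted, together with the checks a practitioner runs before restarting httpd: that the key and certificate belong together, that the certificate carries a subjectAltName (which is what browsers actually match the hostname against), that it verifies as self-signed, and that an ssl.conf SSLProtocol line really excludes SSLv2 and SSLv3 as the POODLE change intends. This is an added example, not code from the original post. Assumptions that are not in the original: files are written to $WORKDIR (a temporary directory by default, not /etc/pki/tls/certs), the hostname z-aws.net is taken from the CSR answers above, the key is 2048-bit RSA generated without a passphrase (so the separate "remove the passphrase" step is unnecessary), the certificate is SHA-256 signed for 365 days, and the ssl.conf fragments checked at the end are constructed inline from the before and after lines in the configuration section.

```shell
#!/bin/sh
# Added example (not the original post's code): the key -> CSR -> self-signed
# certificate steps done non-interactively, plus sanity checks, plus a check of
# the SSLProtocol directive in a mod_ssl config fragment.
# Assumptions not in the original: $WORKDIR instead of /etc/pki/tls/certs,
# 2048-bit RSA, no passphrase, SHA-256, 365 days, hostname z-aws.net with a SAN.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST_CN="z-aws.net"

# Generate private key, CSR and self-signed certificate in $1 for hostname $2.
make_self_signed() {
    dir="$1"; host="$2"
    # No -aes256: the key has no passphrase, so httpd restarts unattended.
    # The compensating control is owner-only permission on the key file.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # -subj supplies the answers to the interactive CSR questions.
    openssl req -new -key "$dir/server.key" \
        -subj "/C=JP/ST=Tokyo/L=Akihabara/O=OreOreCA/OU=z-aws/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    # Browsers match the hostname against subjectAltName, not the CN, and
    # openssl req does not add one by itself, so supply it at signing time.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}

# SSLCertificateFile and SSLCertificateKeyFile must belong together:
# compare the RSA modulus of each (a mismatch makes httpd refuse to start).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# Does the certificate in $1 carry DNS:$2 in its subjectAltName?
cert_has_san() {
    openssl x509 -noout -text -in "$1/server.crt" | grep -q "DNS:$2"
}

# A self-signed certificate verifies only with itself as the trust anchor.
# The browser has no such anchor, which is exactly why it shows a warning.
cert_is_self_signed() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# Inspect the effective (last, uncommented) SSLProtocol line of the mod_ssl
# config file $1: succeed only if neither SSLv2 nor SSLv3 can be negotiated.
ssl_protocol_ok() {
    line=$(grep -i '^[[:space:]]*SSLProtocol' "$1" | tail -n 1)
    [ -n "$line" ] || return 1            # no directive: cannot confirm, treat as unsafe
    for proto in SSLv2 SSLv3; do
        case "$line" in
            *-$proto*) ;;                 # explicitly excluded, fine
            *all*|*$proto*) return 1 ;;   # "all" includes it, or it is listed
        esac
    done
    return 0
}

main() {
    make_self_signed "$WORKDIR" "$HOST_CN"
    key_matches_cert "$WORKDIR"        && echo "key and certificate match"
    cert_has_san "$WORKDIR" "$HOST_CN" && echo "SAN present: DNS:$HOST_CN"
    cert_is_self_signed "$WORKDIR"     && echo "self-signature verifies"
    # Constructed fragments: the before and after lines of the POODLE change.
    printf 'SSLProtocol all -SSLv2\n'        > "$WORKDIR/ssl.conf.before"
    printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$WORKDIR/ssl.conf.after"
    ssl_protocol_ok "$WORKDIR/ssl.conf.before" || echo "before: SSLv3 still enabled"
    ssl_protocol_ok "$WORKDIR/ssl.conf.after"  && echo "after: SSLv2 and SSLv3 disabled"
}
main
```

Run it as-is to exercise the flow in a scratch directory, or set WORKDIR=/etc/pki/tls/certs to produce server.key and server.crt where the configuration above expects them; ssl_protocol_ok can be pointed at the real /etc/httpd/conf.d/ssl.conf after editing it.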