VineLinux3.x/Apache2.2/Configuration for using SSL

Last-modified: 2008-11-08 (Sat) 11:29:59

Overview

Configuration for performing SSL (Secure Socket Layer: encrypted communication).

In Apache 2.2 the configuration is split into separate files, which are pulled in from httpd.conf with Include directives.

Configuration steps

Creating the server private key (server.key)

# mkdir /usr/local/apache2/conf/certs
# cd /usr/local/apache2/conf/certs/

# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
..................++++++
e is 65537 (0x10001)

# ls
server.key

Creating the certificate signing request containing the server public key (server.csr)

# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Hyogo
Locality Name (eg, city) []:Akashi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:kayanomori.net
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, YOUR name) []:kayanomori.net
Email Address []:webmaster@kayanomori.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls
server.csr  server.key

Creating the self-signed server certificate (server.crt)

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=JP/ST=Hyogo/L=Akashi/O=kayanomori.net/OU=Admin/CN=kayanomori.net/emailAddress=webmaster@kayanomori.net
Getting Private key

# ls
server.crt  server.csr  server.key

Changing file permissions

# chmod 400 *
# ls -l
合計 12
-r--------    1 root     root          977 Aug 18 19:03 server.crt
-r--------    1 root     root          720 Aug 18 19:03 server.csr
-r--------    1 root     root          887 Aug 18 19:01 server.key

Editing httpd.conf

Remove the comment mark from the Include line so that httpd-ssl.conf is read.

# vi /usr/local/apache2/conf/httpd.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

Editing httpd-ssl.conf

Rewrite the settings to match your own environment.

# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "/home/httpd/html"
ServerName kayanomori.net:443
ServerAdmin webmaster@kayanomori.net


#   ciphers, etc.)
SSLCertificateFile /usr/local/apache2/conf/certs/server.crt
#SSLCertificateFile /usr/local/apache2/conf/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache2/conf/certs/server.key


<Directory "/home/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

Restarting Apache2

# /etc/rc.d/init.d/apache2 restart
httpdを停止中:                                             [  OK  ]
httpdを起動中:                                             [  OK  ]

Verifying operation

From a client, access the server via https://. If the security warning dialog shown below appears, it is working; the warning is expected because the certificate was signed with the server's own key rather than by a CA the browser trusts.

(screenshot: ssl.png)
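The key, CSR, self-signed certificate and permission steps above, as an added non-interactive script (not from the original page) that also runs the checks worth doing before restarting Apache: that the certificate's public key belongs to the private key Apache will load, that the certificate really is self-signed (the cause of the browser warning), and that the key file ended up owner-read-only. It assumes an `openssl` binary in PATH; the subject fields and CERT_DIR are constructed values, and it uses a 2048-bit key rather than the 1024-bit key shown above, since 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example, not the page's own commands. Assumes 'openssl' in PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"   # page used /usr/local/apache2/conf/certs
SUBJ="/C=JP/ST=Hyogo/L=Akashi/O=example.test/OU=Admin/CN=www.example.test"  # constructed

# Key, CSR and 365-day self-signed certificate, one call each (no prompts).
make_self_signed() {
    dir="$1"; subj="$2"
    umask 077   # files are owner-only from the moment they are created
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/server.key" "$dir/server.csr" "$dir/server.crt"   # page's chmod 400 step
}

# Check 1: SSLCertificateFile and SSLCertificateKeyFile must be a matching pair,
# otherwise httpd refuses to start. The RSA modulus is identical for both.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1/server.key")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    [ "$k" = "$c" ]
}

# Check 2: a self-signed certificate has identical subject and issuer; this is
# exactly what makes the client show the security warning described above.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1/server.crt")
    i=$(openssl x509 -noout -issuer  -in "$1/server.crt")
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Check 3: the private key must be readable by its owner only (mode 400).
key_is_private() {
    mode=$(stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key")
    [ "$mode" = "400" ]
}

make_self_signed "$CERT_DIR" "$SUBJ"
key_matches_cert "$CERT_DIR" && is_self_signed "$CERT_DIR" && key_is_private "$CERT_DIR" \
    && echo "OK: $CERT_DIR/server.crt and server.key are ready for httpd-ssl.conf"
```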
