Vine Linux に SSL接続を導入

認証局の構築

通常は第三者機関に認証してもらうが、有料なので自分で認証局をつくり、自分を認証する

mod_sslのインストール

[root@server root]# apt-get install mod_ssl-apache2
パッケージリストを読みこんでいます... 完了
依存情報ツリーを作成しています... 完了
＊ mod_ssl-apache2 は既に最新バージョンがインストールされています。
アップグレード: 0 個, 新規インストール: 0 個, 削除: 0 個, 保留: 29 個
[root@server root]#

秘密鍵と証明書の作成

[root@server root]# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
.............................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:****************
Verifying - Enter PEM pass phrase:****************
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kumamoto
Locality Name (eg, city) []:Kumamoto city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:server's Laboratory
Organizational Unit Name (eg, section) []:Technology department
Common Name (eg, YOUR name) []:server.mydns.jp
Email Address []:owner@server.mydns.jp
[root@server root]# ls
Desktop/ backup.sh* demoCA/ rpm/ upgrade-log
Xrootenv.0 backup.sh~ install.log server.csr www.req
anaconda-ks.cfg backuplist install.log.syslog server.key
backup.list backupnolist mbox serverca.crt
[root@server root]# cd demoCA
[root@server demoCA]# ls -l
合計 24
-rw-r--r-- 1 root root 1468 3月 7日 13:22 cacert.pem　←自己署名型証明書
drwxr-xr-x 2 root root 4096 3月 7日 13:18 certs/
drwxr-xr-x 2 root root 4096 3月 7日 13:18 crl/
-rw-r--r-- 1 root root 0 3月 7日 13:18 index.txt
drwxr-xr-x 2 root root 4096 3月 7日 13:18 newcerts/
drwxr-xr-x 2 root root 4096 3月 7日 13:18 private/
-rw-r--r-- 1 root root 3 3月 7日 13:18 serial
[root@server demoCA]# ls -l private
合計 4
-rw-r--r-- 1 root root 963 3月 7日 13:22 cakey.pem　←秘密鍵

アクセス制限で保護

[root@server demoCA]# chmod 600 ./private/cakey.pem
[root@server demoCA]# chmod 700 ./private

証明書の確認

[root@server demoCA]# openssl x509 -in cacert.pem -text

ＳＳＬサーバの構築

サーバ秘密鍵の作成

[root@server demoCA]# cd
[root@server root]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
........................++++++
e is 65537 (0x10001)
[root@server root]# ls -l server.key
-rw-r--r-- 1 root root 887 3月 7日 13:34 server.key

証明書署名要求（ＣＳＲ）の作成

[root@server root]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kumamoto
Locality Name (eg, city) []:Kumamoto city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:server's Laboratory
Organizational Unit Name (eg, section) []:Technology department
Common Name (eg, YOUR name) []:server.mydns.jp
Email Address []:owner@server.mydns.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server root]# ls -l server.*
-rw-r--r-- 1 root root 757 3月 7日 13:50 server.csr　←証明書署名要求（ＣＳＲ）
-rw-r--r-- 1 root root 887 3月 7日 13:34 server.key
[root@server root]#

証明書に自己署名
実際は第三者証明機関にＣＳＲを送って署名してもらう

[root@server root]# openssl ca -out serverca.crt -infiles server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 7 05:04:18 2009 GMT
Not After : Mar 7 05:04:18 2010 GMT
Subject:
countryName = JP
stateOrProvinceName = Kumamoto
organizationName = server's Laboratory
organizationalUnitName = Technology department
commonName = server.mydns.jp
emailAddress = owner@server.mydns.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
92:2D:E5:47:42:76:E2:B6:31:7C:3D:43:4F:03:08:B1:A0:1E:F2:F6
X509v3 Authority Key Identifier:
keyid:5F:E1:7A:66:65:3D:EB:7B:A9:4E:4F:F3:B4:A0:69:E6:C1:18:DD:99
DirName:/C=JP/ST=Kumamoto/L=Kumamoto city/O=server's Laboratory/OU=Technology department/CN=server.mydns.jp/emailAddress=owner@server.mydns.jp
serial:DF:6A:E3:03:D7:08:84:6A

Certificate is to be certified until Mar 7 05:04:18 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server root]# ls -l server*.*
-rw-r--r-- 1 root root 761 3月 7日 14:03 server.csr
-rw-r--r-- 1 root root 887 3月 7日 13:34 server.key
-rw-r--r-- 1 root root 3922 3月 7日 14:04 serverca.crt　←サーバの証明書
[root@server root]# chmod 400 server*.*
[root@server root]# ls -l
合計 8
-r-------- 1 root root 887 3月 7日 13:34 server.key
-rw------- 1 root root 3922 3月 7日 14:04 serverca.crt
[root@server ssl]#

サーバ証明書を規定の場所に移動する

[root@server root]# mkdir /etc/apache2/conf/ssl
[root@server root]# mv server.key /etc/apache2/conf/ssl.key/
[root@server root]# mv serverca.crt /etc/apache2/conf/ssl.crt/seerver.crt
[root@server root]#

apache2を再起動

[root@server conf]# service apache2 restart
httpdを停止中:                                             [  OK  ]
httpdを起動中:                                             [  OK  ]
[root@server conf]# netstat -a | grep http*
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:https *:* LISTEN
[root@server conf]#

ブロードバンドルータのNAT指定とファイアウォールの設定。
テストはhttps://server.mydns.jp:443/にアクセス。

設定してページが表示できた。証明書も表示できた。期限も正しく設定されている。
これでいいっかな。(^-^;