====== 02 Apache2で自己認証ssl ======
===== mod_ssl インストール =====
yum install mod_ssl
===== サーバ秘密鍵・証明書の作成 =====
# cd /etc/pki/tls/certs/
# sed -i 's/365/3650/g' Makefile
※ Makefile 内の 365（日）をすべて 3650 に書き換え、サーバー用証明書の有効期限を1年から10年に変更する
# make server.crt
===== 秘密鍵作成 =====
# openssl genrsa -des3 2048 > ./ssl.key/ssl.globalsign.com.key
===== 秘密鍵のパスフレーズを外す（暗号化を解除する） =====
# openssl rsa -in server.key -out server.key
==== 応答ファイルを作る方法（パスフレーズを外さず、httpd 起動時にスクリプトで自動応答させる方法） ====
=== 応答ファイル作成 ===
# vi /etc/ssl/certs/pass_phrase.sh
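#!/bin/sh
# Helper invoked by Apache via "SSLPassPhraseDialog exec:" — must write the
# server key's passphrase as a single line on stdout and nothing else.
# The passphrase is stored here in plain text, so keep this file readable by
# its owner only (see the chmod step in the surrounding page).
# printf instead of echo: echo's handling of a leading "-n"/"-e" or of
# backslashes is shell-dependent and could corrupt the passphrase.
printf '%s\n' "your passphrase"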
=== 権限変更（スクリプトに平文のパスフレーズが入るため、所有者以外が読めないようにする） ===
# chmod 500 /etc/ssl/certs/pass_phrase.sh
=== 設定ファイルに追加 ===
# vi /etc/httpd/conf.d/ssl.conf
SSLPassPhraseDialog exec:/etc/ssl/certs/pass_phrase.sh
===== csr作成 =====
# openssl req -new -key server.key -out server.csr
===== 自己証明書作成 =====
# openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt
===== 証明書と秘密鍵から、CSRを再生成 =====
# openssl x509 -x509toreq -in 証明書 -signkey 鍵ファイル -out 署名要求
# openssl x509 -x509toreq -in server.pem -signkey server.key -out server.csr
===== 秘密鍵と証明書がマッチしているかどうかの確認 =====
以下の2つのコマンドで出力される公開鍵が一致すれば、秘密鍵と証明書は対応している。
openssl rsa -in [秘密鍵] -pubout
openssl x509 -in [証明書] -pubkey
# openssl rsa -in /etc/pki/tls/certs/server.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/smbmb0cX7DLKTTtDrbAEcORd
RKwFLXB4kysLD5M8rdZ7mrKatJxkJy0G1zTaGGgRRn4vnK9gpAiG1st8JLEtV3H3
8RWbS14che8EmuKNn4U5pf6M67d68V9eMsBKFAERTWHGihoVGQ04rflzoaegdjQA
5dmU5eL0l8ktANsZ5QIDAQAB
-----END PUBLIC KEY-----
# openssl x509 -in /etc/pki/tls/certs/server.crt -pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/smbmb0cX7DLKTTtDrbAEcORd
RKwFLXB4kysLD5M8rdZ7mrKatJxkJy0G1zTaGGgRRn4vnK9gpAiG1st8JLEtV3H3
8RWbS14che8EmuKNn4U5pf6M67d68V9eMsBKFAERTWHGihoVGQ04rflzoaegdjQA
5dmU5eL0l8ktANsZ5QIDAQAB
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
===== CSR確認方法 =====
# openssl req -in fl8.jp.csr -text
===== 秘密鍵の内容を確認 =====
# openssl rsa -in fl8.jp.key -text
===== 証明書の内容を確認 =====
# openssl x509 -in fl8.jp.crt -text
===== pkcs8に変換 =====
※ 下記の gendsa は DSA 鍵を生成するコマンドであり、既存鍵の PKCS#8 形式への変換そのものではない（変換は openssl pkcs8 -topk8 を使う）。
openssl gendsa -out pkcs8_proxyhostip.com.key proxyhostip.com.key
===== 中間証明書の整合性確認 =====
サーバ証明書の issuer_hash と中間証明書の subject_hash が一致していれば、その中間証明書がサーバ証明書の発行者であり、チェーンが正しくつながっている。
$ openssl x509 -issuer_hash -noout -in [サーバ証明書].crt
8d28ae65
$ openssl x509 -subject_hash -noout -in [中間証明書].crt
8d28ae65
中間証明書が正しく反映されているかの確認方法は以下を参照
[[01_linux:02_www:03_sslcertificatechainfile]]
{{tag>openssl}}