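Continued from "Building an Internet-facing web server on Red Hat Linux ES4 (3)"
10. Configuring the SSL Server ID
For the SSL certificate, I chose Verisign as the certificate authority.
(1) Generate the CSR
In a GNOME Terminal: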
# cd /etc/httpd/conf
# openssl genrsa -rand rand.dat -des3 1024 > /etc/httpd/conf/ssl.key/Serverkey.pem
361 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase:password
Verifying - Enter pass phrase: password
# openssl req -new -key /etc/httpd/conf/ssl.key/Serverkey.pem -out /etc/httpd/conf/ssl.csr/Servercsr.pem
Enter pass phrase for /etc/httpd/conf/ssl.key/Serverkey.pem: password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Aichi
Locality Name (eg, city) [Newbury]:Nagoya City
Organization Name (eg, company) [My Company Ltd]:THE ABC,LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.abc.co.jp
Email Address []:webmaster@abc.co.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
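As it stands, Apache asks for the passphrase every time it starts, so remove the passphrase from the key. The command below overwrites Serverkey.pem with an unencrypted copy of the private key, so the file should be readable only by root.
# openssl rsa -in /etc/httpd/conf/ssl.key/Serverkey.pem -out /etc/httpd/conf/ssl.key/Serverkey.pem
Enter pass phrase for /etc/httpd/conf/ssl.key/Serverkey.pem:password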
writing RSA key
Send the generated Servercsr.pem to Verisign.
Reference URL: http://www.verisign.co.jp/server/reg_exp/index.html
(2) Save the certificate returned by Verisign as the file /etc/httpd/conf/ssl.crt/Servercrt.pem.
(3) Edit /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl.crt/Servercrt.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/Serverkey.pem
# Global ID only: the intermediate CA certificate is also required
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/inca.pem
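
Once the passphrase has been removed, file permissions are the only protection left on Serverkey.pem. The script below is an added example, not part of the original post: it reports whether a key file is still passphrase-encrypted and whether group or other users can access it. The function names are hypothetical and the check relies only on the PEM header lines.

```shell
#!/bin/sh
# Added example: audit an Apache private key after the passphrase-removal step.
# Function names are illustrative; pass the key path(s) as arguments, e.g.
#   sh audit_key.sh /etc/httpd/conf/ssl.key/Serverkey.pem

# key_state FILE: print encrypted | plaintext | not-a-key | missing
# ("missing" also covers a file the current user cannot read)
key_state() {
    [ -r "$1" ] || { echo missing; return; }
    # "genrsa -des3" writes a traditional PEM with a Proc-Type header;
    # PKCS#8 encrypted keys use their own BEGIN line.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -q -e '^-----BEGIN RSA PRIVATE KEY-----' \
                 -e '^-----BEGIN EC PRIVATE KEY-----' \
                 -e '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo not-a-key
    fi
}

# key_perms FILE: print the group/other permission bits, e.g. "------"
key_perms() {
    ls -ldL "$1" | cut -c5-10
}

# audit_key FILE: print a finding; return 0 if acceptable, 1 otherwise
audit_key() {
    state=$(key_state "$1")
    case $state in
        missing|not-a-key) echo "FAIL $1: $state"; return 1 ;;
    esac
    perms=$(key_perms "$1")
    if [ "$perms" != "------" ]; then
        echo "FAIL $1: $state key is accessible to group/other ($perms)"
        return 1
    fi
    echo "OK   $1: $state key, owner-only permissions"
}

# Audit every path given on the command line.
for f in "$@"; do
    audit_key "$f" || true
done
```

A FAIL on the permission check is cleared with chmod 600 on the key file.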