
SSL証明書適用 Apache2.2系 CentOS6

 

秘密鍵の作成

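# cd /etc/httpd/conf/ssl

## The key file below is created by a shell redirection, so it inherits the
## shell umask. The default 022 would leave the private key world-readable;
## restrict it before generating anything in this directory.
# umask 077

## Optional RNG seed (genrsa already reads /dev/urandom on Linux). Note this
## hashes every file in the directory, including any other keys stored here.
# openssl md5 * > rand.dat

## 2048-bit RSA key, encrypted with 3DES under the passphrase typed below.
## The passphrase is removed again in the next step so httpd can start
## unattended.
# openssl genrsa -rand rand.dat -des3 2048 > 20170328-sslexample.com_r1.key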


441 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase:sslexample0511←入力（入力内容は画面には表示されません）
Verifying - Enter pass phrase:sslexample0511←1回目と同じものを入力（異なると Verify failure で失敗します）

 

パスフレーズを秘密鍵から除去

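## Rewrite the key without the passphrase (in place). Apache's
## SSLPassPhraseDialog builtin would otherwise block at start-up waiting for
## the passphrase on the console (see the ENCRYPTED check at the end).
# openssl rsa -in 20170328-sslexample.com_r1.key -out 20170328-sslexample.com_r1.key

## From here on, file permissions are the only thing protecting the key:
## it must be owned by root and readable by root only.
# chmod 600 20170328-sslexample.com_r1.key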

Enter pass phrase for 20170328-sslexample.com_r1.key:sslexample0511
writing RSA key

 

CSR発行

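## -sha256: sign the CSR with SHA-256 instead of the SHA-1 default of older
## openssl.cnf files. The CA signs the final certificate with its own digest
## regardless, but some CA portals may refuse SHA-1-signed requests.
## -utf8: treat the DN values typed at the prompts as UTF-8.
# openssl req -utf8 -new -sha256 -key 20170328-sslexample.com_r1.key -out 20170328-sslexample.com_r1.csr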

（注）元の記録ではここに「Generating RSA private key …」「Enter pass phrase:」という genrsa の出力が混ざっていましたが、これは openssl req の出力ではありません。openssl req を実行すると、下記の DN（Distinguished Name）入力プロンプトが表示されます。
[root@sslexample ssl]# openssl rsa -in 20170328-sslexample.com_r1.key -out 20170328-sslexample.com_r1.key
Enter pass phrase for 20170328-sslexample.com_r1.key:
writing RSA key
[root@sslexample ssl]# openssl req -utf8 -new -key 20170328-sslexample.com_r1.key -out 20170328-sslexample.com_r1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Nakano-ku
Organization Name (eg, company) [Default Company Ltd]:sslexample Co., Ltd.
Organizational Unit Name (eg, section) []:Management Department
Common Name (eg, your name or your server's hostname) []:www.sslexample.com
Email Address []:postmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

ここポイント

wwwありなしの証明書にしたい場合はwww.ドメインの形でCommon Nameを登録する必要があります（この記事の RapidSSL の場合、CN が www. で始まると www なしのドメインも SAN に含めて発行されます）。発行後は `openssl x509 -in 20170328-sslexample.com_r1.crt -noout -text | grep -A1 "Subject Alternative Name"` で sslexample.com と www.sslexample.com の両方が入っていることを確認してください。後述の Apache 設定は www なしの https://sslexample.com/ へリダイレクトしているので、www なしが証明書に含まれていないとブラウザで証明書エラーになります。

 

 

 

 

（以下はダミーです。秘密鍵の中身は絶対にメール・チャット・記事などに貼らないでください。漏れた場合は鍵を作り直して証明書を再発行する必要があります）

# cat 20170328-sslexample.com_r1.key

-----BEGIN RSA PRIVATE KEY-----
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Hp9xhraIFdH4jf6DQB4fmbUevjNIcjEEBSff+KQrdimpw8e7Qyh03d9pTsVT+aSG

(略)

Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA0DXk+MBqX5KakNH9QpOui0L1
0+PvPk6XLMaRXFSnxSeRkQNDZqfi9AVaPh6Tx+tS6O5aHRCdqBoI
-----END RSA PRIVATE KEY-----

 

 

SSLストアに送る前に、署名が正しいことと CN が意図どおりかを確認しておきます。

# openssl req -in 20170328-sslexample.com_r1.csr -noout -verify -subject
verify OK
subject=/C=JP/ST=Tokyo/L=Nakano-ku/O=sslexample Co., Ltd./OU=Management Department/CN=www.sslexample.com/emailAddress=postmaster@example.com

# cat 20170328-sslexample.com_r1.csr

-----BEGIN CERTIFICATE REQUEST-----
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU

(略)


Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
nB48oWGEYEyEX3glcCGSncEDPgH8VJ2flN522DVU9BMV3iRzkdDoew==
-----END CERTIFICATE REQUEST-----

 

 

 

SSLストアで証明書を購入

認証ファイル設置（ファイル認証）

※ 認証は http://（ドメイン）/.well-known/pki-validation/fileauth.txt を認証局側が外部から取得して行われます（www あり/なしは SSL ストアの指示に従ってください）。port 80 を HTTPS へリダイレクトする設定が既に入っている場合は取得に失敗することがあるので、設置後に `curl -I http://sslexample.com/.well-known/pki-validation/fileauth.txt` で 200 が返ることを確認してください。

# mkdir -p /home/web/corporate/public/.well-known/pki-validation

# vi /home/web/corporate/public/.well-known/pki-validation/fileauth.txt

20170327162007hdjf1mjazestesttesttest...testdayovrqzkc72nt4pos

 

証明書がメールで届く

 

 

# cd /etc/httpd/conf/ssl

# vi 20170328-sslexample.com_r1.crt

（メールで届いたサーバ証明書本体を貼り付けます。Apache 2.2 の SSLCertificateFile はファイル内の最初の証明書しか読まないため、この後に続けて貼ってある 2 つ目の証明書（RapidSSL SHA256 CA の中間証明書）はここでは無視されます。中間証明書は下の SSLCertificateChainFile 用のファイルに置いてください）

-----BEGIN CERTIFICATE-----
MIIFezCCBGOgAwIBAgIQWV+aVGjX0SzjMofvaAJdoDANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0hBMjU2IENhBMB4XDTE3MDMyNzAwMDAwMFoXDTE4MDMyNzIzNTk
OVowHjEcMBoGA1UEAwwTd3d3LnRlbmdhLWdyb3VwLmNvbTCCASIwDQYJKoZIhvcN

(略)

s84rMWnZt5s3kJFf+8xx34JpVYUNwX/o83o5ZTH2KqbVjqdyYe1VFnnkKjXWAsHY
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
nvO9UolglxvD7ipZ+u2SscuRyWx6oWIYm+r3Y8qPgcg/PG9d2Magr1CGiWVRsVgb
VHAmigFfd4m6NLiBdax4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMxMjExMjM0NTUxWhcNMjIwNTIwMjM0NTUxWjBCMQswCQYDVQQG
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU
Ws2sXFmMXa5GK/zFRwIttcsTOeP2gTEUWW0gmWwidutBDOrmgSvszorQn96zg6nV
02dWmg15ATTtVllFeJEeOwwpjEeUpu2CNume7CcTuDboB+Z2eL+4XaSGy3oquSUU

(略)
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-----END CERTIFICATE-----

 

 

 

 

中間証明書(三層目)

チェーンは「サーバ証明書 → RapidSSL SHA256 CA（中間） → GeoTrust Global CA（ルート）」の 3 階層で、Apache に置くのはサーバ証明書と中間証明書だけです（ルートはクライアント側が持っています）。

@see https://www.geotrust.co.jp/resources/rapidssl/repository/intermediate_sha2.html

# vi /etc/httpd/conf/ssl/20170328-sslexample.com_rapidssl.crt

設定に書く前に「秘密鍵と証明書が対応しているか」「中間証明書でチェーンがつながるか」を確認しておくと、起動失敗やブラウザの警告を未然に防げます。

# openssl x509 -noout -modulus -in 20170328-sslexample.com_r1.crt | openssl md5
# openssl rsa -noout -modulus -in 20170328-sslexample.com_r1.key | openssl md5
（2 つのハッシュが一致すること）

# openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -untrusted 20170328-sslexample.com_rapidssl.crt 20170328-sslexample.com_r1.crt
（末尾に OK と出ること）

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

 

 

# vi /etc/httpd/conf.d/sslexample.com.conf


#LoadModule ssl_module modules/mod_ssl.so
#Listen 443
#NameVirtualHost *:443
# (The three directives above are left commented out here; presumably they come
#  from the distribution's /etc/httpd/conf.d/ssl.conf -- TODO confirm. The
#  SSL* settings below are server-wide, not per-vhost, and should appear only
#  once across all config files.)

# "builtin" makes httpd prompt for the key passphrase on the console at
# start-up if any referenced key is encrypted -- which is why the key was
# stored without a passphrase above and why the ENCRYPTED check at the end of
# this page matters.
SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

# Seed the PRNG from /dev/urandom at start-up; the commented-out /dev/random
# variants can block on entropy-starved hosts.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


SSLCryptoDevice builtin




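<VirtualHost *:80>
  DocumentRoot /home/web/corporate/public
  ServerName sslexample.com
  ServerAlias www.sslexample.com
  ErrorLog logs/sslexample.com-error.log
  CustomLog logs/sslexample.com-access.log common
  <Directory "/home/web/corporate/public">
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  # Every plain-HTTP request is redirected, in one hop, to the canonical
  # HTTPS host (no www), keeping the request path and query string.
  # The CA's file-based validation path stays reachable over plain HTTP so
  # the certificate can be re-validated/renewed even while the current one
  # is broken or expired.
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/\.well-known/ - [L]
    RewriteRule ^(.*)$ https://sslexample.com$1 [R=301,L]
  </IfModule>

  # Fallback when mod_rewrite is not loaded. The trailing slash matters:
  # "Redirect permanent / https://sslexample.com" (no slash) sends /foo to
  # https://sslexample.comfoo.
  <IfModule !mod_rewrite.c>
    Redirect permanent / https://sslexample.com/
  </IfModule>
</VirtualHost>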



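<VirtualHost *:443>
DocumentRoot "/home/web/corporate/public"
ServerName sslexample.com:443
ServerAlias www.sslexample.com
ErrorLog logs/sslexample.com-ssl_error_log
TransferLog logs/sslexample.com-ssl_access_log
LogLevel warn

SSLEngine on
# SSLv3 is broken (POODLE) as well as SSLv2; leave only TLS. "all" is every
# protocol this mod_ssl/OpenSSL build supports, so TLS 1.1/1.2 are included
# where the OpenSSL on the box has them.
SSLProtocol all -SSLv2 -SSLv3
# The original list admitted RC4, LOW and export-grade suites. Keep only
# strong, authenticated suites and let the server's preference order win.
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP

# Leaf certificate only. Apache 2.2 reads just the first certificate in this
# file; intermediates belong in SSLCertificateChainFile.
SSLCertificateFile /etc/httpd/conf/ssl/20170328-sslexample.com_r1.crt
# Must be the passphrase-less key (no "Proc-Type: 4,ENCRYPTED" header) and
# readable only by root; otherwise httpd prompts on the console at start-up.
SSLCertificateKeyFile /etc/httpd/conf/ssl/20170328-sslexample.com_r1.key
# Intermediate CA certificate(s) -- here the RapidSSL SHA256 CA -- leaf-most
# first. The root is not needed; clients carry it.
SSLCertificateChainFile /etc/httpd/conf/ssl/20170328-sslexample.com_rapidssl.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#SSLVerifyClient require
#SSLVerifyDepth  10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire


  <IfModule mod_rewrite.c>
RewriteEngine on
# Canonicalise www.sslexample.com -> sslexample.com, keeping the path.
# This only works cleanly if the issued certificate covers both names;
# otherwise the browser raises a certificate error before the redirect.
RewriteCond %{HTTP_HOST} ^www\.sslexample\.com [NC]
RewriteRule ^(.*)$ https://sslexample.com$1 [R=301,L]
  </IfModule>

# Expose SSL_* variables to scripts (only for these extensions, since
# exporting them costs a little per request).
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>
  <Directory "/home/web/corporate/public">
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

# Legacy workaround for old Internet Explorer's broken SSL shutdown and
# keep-alive handling; harmless to keep for modern clients.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-request log of the negotiated protocol and cipher -- useful when
# checking that no SSLv3/RC4 connections are still being accepted.
CustomLog logs/sslexample_ja-ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>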

 

反映させる前のENCRYPTEDチェック

 

自分が構築したサーバでない場合、他のドメインでパスフレーズ付きの秘密鍵が使われている可能性があります。SSLPassPhraseDialog builtin のままパスフレーズ付き（ENCRYPTED）の鍵を読み込むと、httpd は起動時にコンソールでパスフレーズ入力を待つため、service httpd restart などの非対話実行では起動できずサイトが止まります。設定ファイルから参照されているすべての秘密鍵に ENCRYPTED がないか必ず確認してください（`grep -l ENCRYPTED /etc/httpd/conf/ssl/*.key` で一括確認できます）。

もしENCRYPTEDがあった場合はお客さんに確認しましょう。わからない場合は前の開発会社への問い合わせが必要です（パスフレーズが分からない鍵は復号できないので、自己判断で除去しようとしないこと）。

# cat /etc/httpd/conf/httpd.conf | grep SSLCertificateKeyFile
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# cat /etc/httpd/conf.d/*.conf | grep SSLCertificateKeyFile
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

 

# cat server.key
 
 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

おおぅ…。

このまま反映させていたらサーバが止まるところでした。

 

 

# httpd -t
Syntax OK

# service httpd reload
Reloading httpd:

反映後は、サーバの外から証明書チェーンが正しく返っているかを確認します（Verify return code が 0 (ok) になること。中間証明書が足りないとここで 21 (unable to verify the first certificate) になります）。

# echo | openssl s_client -connect sslexample.com:443 -servername sslexample.com -CAfile /etc/pki/tls/certs/ca-bundle.crt 2>/dev/null | grep -E "subject=|Verify return code"

 

stop, startじゃないと反映しなかったりします。

# apachectl stop
# apachectl start

なお `apachectl startssl` は Apache 2.0 時代のオプションで、2.2 系の apachectl では「The startssl option is no longer supported」と表示されて起動しません。ソースから入れた 2.2 でも `apachectl stop` → `apachectl start`（または `apachectl graceful`）で反映します。

環境によりますね~。

 

 

 

 
