SSLè‡ªå·±è¨¼æ˜Žæ›¸ã®ä½œæˆ - opentechnoboxã®æ

ä½•ã§SSLè‡ªå·±è¨¼æ˜Žæ›¸ãŒå¿…è¦ã«ï¼Ÿ
ã€€Iaasï¼ˆå…·ä½“çš„ã«ã¯SaaSesã®Industriaï¼‰ã§Apacheã‚’ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã€‚
ã€€ãã®å¾Œã€ã‚µãƒ¼ãƒã«HTTPSã‚¢ã‚¯ã‚»ã‚¹ã—ã‚ˆã†ã¨ã—ãŸã‚‰å…¨ãã‚¢ã‚¯ã‚»ã‚¹ã§ããªã„ãƒ»ãƒ»ãƒ»ãƒ»
ã€€ãŠã‹ã—ã„ã¨æ€ã£ã¦ãƒã‚°ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ç¢ºèªã—ãŸã‚‰ã“ã‚“ãªã‚¨ãƒ©ãƒ¼ãŒå‡ºã¦ã„ã¾ã—ãŸã€‚

ã€/var/log/ssl/ssl_error_logã€‘

ãƒ»ãƒ»ãƒ»
[Tue Jun 21 16:16:26 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 16:16:26 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
[Tue Jun 21 16:16:26 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 16:16:26 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
[Tue Jun 21 16:53:49 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 16:53:49 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
[Tue Jun 21 16:53:49 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 16:53:49 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
[Tue Jun 21 17:11:54 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 17:11:54 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
[Tue Jun 21 17:11:54 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 21 17:11:54 2011] [warn] RSA server certificate CommonName (CN) `ign-st-l-2' does NOT match server name!?
ãƒ»ãƒ»ãƒ»

ã€€ã“ã®ã‚¨ãƒ©ãƒ¼ã¯ã€ã‚µãƒ¼ãƒè¨¼æ˜Žæ›¸ãŒæ£ã—ãè¨å®šã•ã‚Œã¦ãªã„äº‹ãŒåŽŸå› ã®æ§˜åã€‚
ã€€èªè¨¼æ©Ÿé–¢ãŒç™ºè¡Œã™ã‚‹æ£å¼ãªã‚µãƒ¼ãƒè¨¼æ˜Žæ›¸ã¯é«˜ä¾¡ãªã®ã§ã€SSLè‡ªå·±è¨¼æ˜Žæ›¸ã‚’è¨å®šã—ã¦ã¿ã¾ã—ãŸã€‚

ã‚µãƒ¼ãƒè¨¼æ˜Žæ›¸è¨å®šæ‰‹é †æ¦‚ç•¥
ã€€è©³ç´°ãªã‚ªãƒšãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ã¯å¾Œè¿°ã™ã‚‹ã¨ã—ã¦ã€è¨å®šæ‰‹é †ã®æ¦‚ç•¥ã¯æ¬¡ã®é€šã‚Šã§ã™ã€‚

ã€€(1) openssl ã‚³ãƒžãƒ³ãƒ‰ã‚’ä½¿ã£ã¦ SSL è‡ªå·±è¨¼æ˜Žæ›¸ã‚’ä½œæˆã™ã‚‹ã€‚
ã€€ã€€1) ç§˜å¯†éµï¼ˆserver.keyï¼‰ã®ä½œæˆ

openssl genrsa -aes128 1024 > server.key

ã€€ã€€2) å…¬é–‹éµï¼ˆserver.csrï¼‰ã®ä½œæˆ

openssl req -new -key server.key > server.csr

ã€€ã€€3) ãƒ‡ã‚¸ã‚¿ãƒ«è¨¼æ˜Žæ›¸ï¼ˆserver.crtï¼‰ã®ä½œæˆ

openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt

ã€€(2) Apache ã® ssl.conf ã‚’ç·¨é›†ã™ã‚‹ã€‚

ã€€ä»¥ä¸Šã§ä½œæˆå®Œäº†ã§ã™ã€‚
ã€€ã“ã®ä½œæ¥ã€/etc/httpd/conf/ ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªå†…ã§ä½œæ¥ã™ã‚‹ã¨ssl.confãƒ•ã‚¡ã‚¤ãƒ«ã®ç·¨é›†ãŒæ¥½ã§ã™ã€‚

ã‚µãƒ¼ãƒè¨å®šæ‰‹é †è©³ç´°
ï¼‘ï¼Žç§˜å¯†éµï¼ˆserver.keyï¼‰ã®ä½œæˆ
ã€€æ¬¡ã®ã‚³ãƒžãƒ³ãƒ‰ã§ç§˜å¯†éµï¼ˆserver.keyï¼‰ã‚’ä½œæˆã—ã¾ã™ã€‚
ã€€ã“ã®ãƒ•ã‚¡ã‚¤ãƒ«ã¯ã€ã‚µãƒ¼ãƒã®CSRã‚’ä½œæˆã™ã‚‹ãŸã‚ã«å¿…è¦ã§ã™ã€‚

# openssl genrsa -aes128 1024 > server.key

ã€€ã“ã®ã‚³ãƒžãƒ³ãƒ‰ã®å¼•æ•°ã®æ„å‘³ã¯æ¬¡ã®é€šã‚Šã€‚
ã€€genrsa
ã€€ã€€ã€€RSAå½¢å¼ã®ç§˜å¯†éµã‚’ä½œæˆã™ã‚‹
ã€€-aes128
ã€€ã€€ã€€128ãƒ“ãƒƒãƒˆã® AES æ–¹æ³•ã§æš—å·åŒ–ã™ã‚‹ã€‚
ã€€1024
ã€€ã€€ã€€1024ãƒã‚¤ãƒˆã®éµã‚’ä½œæˆã™ã‚‹ã€‚

ã€€ç¶šã‘ã¦ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºã®å…¥åŠ›ã‚’æ±‚ã‚ã‚‰ã‚Œã‚‹ã®ã§ã€é©å½“ãªãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºã‚’è¨å®šã—ã¦ä¸‹ã•ã„ã€‚

Generating RSA private key, 1024 bit long modulus
..................++++++
..........................................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase: XXXXXXXXXXã€€â†ã€€ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºè¨å®š
Verifying - Enter pass phrase: XXXXXXXXXXã€€â†ã€€ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºå†è¨å®š

ï¼’ï¼Žå…¬é–‹éµï¼ˆserver.csrï¼‰ä½œæˆ
ã€€Webã‚µãƒ¼ãƒã®CSRãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆserver.csrï¼‰ã‚’ä½œæˆã—ã¾ã™ã€‚
ã€€ã€€ãƒ»CSRï¼ˆCertificate Signing Requestï¼‰ã¨ã¯ã€SSL è¨¼æ˜Žæ›¸ã‚’ä½œæˆã™ã‚‹å…ƒã«ãªã‚‹æƒ…å ±ãŒæ›¸ã‹ã‚Œã¦ã„ã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã§ã™ã€‚
ã€€ã€€ãƒ»çµ„ç¹”åã‚„ã‚µãƒ¼ãƒã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãªã©ã®æƒ…å ±ã‚’å«ã¿ã¾ã™ã€‚
ã€€ã€€ãƒ»ã„ã‚ã‚†ã‚‹å…¬é–‹éµã®ãƒ•ã‚¡ã‚¤ãƒ«ã§ã™ã€‚
ã€€æ¬¡ã® openssl ã‚³ãƒžãƒ³ãƒ‰ã§ CSR ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ä½œæˆã™ã‚‹äº‹ãŒã§ãã¾ã™ã€‚

# openssl req -new -key server.key > server.csr

ã€€ã“ã®ã‚³ãƒžãƒ³ãƒ‰ã®å¼•æ•°ã®æ„å‘³ã¯æ¬¡ã®é€šã‚Šã€‚
ã€€req
ã€€ã€€ã€€CSRãƒ•ã‚¡ã‚¤ãƒ«ã‚’ä½œæˆã™ã‚‹ã€‚
ã€€-new
ã€€ã€€ã€€æ–°è¦ã«CSRã‚’ä½œæˆã™ã‚‹ã€‚
ã€€-key
ã€€ã€€ã€€ç§˜å¯†éµãƒ•ã‚¡ã‚¤ãƒ«
ã€€ç¶šã‘ã¦ï¼‘ã§è¨å®šã—ãŸãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºã‚’å«ã‚ã¦ã€ã„ãã¤ã‹ã®ãƒ¦ãƒ¼ã‚¶æƒ…å ±ã‚’å…¥åŠ›ã—ã¾ã™ã€‚

Enter pass phrase for server.key: XXXXXXXXXXã€€â†ã€€ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºè¨å®š
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-

Country Name (2 letter code) [AU]: JP
State or Province Name (full name) [Some-State]: TOKYO
Locality Name (eg, city) : chiyoda-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]: XXXXXX Corp.
Organizational Unit Name (eg, section) : Sales div.
Common Name (eg, YOUR name) : example.com((é‹ç”¨ã™ã‚‹ã‚µã‚¤ãƒˆã®åå‰ã‚’å…¥åŠ›ã™ã‚‹ã€‚IPã‚¢ãƒ‰ãƒ¬ã‚¹ã§é‹ç”¨ã™ã‚‹Webã‚µãƒ¼ãƒã®å ´åˆã¯ IP ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’å…¥åŠ›ã™ã‚‹ã€‚))
Email Address : [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : blank
An optional company name : blank

ï¼“ï¼Žãƒ‡ã‚¸ã‚¿ãƒ«è¨¼æ˜Žæ›¸ï¼ˆserver.crtï¼‰ä½œæˆ
ã€€æ¬¡ã® openssl ã‚³ãƒžãƒ³ãƒ‰ã§ãƒ‡ã‚¸ã‚¿ãƒ«è¨¼æ˜Žæ›¸ï¼ˆserver.crtï¼‰ã‚’ä½œæˆã™ã‚‹äº‹ãŒã§ãã¾ã™ã€‚

# openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt

ã€€ã“ã®ã‚³ãƒžãƒ³ãƒ‰ã®å¼•æ•°ã®æ„å‘³ã¯æ¬¡ã®é€šã‚Šã€‚
ã€€x509
ã€€ã€€ã€€X.509 å½¢å¼ã®ãƒ‡ã‚¸ã‚¿ãƒ«è¨¼æ˜Žæ›¸ã‚’ä½œæˆã™ã‚‹ã€‚
ã€€-in CSRãƒ•ã‚¡ã‚¤ãƒ«
ã€€ã€€ã€€CSR ãƒ•ã‚¡ã‚¤ãƒ«åã‚’æŒ‡å®šã™ã‚‹ã€‚
ã€€-days æ—¥æ•°
ã€€ã€€ã€€è¨¼æ˜Žæ›¸ã®æœ‰åŠ¹æœŸé™ã‚’æŒ‡å®šã™ã‚‹ã€‚
ã€€-req
ã€€ã€€ã€€å…¥åŠ›ãƒ•ã‚¡ã‚¤ãƒ«ãŒCSRãƒ•ã‚¡ã‚¤ãƒ«ã§ã‚ã‚‹ã“ã¨ã‚’æŒ‡å®šã™ã‚‹ã€‚
ã€€-signkey ç§˜å¯†éµãƒ•ã‚¡ã‚¤ãƒ«
ã€€ã€€ã€€è‡ªå·±è¨¼æ˜Žæ›¸ä½œæˆæ™‚ã«ä½¿ç”¨ã™ã‚‹ã‚ªãƒ—ã‚·ãƒ§ãƒ³ã€‚ç§˜å¯†éµãƒ•ã‚¡ã‚¤ãƒ«ã‚’æŒ‡å®šã™ã‚‹ã€‚
ã€€å…¥åŠ›ã—ãŸæƒ…å ±ã®æ‰“ã¡è¿”ã—ã«ç¶šã‘ã¦ã€ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºã®å…¥åŠ›ã‚’æ±‚ã‚ã‚‰ã‚Œã¾ã™ã€‚
ã€€ï¼’ã§è¨å®šã—ãŸãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºã‚’å…¥åŠ›ã—ã¦ä¸‹ã•ã„ã€‚

ãƒ»ãƒ»ãƒ»
Enter pass phrase for server.key: XXXXXXXXXXã€€â†ã€€ãƒ‘ã‚¹ãƒ•ãƒ¬ãƒ¼ã‚ºè¨å®š
unable to write 'random state'
ãƒ»ãƒ»ãƒ»

ã€€ä»¥ä¸Šã§è‡ªå·±è¨¼æ˜Žæ›¸ã®ä½œæˆã¯å®Œäº†ã§ã™ã€‚

ï¼”ï¼ŽApache mod_ssl ã®è¨å®š
ã€€Apache ã§ SSL æš—å·åŒ–é€šä¿¡ã‚’è¡Œã†éš›ã¯ã€mod_ssl ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã‚’ä½¿ç”¨ã—ã¾ã™ã€‚
ã€€Apache 2.2.3 ã§ã¯ã€/etc/httpd/conf.d/ssl.conf ã« mod_ssl ã®åŸºæœ¬çš„ãªè¨å®šãŒã‚ã‚‰ã‹ã˜ã‚ç”¨æ„ã•ã‚Œã¦ã„ã‚‹ã®ã§ã€ã“ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ä¿®æ£ã—ã¦è¨å®šã—ã¾ã™*1ã€‚
ã€€SSLCertificateFile ã¨ SSLCertificateKeyFile ã®è¨å®šã§ã€ä¸Šè¨˜ã§ä½œæˆã—ãŸ server.crt ã¨ server.key ã‚’æŒ‡å®šã—ã¾ã™ã€‚

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

# SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ã€€
ã€€ä»¥ä¸Šã§ã€SSLè‡ªå·±è¨¼æ˜Žæ›¸ã®ä½œæˆã¯å®Œäº†ã§ã™ã€‚
ã€€Apacheã‚’ãƒªã‚¹ã‚¿ãƒ¼ãƒˆã—ã€HTTPSã‚¢ã‚¯ã‚»ã‚¹ã‚’ã—ãŸã¨ã“ã‚æ£ã—ãæŽ¥ç¶šã™ã‚‹äº‹ãŒã§ãã¾ã—ãŸã€‚

*1:ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã‹ã‚‰ãƒ“ãƒ«ãƒ‰ã—ãŸå ´åˆã€conf/extra/httpd-ssl.conf ã‚’ä½¿ã„ã¾ã™