lost and found ( for me ? )

Apache: launch SSL site w/ self-signed certificate

# httpd -v
Server version: Apache/2.2.3
Server built: Sep 3 2009 17:38:51

Because the certificate is self-signed, there is no need to build a CA.

- Creating the private key

RSA key, 1024-bit, with the key file encrypted using des3 (Triple DES). Note that 1024-bit RSA is no longer considered adequate; use 2048 bits or more for anything other than a throwaway test.

# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.................................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:hello <- passphrase for the private key
Verifying - Enter pass phrase for server.key:hello

- Removing the passphrase from the private key (the unencrypted key lets httpd start without the passphrase prompt; it must then be readable by root only, e.g. chmod 600)

# openssl rsa -in server.key -out server_no_pass.key
Enter pass phrase for server.key:hello


# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0AF87B2E0386C79B

Mk9orvGj6TqKrGoTPvzEMaxe27agT6eJGT7jQAyNRUhGoLdNpE2dOvrICBNMTuTF
qeIJ3AF/RoTn30y990DC1LnGVAAwAaB/H1BgMug7+PV/2x+nMZuzYjKAewkL1ehf
z7X3PVNhdy2MeQFklnx1FL16ItpL5FXeMZcpujhnQN4hlGd9cHyLEzOOppDWC5gw
j1FYotnZte0u3diljd3kcHhGWtG+B10zZvV3A/PLcIViHn4Y2rNKGGO4/UdHDNZk
yyuD4E0KHaQp7AvxKjsC4FqDDv5U9OidptlAEftaAEmh1nf5MCPfMUSrmHM+W3IO
5b0HoyJpksI8Egg2R0YCpbliqX9vivOJ3txvvSjtNnjkYlNWXjWqrUzUhLDE2JLV
EEHmhasyww73suspL9M/RqsUw1rgPdhJ7SIg24D8oqCs2cCIUVUsp0jKY2/nQuwA
j3rwqFUIqSPyly/ONkV3cNgyEgdQ1Rf0ElWPLJnlEQivR0Sb3L/u2giyt9+mXdo1
V4EUTBskrixZyUZR4GFYd3w6ybl8KF8Qdt34Y4o4gibAVW58xwCY1AXianfvW0ei
EMzZ+R2rtBT9IMqtmc766w+MT0MvhvoLUum7CN2QSYDuwMxedSeo0StvEn9/cGpW
8XuvmkKHqRJSLCr/8IM8pM7DfVDoynbc9vzGEXCaKOIFCiaBmHIO9yjWs+lf0z72
qCNnpB2w+mwzc+Uc6mM8aVr821P103qeuAqWjTx2frY9N1XYl8tHdo7Y3hx2aIVC
TpPDeBFynjVxeYUlAyiHMgR7IVyQrfdyBaTi7qFKXSI9vscipA0LnQ==
-----END RSA PRIVATE KEY-----

The contents of server.key can be inspected with the openssl command (the passphrase is required to decrypt it):

# openssl rsa -text -in server.key

- Creating the self-signed certificate

# openssl req -new -x509 -days 3650 -key server.key -out server.crt
Enter pass phrase for server.key:hello ( <- passphrase for server.key )
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Test
Locality Name (eg, city) [Newbury]:Test
Organization Name (eg, company) [My Company Ltd]:Test
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:

# cat server.crt
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----


# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fe:bb:e3:39:3f:7c:9d:c9
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=Test, L=Test, O=Test, OU=Test, CN=www.example.com
Validity
Not Before: Nov 11 02:29:30 2009 GMT
Not After : Nov 9 02:29:30 2019 GMT
Subject: C=JP, ST=Test, L=Test, O=Test, OU=Test, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ef:83:5c:68:be:8a:a8:0c:4d:fb:41:e4:89:6c:
8a:e8:c5:cc:09:c5:0c:24:82:e2:84:60:1c:bf:34:
40:72:00:2b:88:31:ac:76:56:82:85:11:1e:37:70:
a1:ba:55:ee:6e:93:e2:12:93:a4:24:d2:18:7a:cc:
d9:2e:22:12:36:20:37:75:3b:07:10:6a:4b:1c:f7:
92:9c:9f:14:67:a4:fa:f7:38:eb:96:8a:2c:b2:68:
0f:67:8f:59:84:30:86:49:3b:1f:b0:e4:26:d8:ff:
c8:dd:2a:0d:d0:d1:a3:aa:eb:6c:30:77:a0:d1:ad:
dc:82:3f:da:58:ce:d6:05:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
50:39:C7:4D:06:AD:70:74:4F:F9:8F:2B:42:22:20:4B:E4:7E:BD:1C
X509v3 Authority Key Identifier:
keyid:50:39:C7:4D:06:AD:70:74:4F:F9:8F:2B:42:22:20:4B:E4:7E:BD:1C
DirName:/C=JP/ST=Test/L=Test/O=Test/OU=Test/CN=www.example.com
serial:FE:BB:E3:39:3F:7C:9D:C9

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
ab:0b:03:35:c0:71:e1:7c:6e:3e:76:0b:7a:00:03:a1:34:b1:
2e:8e:19:29:fd:8f:79:c1:73:29:ca:ca:e0:cc:fd:c6:61:0a:
90:3b:4f:24:27:35:72:36:04:1c:fd:f1:de:36:ba:4d:25:02:
82:df:b3:97:d3:f5:3a:17:31:34:a9:80:56:67:c8:d2:20:95:
e2:08:6d:b1:16:54:41:d8:c7:16:f3:d1:91:ae:95:e2:4c:30:
0e:64:c9:ab:c9:31:c8:36:62:6d:95:aa:04:1d:24:39:07:49:
4e:22:61:02:e1:97:a4:43:4d:b6:bf:f4:87:4f:e6:ad:ae:78:
3c:b5
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----


- httpd configuration

# egrep -i "^sslcert" /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /root/server.crt
SSLCertificateKeyFile /root/server.key

# /etc/init.d/httpd start
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server server1.localdomain:443 (RSA)
Enter pass phrase:hello <- passphrase for the private key

OK: Pass Phrase Dialog successful.
[ OK ]
#
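The whole procedure above (key, self-signed certificate, mod_ssl directives) as one non-interactive script, with the checks worth running before restarting httpd. This is an added example, not code from the original post. It assumes openssl 1.1.1 or newer (for -addext and -ext); the hostname www.example.com, the DN fields and the output paths are placeholders, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post.  Generates an unencrypted key
# and a self-signed certificate in one step, then verifies the artifacts.
# Assumes openssl >= 1.1.1; www.example.com and the paths are placeholders.
set -eu

# Key + certificate in one step.
#  - rsa:2048 instead of the 1024 bits used above; 1024-bit RSA is no
#    longer considered adequate.
#  - -nodes: the key is written unencrypted, so httpd starts without the
#    Pass Phrase Dialog; chmod 600 is the compensating control.
#  - -sha256: the 2009 default, sha1WithRSAEncryption, is rejected by
#    current browsers.
#  - -addext subjectAltName: current clients match the hostname against
#    the SAN and reject a CN-only certificate like the one above.
gen_selfsigned() {
    host="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$host.key" -out "$host.crt" \
        -subj "/C=JP/ST=Test/L=Test/O=Test/OU=Test/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$host.key"
}

# True when the certificate was issued for this key (mod_ssl refuses to
# start with a "key values mismatch" otherwise).  Compares the public key
# embedded in the certificate with the one derived from the private key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# A self-signed certificate verifies only against itself as trust anchor;
# this is what a client that has imported the .crt will check.
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# DNS names carried in subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# Size of the RSA public key in the certificate, in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the certificate is still valid $2 seconds from now.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# The mod_ssl directives from ssl.conf above, pointing at the new files.
# Written to stdout so it can be redirected into a conf.d fragment.
apache_ssl_directives() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $PWD/$1.crt
SSLCertificateKeyFile $PWD/$1.key
EOF
}

# Usage: sh selfsigned.sh www.example.com 3650
if [ $# -ge 1 ]; then
    h="$1"; d="${2:-3650}"
    gen_selfsigned "$h" "$d"
    key_matches_cert "$h.crt" "$h.key" && echo "key matches certificate"
    verify_selfsigned "$h.crt" && echo "self-signed chain verifies"
    echo "SAN: $(cert_sans "$h.crt")  key: $(cert_key_bits "$h.crt") bit"
    apache_ssl_directives "$h"
fi
```

Run it in the directory where the files should live; the key-to-certificate comparison is the check to run whenever httpd reports a key/certificate mismatch after a renewal, and the SAN check is the one that explains why a certificate built exactly as above is refused by a current browser even after it has been imported.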
