Notes on installing mod_ssl for Apache 2 on CentOS 6.2 (64-bit).
These are strictly my own private notes (kept so they are useful when reinstalling, for example).
■Important■
- This page follows the procedure from "http://kajuhome.com/apache_ssl.shtml" (or rather, copies it almost exactly) for the installation.
- Copying that web page verbatim would be copyright infringement and very disrespectful to its author, and it would be of no use as my own notes.
- On this page I record the work I actually did, for my own future reference; the procedure itself is almost identical to the page above.
- If you are installing Apache 2 mod_ssl, please refer to the page above rather than this one. Each step comes with an explanation and is easy to follow.
- I searched the web for installation guides for "CentOS 6 apache2 mod_ssl", and (among those I found) I think the guide on the page above is the easiest to understand. My thanks to its author.
- The differences between that page and this one are that this page records the results of the work I did myself, and that I added the item "★Using SSL only in a specific directory (other directories use plain http)".
Install mod_ssl with yum
yum -y install mod_ssl
[root@pc101 ~]# yum -y install mod_ssl
Loaded plugins: downloadonly, fastestmirror, priorities, refresh-packagekit
Determining fastest mirrors
epel/metalink                                            | 3.6 kB     00:00
 * base: www.ftp.ne.jp
 * epel: ftp.iij.ad.jp
 * extras: www.ftp.ne.jp
 * rpmforge: fr2.rpmfind.net
 * updates: www.ftp.ne.jp
base                                                     | 3.7 kB     00:00
extras                                                   | 3.5 kB     00:00
google-chrome                                            |  951 B     00:00
rpmforge                                                 | 1.1 kB     00:00
updates                                                  | 3.5 kB     00:00
2683 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-15.el6.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================
 Package          Arch           Version                        Repository        Size
========================================================================================
Installing:
 mod_ssl          x86_64         1:2.2.15-15.el6.centos         base              87 k

Transaction Summary
========================================================================================
Install       1 Package(s)

Total download size: 87 k
Installed size: 183 k
Downloading Packages:
mod_ssl-2.2.15-15.el6.centos.x86_64.rpm                  |  87 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:mod_ssl-2.2.15-15.el6.centos.x86_64                        1/1

Installed:
  mod_ssl.x86_64 1:2.2.15-15.el6.centos

Complete!
[root@pc101 ~]#
Creating the CA private key (ca.key)
[root@pc161 ~]# openssl genrsa -des3 -out /etc/httpd/conf/ca.key -rand rand.dat 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........................................................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf/ca.key:
Verifying - Enter pass phrase for /etc/httpd/conf/ca.key:
[root@pc161 ~]#
Creating the CA certificate (ca.crt)
[root@pc101 ~]# openssl req -new -x509 -days 365 -key /etc/httpd/conf/ca.key -out /etc/httpd/conf/ca.crt
Enter pass phrase for /etc/httpd/conf/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:Private_CA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:www123456.dyndns.info
Email Address []:xxx@yyyy.zz.jp
[root@pc101 ~]#
Creating the server private key (server.key)
[root@pc101 ~]# openssl genrsa -des3 -out /etc/httpd/conf/server.key -rand rand.dat 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
..........................................................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf/server.key:
[root@pc101 ~]#
Creating the certificate signing request (server.csr)
[root@pc101 ~]# openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr
Enter pass phrase for /etc/httpd/conf/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:abcdefg_company
Organizational Unit Name (eg, section) []:it_dept
Common Name (eg, your name or your server's hostname) []:www123456.dyndns.info
Email Address []:xxx@yyyy.zz.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@pc101 ~]#
Removing the passphrase from the server private key (server.key)
[root@pc101 ~]# openssl rsa -in /etc/httpd/conf/server.key.bak -out /etc/httpd/conf/server.key
Enter pass phrase for /etc/httpd/conf/server.key.bak:
writing RSA key
[root@pc101 ~]#
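The key, certificate and CSR steps above, collected into one non-interactive script. This is an added example, not code from the original page or from kajuhome.com. It writes to a scratch directory instead of /etc/httpd/conf, uses 2048-bit keys where the page used 1024-bit ones, and adds the step the page does not show: signing server.csr with the private CA (openssl x509 -req) to produce server.crt, followed by a check that the certificate chains to ca.crt and matches server.key. The subject fields, the hostname www.example.com and the passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or kajuhome.com): the page's
# key/CSR procedure as a script, plus CA signing and verification.
# All files go into the directory given as the first argument.

# make_ssl_chain DIR
#   Creates ca.key/ca.crt (private CA), server.key/server.csr, signs the CSR
#   with the CA to produce server.crt, then strips the passphrase from the
#   server key as the page does (the encrypted copy is kept as server.key.bak).
make_ssl_chain() {
    dir=$1
    ca_pass=pass:ca-passphrase-placeholder      # constructed; never hard-code for real use
    srv_pass=pass:server-passphrase-placeholder # constructed

    # CA private key (encrypted; -passout replaces the interactive prompt)
    openssl genrsa -aes256 -passout "$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null
    # Self-signed CA certificate; -subj answers the DN prompts non-interactively
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "$ca_pass" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Private_CA/OU=Admin/CN=Private_CA" \
        -out "$dir/ca.crt"

    # Server private key (encrypted) and certificate signing request
    openssl genrsa -aes256 -passout "$srv_pass" -out "$dir/server.key.bak" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key.bak" -passin "$srv_pass" \
        -subj "/C=JP/ST=Tokyo/L=Shinjuku/O=abcdefg_company/OU=it_dept/CN=www.example.com" \
        -out "$dir/server.csr"

    # Sign the CSR with the private CA (this step is not shown on the page)
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "$ca_pass" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null

    # Remove the passphrase so httpd can start unattended (the page's last step)
    openssl rsa -in "$dir/server.key.bak" -passin "$srv_pass" -out "$dir/server.key" 2>/dev/null
    # An unencrypted key must be readable by root only
    chmod 600 "$dir/server.key" "$dir/server.key.bak" "$dir/ca.key"
}

# check_chain DIR
#   Returns 0 only if server.crt verifies against ca.crt and the public key in
#   server.crt is the one derived from the unencrypted server.key.
check_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_is_encrypted FILE
#   Returns 0 if the PEM private key is passphrase-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Usage: sh make_chain.sh /path/to/scratch/dir
if [ "$#" -gt 0 ]; then
    make_ssl_chain "$1" && check_chain "$1" && echo "chain OK in $1"
fi
```

Because the server certificate is issued by a private CA, clients will not trust it until ca.crt is installed in their trust store; the check_chain function only confirms that the files are consistent with each other. 1024-bit RSA keys, as used in the page's session, are no longer considered adequate, which is why the script generates 2048-bit keys.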
★Using SSL only in a specific directory (other directories use plain http)
[root@pc161 ssl]# mkdir ssl
[root@pc101 ssl]# vi /etc/httpd/conf/httpd.conf
Change it as follows.
Before
# ===== changed 2011/01/09 =====
<Directory "/var/www/html">
(omitted)
</Directory>
# ===== changed 2011/01/09 =====
After
<Directory "/var/www/html">
(omitted)
</Directory>
# ===== changed 2011/01/09 =====
<Location "/ssl">
    SSLRequireSSL
</Location>
# ===== changed 2011/01/09 =====
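A quick audit check for the httpd.conf change above, as an added example that is not part of the original page. The location_requires_ssl function reports whether a <Location> block for a given path contains an active SSLRequireSSL directive, so the "before" and "after" states of the edit can be told apart from a script; the two sample configuration files it builds are constructed here to mirror those states, with a couple of ordinary Directory options filled in where the page writes (omitted).

```shell
#!/bin/sh
# Added example (not from the original page): check whether a <Location PATH>
# block in an httpd.conf file requires SSL.

# location_requires_ssl CONF PATH
#   Returns 0 when a <Location "PATH"> block in CONF contains SSLRequireSSL,
#   1 otherwise. Commented-out directives do not count.
location_requires_ssl() {
    conf=$1
    path=$2
    awk -v want="$path" '
        # Opening tag: the path may be quoted or bare
        /^[ \t]*<Location[ \t]/ {
            p = $2
            gsub(/[">]/, "", p)
            inside = (p == want)
            next
        }
        /^[ \t]*<\/Location>/ { inside = 0; next }
        # Only a directive inside the wanted block, not preceded by "#", counts
        inside && /^[ \t]*SSLRequireSSL([ \t]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# write_sample_confs DIR
#   Writes before.conf (no SSL restriction) and after.conf (the page's edit).
#   Both files are constructed samples.
write_sample_confs() {
    dir=$1
    cat > "$dir/before.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
    cat > "$dir/after.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
# ===== changed 2011/01/09 =====
<Location "/ssl">
    SSLRequireSSL
</Location>
# ===== changed 2011/01/09 =====
EOF
}

# Usage: sh check_ssl_location.sh /etc/httpd/conf/httpd.conf /ssl
if [ "$#" -eq 2 ]; then
    if location_requires_ssl "$1" "$2"; then
        echo "$2: SSLRequireSSL present"
    else
        echo "$2: plain HTTP still allowed" >&2
        exit 1
    fi
fi
```

SSLRequireSSL refuses plain-HTTP requests to the location with a 403 response rather than redirecting them to https, so links into /ssl must already use https. The check is purely textual: it does not follow Include directives or .htaccess files, so a directive set elsewhere will not be seen.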