mac Apache2.2のSSL環境構築(メモ)
前提
$ port installed | grep apache2 apache2 @2.2.14_0+darwin+preforkmpm (active) ... $ port installed | grep openssl openssl @0.9.8k_0+darwin (active) ...
プライベートCA(認証局)の作成
$ cd /opt/local/etc/openssl/ $ sudo ./misc/CA.sh -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key .............................++++++ .............................................++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase: <-----CA用パスフレーズ Verifying - Enter PEM pass phrase:<-----再入力 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: 【ENTER】 State or Province Name (full name) [Some-State]:【ENTER】 Locality Name (eg, city) []:【ENTER】 Organization Name (eg, company) [Internet Widgits Pty Ltd]:【ENTER】 Organizational Unit Name (eg, section) []:【ENTER】 Common Name (eg, YOUR name) []:private<----ここだけ【private】にした Email Address []:【ENTER】 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:【ENTER】 An optional company name []:【ENTER】 Using configuration from /opt/local/etc/openssl/openssl.cnf Enter pass phrase for ./demoCA/private/./cakey.pem:<------先ほどのパスフレーズを入れる Check that the request matches the signature Signature ok Certificate Details: .........(中略)........... Write out database with 1 new entries Data Base Updated
サーバー秘密鍵の作成
$ cd /opt/local/apache2/conf $ sudo mkdir openssl $ cd openssl $ sudo openssl genrsa -out apache2.key -des3 1024 $ sudo openssl rsa -in apache2.key -out apache2_nopasswd.key $ sudo openssl req -new -key apache2_nopasswd.key -out apache2.csr ....(いろいろ訊かれるが全部エンター。Common Nameだけ前述の【private】にする)
サーバー証明書の作成
$ cd /opt/local/etc/openssl (なぜかわからないけど、demoCA/index.txtを空にしておかないとうまく行かなかったので) $ sudo rm demoCA/index.txt $ sudo touch demoCA/index.txt $ sudo openssl ca -in /opt/local/apache2/conf/openssl/apache2.csr -out /opt/local/apache2/conf/openssl/apache2.crt
これで秘密鍵と証明書ができた
$ ls -l /opt/local/apache2/conf/openssl -rw-r--r-- 1 root admin 3071 11 16 16:28 apache2.crt -rw-r--r-- 1 root admin 631 11 16 16:28 apache2.csr -rw-r--r-- 1 root admin 963 11 16 16:23 apache2.key -rw-r--r-- 1 root admin 891 11 16 16:23 apache2_nopasswd.key
httpd-ssl.confの編集
(ファイルの中身) Listen 443 <VirtualHost *:443> DocumentRoot "/opt/local/apache2/htdocs" SSLEngine on SSLCertificateFile "/opt/local/apache2/conf/openssl/apache2.crt" SSLCertificateKeyFile "/opt/local/apache2/conf/openssl/apache2_nopasswd.key" </VirtualHost>
動作確認
ブラウザからhttps://localhostにアクセスして、ブラウジングできればOK