make コマンドにより必用な鍵や証明書を生成。
* make-dummy-cert は、以下を固定値で localhost.key と localhost.crt を一気に作成する。
# cd /etc/pki/tls/certs
# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key". # key 生成
To create a CSR, run "make SOMETHING.csr". # key, csr 生成
To create a test certificate, run "make SOMETHING.crt". # key, crt 生成
To create a key and a test certificate in one file, run "make SOMETHING.pem". # pem(key+crt) 生成
To create a key for use with Apache, run "make genkey". # ../private/localhost.key 生成
To create a CSR for use with Apache, run "make certreq". # localhost.csr 生成
To create a test certificate for use with Apache, run "make testcert". # localhost.crt 生成
To create a test certificate with serial number other than zero, add SERIAL=num
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
make server.crt SERIAL=1
make stunnel.pem SERIAL=2
make testcert SERIAL=3
# /usr/bin/openssl req -newkey rsa:1024 -keyout server.key -nodes -x509 -days 365 -out server.crt
Generating a 1024 bit RSA private key
.....................................................................................++++++
......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Shinjuku-ku
Organization Name (eg, company) [My Company Ltd]:Linux Academy
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:Akihito YAKOSHI
Email Address []:ycos001@yahoo.co.jp
# ls -l server*
-rw-r--r-- 1 root root 1346 Aug 16 13:43 server.crt
-rw-r--r-- 1 root root 887 Aug 16 13:43 server.key
# mv server.key ../private/
# vi /etc/httpd/conf.d/ssl.conf
( ssl.conf を修正 )
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/server.key
# /etc/init.d/http restart
# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
verify return:1
---
Certificate chain
0 s:/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
i:/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDtTCCAx6gAwIBAgIJAJZ+j6GB94vzMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
VQQGEwJKUDEOMAwGA1UECBMFVG9reW8xFDASBgNVBAcTC1NoaW5qdWt1LWt1MRYw
FAYDVQQKEw1MaW51eCBBY2FkZW15MQ4wDAYDVQQLEwVMaW51eDEYMBYGA1UEAxMP
QWtpaGl0byBZQUtPU0hJMSIwIAYJKoZIhvcNAQkBFhN5Y29zMDAxQHlhaG9vLmNv
LmpwMB4XDTEyMDgxNjA0NDMxOVoXDTEyMTEyNDA0NDMxOVowgZkxCzAJBgNVBAYT
AkpQMQ4wDAYDVQQIEwVUb2t5bzEUMBIGA1UEBxMLU2hpbmp1a3Uta3UxFjAUBgNV
BAoTDUxpbnV4IEFjYWRlbXkxDjAMBgNVBAsTBUxpbnV4MRgwFgYDVQQDEw9Ba2lo
aXRvIFlBS09TSEkxIjAgBgkqhkiG9w0BCQEWE3ljb3MwMDFAeWFob28uY28uanAw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMA4pKyq8flhtabXInX0DbxBg0fo
bMl0owAO+jzMje4jv/BxR/D5KQrNluooeLml5fAW6CCLQ5O+efiAI7Z0aKrXHf1Y
rFTg/e3cvdyGQbtDACQAM4payJ//tU3j49393nQBbvPn1O22rlIhM/pnQAPP2XHw
7TCKPUy3a1skaoWpAgMBAAGjggEBMIH+MB0GA1UdDgQWBBRSjQD1SQ3qdYEVZ6Ir
/koIjjSbozCBzgYDVR0jBIHGMIHDgBRSjQD1SQ3qdYEVZ6Ir/koIjjSbo6GBn6SB
nDCBmTELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMRQwEgYDVQQHEwtTaGlu
anVrdS1rdTEWMBQGA1UEChMNTGludXggQWNhZGVteTEOMAwGA1UECxMFTGludXgx
GDAWBgNVBAMTD0FraWhpdG8gWUFLT1NISTEiMCAGCSqGSIb3DQEJARYTeWNvczAw
MUB5YWhvby5jby5qcIIJAJZ+j6GB94vzMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
AQEFBQADgYEAO8JJu4JMoQvyHDpLgZj42tuvDztRsmA6pv0Y0y9HgwRcrwWdJPA/
7wH/ohvueFDbFkqxpNUV1pRlJLYvQJHxM55UGWbBF2t240UvYqQ9varm3G2tQZkv
r+90SLSA72AKWwyedmSLNMyuTniHXtBk2cXUEi7jEAdqCsslKPYey+s=
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
issuer=/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Linux Academy/OU=Linux/CN=Akihito YAKOSHI/emailAddress=ycos001@yahoo.co.jp
---
No client certificate CA names sent
---
SSL handshake has read 1524 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: E6B39B3ECCEDCE84ABEEA704FBA1C2CFA5385217B7A6AB8F873683C421A1757F
Session-ID-ctx:
Master-Key: F3981B1230137AE50ADADAB4FAD7FBB426B06555519DB201E78825BC10987F5EE8BFF3E5E6F50AC201AE9855975B57DE
Key-Arg : None
Krb5 Principal: None
Start Time: 1345093422
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
quit
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>quit to / not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at vboxm.ycos.net Port 443</address>
</body></html>
closed
# mv server.key server.key.bkup # openssl rsa -in server.key.bkup > server.key詳しい手順については、LPIC2 補足資料に詳しく紹介