Kimagure Sanpopo

Hello everyone, nice to meet you. I am Sanpopo (sanpopo), the administrator of this blog.

Building a Web Server: SSL Installation [Apache] [Free Software]

  • Environment

OS: Ubuntu

Version: Server amd64 20.04.1 LTS

Kernel: 5.4.0-52-generic

 

  • Overview

Free software that implements the SSL v2/v3 and TLS v1 protocols. It is built into a great many systems.

 

  • Build

Download the latest version (openssl-1.1.1h.tar.gz) from the OpenSSL site and install it:

ubuntu@ubuntu:~$ wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
ubuntu@ubuntu:~$ tar zxvf openssl-1.1.1h.tar.gz
ubuntu@ubuntu:~$ cd openssl-1.1.1h/
ubuntu@ubuntu:~/openssl-1.1.1h$ ./config
ubuntu@ubuntu:~/openssl-1.1.1h$ make
ubuntu@ubuntu:~/openssl-1.1.1h$ make test
ubuntu@ubuntu:~/openssl-1.1.1h$ sudo make install

 

Creating our own certificate authority (CA)

First, copy the script that creates the private key and certificate:

ubuntu@ubuntu:~$ cp /usr/local/ssl/misc/CA.pl ./
ubuntu@ubuntu:~$ ./CA.pl -newca
CA certificate filename (or enter to create) → press Enter

Making CA certificate ...

openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
openssl: symbol lookup error: openssl: undefined symbol: EVP_mdc2, version OPENSSL_1_1_0
==> 32512

 

The error says a symbol cannot be found, so we refresh the shared-library cache and run the script again:

ubuntu@ubuntu:~$ sudo ldconfig
ubuntu@ubuntu:~$ ./CA.pl -newca
CA certificate filename (or enter to create) → press Enter

Making CA certificate ...

openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a RSA private key
.......................+++++
.................................+++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: → enter a password
Verifying - Enter PEM pass phrase: → enter the password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) :Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
Organizational Unit Name (eg, section) :Home

Common Name (e.g. server FQDN or YOUR name) :Home_Server
Email Address :home@home.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : → press Enter
An optional company name : → press Enter

==> 0


openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: → enter the password
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
19:8b:17:05:04:78:93:34:a1:dc:f8:d5:cc:5f:6a:b3:b7:d6:6f:c6
Validity
Not Before: Nov 10 14:36:57 2020 GMT
Not After : Nov 10 14:36:57 2023 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Home
organizationalUnitName = Home
commonName = Home_Server
emailAddress = home@home.com
X509v3 extensions:
X509v3 Subject Key Identifier:
47:AF:B4:F0:14:53:BD:49:64:09:5E:E5:8E:1E:45:63:82:B3:5E:7E
X509v3 Authority Key Identifier:
keyid:47:AF:B4:F0:14:53:BD:49:64:09:5E:E5:8E:1E:45:63:82:B3:5E:7E

X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Nov 10 14:36:57 2023 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
==> 0

CA certificate is in ./demoCA/cacert.pem

 

The private key and certificate have been created:

ubuntu@ubuntu:~$ tree demoCA/
demoCA/
├── cacert.pem        → certificate
├── careq.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 198B170504789334A1DCF8D5CC5F6AB3B7D66FC6.pem
├── private
│   └── cakey.pem     → private key
└── serial

 

Since this key will be used for signing, set appropriate permissions on it:

ubuntu@ubuntu:~$ chmod 600 demoCA/private/cakey.pem
ubuntu@ubuntu:~$ chmod 700 demoCA/private/
-rw------- 1 ubuntu ubuntu 1854 Nov 10 14:17 demoCA/private/cakey.pem
drwx------ 2 ubuntu ubuntu 4096 Nov 10 14:17 private

 

 

Next, create the certificate that the server will use.
The flow is:
① generate the private key the server will use
② create a certificate signing request (CSR)
③ sign the CSR created in ② with our own CA

 

Generate the private key for the server:

ubuntu@ubuntu:~$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
....................................+++++
e is 65537 (0x010001)

 

Create a certificate signing request (CSR):

ubuntu@ubuntu:~$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) :Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
Organizational Unit Name (eg, section) :Home

Common Name (e.g. server FQDN or YOUR name) :Home_Server.com
Email Address :home@home.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password : → press Enter
An optional company name : → press Enter

 

Confirm that the private key (server.key) and the CSR (server.csr) have been created:

ubuntu@ubuntu:~$ ls s*
server.csr
server.key

 

Sign the CSR we just created with our own CA:

ubuntu@ubuntu:~$ openssl ca -out serverca.crt -infiles server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
19:8b:17:05:04:78:93:34:a1:dc:f8:d5:cc:5f:6a:b3:b7:d6:6f:c9
Validity
Not Before: Nov 19 04:36:14 2020 GMT
Not After : Nov 19 04:36:14 2021 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Home
organizationalUnitName = Home
commonName = Home_Server.com
emailAddress = home@home.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
79:66:F5:FB:67:4D:F0:CA:52:43:6D:0B:8B:18:E3:24:01:F3:65:1B
X509v3 Authority Key Identifier:
keyid:CB:44:09:AC:F6:2D:81:40:0C:52:6A:EB:02:B8:AF:A4:2D:B8:A9:5C

Certificate is to be certified until Nov 19 04:36:14 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

The server certificate has been created successfully:

ubuntu@ubuntu:~$ ls s*
serverca.crt
server.csr
server.key
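The key → CSR → sign flow above, as an added example that is not part of the original post: it runs non-interactively, has the CA add a subjectAltName (the certificate issued above carries only a CN, which clients no longer use for hostname matching), and then performs the chain and hostname verification a TLS client would. The hostname home-server.example, the CA name "Home CA" and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): private CA and server certificate
# with a subjectAltName, issued non-interactively and then verified as a TLS
# client would. home-server.example, "Home CA" and $WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="home-server.example"

# Minimal non-interactive req config carrying only a CN (the CA adds extensions)
req_cnf() { printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1"; }
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    { req_cnf "Home CA"
      printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n'
      printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
    } > "$WORK/ca.cnf"
    # Self-signed CA certificate valid 1095 days, as in the post
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -extensions v3_ca -days 1095 -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    req_cnf "$HOST" > "$WORK/server.cnf"
    openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" \
        -out "$WORK/server.csr" 2>/dev/null
    # The CA decides the extensions: end-entity, server use, and the SAN that
    # clients match the hostname against (a CN alone is not enough).
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\n' > "$WORK/server.ext"
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$HOST" >> "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Chain and hostname check as a client performs it; prints OK or FAIL
verify_for_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# RSA modulus size recorded in the issued certificate
cert_key_bits() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

make_ca
issue_server_cert
echo "$HOST: $(verify_for_host "$HOST"), $(cert_key_bits)-bit key"
```

Verification with any other hostname prints FAIL, which is exactly what a browser reports when a certificate lacks a matching SAN.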

 

Store the server certificate and private key in an appropriate location and edit the configuration files:

ubuntu@ubuntu:~$ sudo mkdir /opt/www/conf/key
ubuntu@ubuntu:~$ sudo mv serverca.crt /opt/www/conf/key/
ubuntu@ubuntu:~$ sudo mv server.key /opt/www/conf/key/

 

 

/opt/www/conf/extra/httpd-ssl.conf

SSLCertificateFile "/opt/www/conf/key/serverca.crt"

SSLCertificateKeyFile "/opt/www/conf/key/server.key"

 

/opt/www/conf/httpd.conf

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

 

Start Apache and confirm that the SSL listener on port 443 is up:

ubuntu@ubuntu:~$ sudo /opt/www/bin/apachectl start
ubuntu@ubuntu:~$ netstat -antu | grep 443
tcp6 0 0 :::443 :::* LISTEN

 
