SSLサーバ証明書をインストール (1)

先日「Apache SSLを無効にする」との記事を書きました

Apache SSLを無効にする
http://www.rootlinks.net/2014/09/06/apache-sslを無効にする/

この記事中に”Cheap RapidSSL Certificateが1証明書3年で$19.99″と格安リセラーを紹介しましたが、勉強のつもりで申し込むことにしました

Cheap SSL & Web Security Solution Providers
https://cheapsslsecurity.com/

実はこのサイトは数年前に見つけていたのですが、なにせ全て英語でちょっと自信が無かったので保留にしていました
今回申し込みをしたのはRapidSSL Certificateで1証明書×3年で$19.99です
実は CertifiComodo PositiveSSLcateは1証明書×3年で$14.99なので更に格安なのですがRapidSSLが米国GeoTrust(ジオトラスト)社の1事業部のサービスなので取り敢えずこちらにしてみました

それではまず証明書を設定するサーバ側の作業を行います。今回の環境はCentOSでApache + mod_sslです

Certificate Signing Request (CSR) Generation Instructions for Apache SSL
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985

1. 秘密鍵の作成

opensslコマンドで秘密鍵を作成します

Shell

[root@host1 ~]# mkdir /etc/sslkey [root@host1 ~]# cd /etc/sslkey [root@host1 sslkey]# openssl genrsa -des3 -out ssl.key 2048 Generating RSA private key, 2048 bit long modulus ....................................+++ ....................+++ e is 65537 (0x10001) Enter pass phrase for ssl.key:password Verifying - Enter pass phrase for ssl.key:password [root@host1 sslkey]# ls ssl.key

1 2 3 4 5 6 7 8 9 10 11

[root@host1 ~]# mkdir /etc/sslkey [root@host1 ~]# cd /etc/sslkey [root@host1 sslkey]# openssl genrsa -des3 -out ssl.key 2048 Generating RSA private key, 2048 bit long modulus ....................................+++ ....................+++ e is 65537 (0x10001) Enter pass phrase for ssl.key:password Verifying - Enter pass phrase for ssl.key:password [root@host1 sslkey]# ls ssl.key

2. CSRの作成

CSR(Certificate Signing Request:証明書署名要求)を作成します
注意点としては下記の記述があります

NOTE: Please do not enter an email address, challenge password or an optional company name when generating the CSR.
CSR作成時にE-mailアドレス、チャレンジパスワード、オプションの会社名を入力しないで下さい

Shell

[root@host1 sslkey]# openssl req -new -key ssl.key -out ssl.csr Enter pass phrase for ssl.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Saitama Locality Name (eg, city) [Newbury]:Kazo Organization Name (eg, company) [My Company Ltd]:RootLinks Co., Ltd. Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.rootlinks.net Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@host1 ssl]# ls ssl.csr ssl.key

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

[root@host1 sslkey]# openssl req -new -key ssl.key -out ssl.csr Enter pass phrase for ssl.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Saitama Locality Name (eg, city) [Newbury]:Kazo Organization Name (eg, company) [My Company Ltd]:RootLinks Co., Ltd. Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.rootlinks.net Email Address []:   Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@host1 ssl]# ls ssl.csr  ssl.key

これで事前準備ができました