[server] オレオレ証明書の登録方法メモ  #CentOS7.0 + Nginx + mod-ssl 編

2015年9月10日

Tips サーバー テクノロジー

基本モジュールインストール

#nginxのrepoを登録 $ vi /etc/yum.repos.d/nginx.repo # nginx.repoの内容を記述して保存 [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=1 #nginxのインストール $ yum --enablerepo=nginx install nginx #nginxの起動 $ systemctl start nginx.service

鍵と証明書の作成

秘密鍵の作成

$ openssl genrsa -aes128 1024 > server.key Generating RSA private key, 1024 bit long modulus .......++++++ .......................++++++ e is 65537 (0x10001) Enter pass phrase: ***** Verifying - Enter pass phrase: ***** Verify failure User interface error 139960119879584:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382:

秘密鍵のパスワードを削除

$ openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key

公開鍵の作成

$ openssl req -new -key server.key > server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: *** string is too long, it needs to be less than 2 bytes long Country Name (2 letter code) [XX]:*** State or Province Name (full name) []:*** Locality Name (eg, city) [Default City]:*** Organization Name (eg, company) [Default Company Ltd]:*** Organizational Unit Name (eg, section) []:*** Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:*** An optional company name []:

証明書の作成

$ openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt Signature ok subject=/C=***/ST=***/L=***/O=***/OU=*** Getting Private key Enter pass phrase for server.key: <font color="red">***</font>

証明書を定位置に移動

$ mv server.* /etc/ssl/certs/

nginxの設定

# /etc/nginx/conf.d/ssl.conf の編集 server { listen 443 ssl; server_name _; ssl on; ssl_certificate /etc/pki/tls/certs/server.crt; ssl_certificate_key /etc/pki/tls/certs/server.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root /usr/share/nginx/html; index index.html index.htm; } }

nginxの再起動

$ systemctl restart nginx.service

このブログを検索

ごあいさつ

このWebサイトは、独自思考で我が道を行くユゲタの少し尖った思考のTechブログです。 毎日興味がどんどん切り替わるので、テーマはマルチになっています。 もしかしたらアイデアに困っている人の助けになるかもしれません。