インストール

設定ファイルの構成

PHPを使えるようにする

mod_deflate

mod_ssl

とりあえず暗号化されれば良いだけなら・・・

$ sudo yum -y install mod_ssl
$ cd /etc/http/conf.d/
$ sudo mv ssl.conf 50_ssl.conf
$ sudo /etc/init.d/httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]

以上

サーバー証明書を作る

オレオレ CA の作成

# cd /etc/pki/tls/misc/
# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...+++
............+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Bunkyo
Organization Name (eg, company) [Default Company Ltd]:Personal CA
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:kagyuu
Email Address []:kagyuu@hondou.homedns.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ※最初に打ち込んだ pass phrase を入力※
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f3:84:6d:a2:a3:b5:cd:8d
        Validity
            Not Before: Jun 30 16:14:03 2010 GMT
            Not After : Jun 29 16:14:03 2013 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Personal CA
            commonName                = kagyuu
            emailAddress              = kagyuu@hondou.homedns.org
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                4A:DB:4D:62:2D:4D:F2:58:B7:EB:02:41:C5:E6:B2:97:6D:8D:32:95
            X509v3 Authority Key Identifier: 
                keyid:4A:DB:4D:62:2D:4D:F2:58:B7:EB:02:41:C5:E6:B2:97:6D:8D:32:95

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Jun 29 16:14:03 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

証明書の発行依頼

# ./CA -newreq-nodes
Generating a 2048 bit RSA private key
.......................................+++
..................+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo 
Locality Name (eg, city) [Default City]:Bunkyo
Organization Name (eg, company) [Default Company Ltd]:AHO
Organizational Unit Name (eg, section) []:Web Admin
Common Name (eg, your name or your server's hostname) []:hondou.homedns.org
Email Address []:kagyuu@hondou.homedns.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

オレオレ CA で依頼に基づき証明書を発行

# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f3:84:6d:a2:a3:b5:cd:8e
        Validity
            Not Before: Jun 30 16:33:34 2010 GMT
            Not After : Jun 27 16:33:34 2020 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Bunkyo
            organizationName          = AHO
            organizationalUnitName    = Web Admin
            commonName                = hondou.homedns.org
            emailAddress              = kagyuu@hondou.homedns.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                93:7C:01:CD:79:F5:0F:25:91:67:CC:6A:85:A4:35:E3:E5:D5:4C:29
            X509v3 Authority Key Identifier: 
                keyid:4A:DB:4D:62:2D:4D:F2:58:B7:EB:02:41:C5:E6:B2:97:6D:8D:32:95

Certificate is to be certified until Jun 27 16:33:34 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

Apache用に鍵セットと証明書を抽出

$ cd /etc/pki/tls/misc/
$ sudo openssl rsa -in newreq.pem -out server.key 
writing RSA key
$ sudo openssl x509 -in newcert.pem -out server.crt

Apacheへの組み込み

$ sudo vi /etc/httpd/conf.d/50_ssl.conf 

   100 
   101 #   Server Certificate:
   102 # Point SSLCertificateFile at a PEM encoded certificate.  If
   103 # the certificate is encrypted, then you will be prompted for a
   104 # pass phrase.  Note that a kill -HUP will prompt again.  A new
   105 # certificate can be generated using the genkey(1) command.
   106 SSLCertificateFile /etc/pki/tls/misc/server.crt
   107 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   108 
   109 #   Server Private Key:
   110 #   If the key is not combined with the certificate, use this
   111 #   directive to point at the key file.  Keep in mind that if
   112 #   you've both a RSA and a DSA private key you can configure
   113 #   both in parallel (to also allow the use of DSA ciphers, etc.)
   114 SSLCertificateKeyFile /etc/pki/tls/misc/server.key
   115 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   116 
$ sudo /etc/init.d/httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]

DoS攻撃対策


Fedora 13 Server


添付ファイル: fileaverage.png 2628件 [詳細] filecert.png 2719件 [詳細] fileiptables.png 2818件 [詳細] filecert2.png 2805件 [詳細] filemod_deflate.png 2754件 [詳細] filehello.png 2671件 [詳細] filephpinfo.png 2637件 [詳細]

トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 単語検索 最終更新   ヘルプ   最終更新のRSS   sitemap
Last-modified: 2012-12-24 (月) 01:07:15 (4311d)
Short-URL:
ISBN10
ISBN13
9784061426061