Installing mod_ssl
yum -y install mod_ssl
Generating the pseudo-random data used when creating the private key
Any current OpenSSL seeds genrsa from the kernel CSPRNG on its own, and the MD5 digests of the files in /bin are predictable to anyone, so this step adds no real entropy; it is kept here as the original procedure, but it can be left out.
sudo bash
mkdir /etc/httpd/ssl
cd /bin
./openssl md5 * > /etc/httpd/ssl/rand.dat
Make a note somewhere of the passphrase you enter here. The > redirection creates private.pem with your default umask, so afterwards restrict the file to root only (mode 600):
./openssl genrsa -rand /etc/httpd/ssl/rand.dat -des3 2048 > /etc/httpd/ssl/private.pem
Enter pass phrase:
Verifying - Enter pass phrase:
./openssl req -new -key /etc/httpd/ssl/private.pem -out /etc/httpd/ssl/csr.pem
Enter pass phrase for /etc/httpd/ssl/private.pem: (enter the passphrase)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Minato-Ku
Organization Name (eg, company) [Default Company Ltd]:My company
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:FQDN   (the server's fully qualified hostname, e.g. www.example.com)
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Paste the contents of /etc/httpd/ssl/csr.pem into the CSR field on SSL Store. Only the CSR leaves the server; private.pem never does. Browsers no longer accept a certificate on the Common Name alone, so check that the certificate you get back lists the hostname in its subjectAltName as well.
Allowing access from SSL STORE
The fileauth.txt issued by SSL STORE has to be reachable at /.well-known/pki-validation/fileauth.txt. If the web server is protected by Basic authentication, open access to that path (and only that path) with the method described here, and close it again once validation is done:
thebaker.hatenablog.com
Installing the received certificate
Install the SSL server certificate as /etc/httpd/ssl/server.crt and the intermediate certificate as /etc/httpd/ssl/chain.crt.
Editing /etc/httpd/conf.d/ssl.conf
Change the following three lines (the commented-out lines are the shipped defaults). On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediate is instead appended to the file named by SSLCertificateFile, after the server certificate; older 2.4 releases such as the one in RHEL/CentOS 7 still use the directive:
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/ssl/server.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/ssl/private.pem
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/httpd/ssl/chain.crt
Check the configuration first (apachectl configtest), then stop httpd:
systemctl stop httpd
and start it again:
systemctl start httpd
You are asked for the key's passphrase; enter it. Under systemd httpd has no terminal to ask on, so with an encrypted key this start usually fails; that is why the passphrase is removed from the key at the end of this page.
Errors
If Firefox shows the following error, wait 30 minutes. The CA's OCSP responder has simply not published a status for the freshly issued certificate yet; nothing on the server needs changing:
The OCSP server has no status for the certificate. Error code: SEC_ERROR_OCSP_UNKNOWN_CERT
www.fujissl.jp
Add the following to httpd.conf to redirect HTTP to HTTPS. Put it inside the port-80 VirtualHost; R on its own sends a temporary 302, so once everything works change it to R=301 for a permanent redirect:
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
To remove the passphrase from the key so that httpd can start unattended:
cd /etc/httpd/ssl
openssl rsa -in private.pem -out private_no_passphrase.pem
The unencrypted key must be readable by root only (mode 600), and SSLCertificateKeyFile in ssl.conf has to be changed to point at /etc/httpd/ssl/private_no_passphrase.pem; otherwise httpd keeps loading the encrypted private.pem.
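The whole procedure above (key, CSR with a subjectAltName, the certificate and chain coming back from the CA, stripping the passphrase, and the checks worth running before restarting httpd) as one added shell example. This is not code from the original post: the directory, hostname and passphrase are arguments, and a throwaway root and intermediate CA generated inside the script stand in for SSL Store so that everything runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed inputs: target
# directory, server FQDN and key passphrase. A throwaway root + intermediate
# CA created in $dir/testca stands in for SSL Store so the flow runs offline.
set -eu

# openssl req config with a subjectAltName: browsers ignore the CN by itself.
write_req_conf() {  # $1 = output file, $2 = FQDN
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = JP
ST = Tokyo
L  = Minato-Ku
O  = My company
OU = Engineering
CN = $2
[v3_req]
subjectAltName = DNS:$2
EOF
}

# Passphrase-protected 2048-bit RSA key (mode 600) and CSR. No -rand file:
# openssl seeds from the kernel CSPRNG. The passphrase travels in an
# environment variable instead of the command line so it never shows in ps.
gen_key_and_csr() {  # $1 = dir, $2 = FQDN, $3 = passphrase
    local dir=$1 fqdn=$2
    mkdir -p "$dir"
    write_req_conf "$dir/req.cnf" "$fqdn"
    ( umask 077; KEY_PASS=$3 openssl genrsa -aes256 -passout env:KEY_PASS \
          -out "$dir/private.pem" 2048 2>/dev/null )
    KEY_PASS=$3 openssl req -new -key "$dir/private.pem" -passin env:KEY_PASS \
          -config "$dir/req.cnf" -out "$dir/csr.pem"
    # the CSR must verify and carry the SAN before it goes to the CA
    openssl req -in "$dir/csr.pem" -noout -verify >/dev/null 2>&1
    openssl req -in "$dir/csr.pem" -noout -text | grep -q "DNS:$fqdn"
}

# Stand-in CA: a root signs an intermediate, the intermediate signs the CSR,
# yielding server.crt and chain.crt laid out exactly as the post expects.
issue_with_test_ca() {  # $1 = dir, $2 = FQDN
    local dir=$1 ca=$1/testca
    mkdir -p "$ca"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ca/ca.ext"
    # a real CA copies the SAN from the CSR; here it is written explicitly
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$ca/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/root.key" -out "$ca/root.csr" \
          -subj "/CN=Test Root" 2>/dev/null
    openssl x509 -req -in "$ca/root.csr" -signkey "$ca/root.key" -extfile "$ca/ca.ext" \
          -days 30 -out "$ca/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/int.key" -out "$ca/int.csr" \
          -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$ca/int.csr" -CA "$ca/root.crt" -CAkey "$ca/root.key" -CAcreateserial \
          -extfile "$ca/ca.ext" -days 30 -out "$dir/chain.crt" 2>/dev/null
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/chain.crt" -CAkey "$ca/int.key" -CAcreateserial \
          -extfile "$ca/leaf.ext" -days 30 -out "$dir/server.crt" 2>/dev/null
}

# httpd under systemd has no terminal to ask for the passphrase on, so write
# an unencrypted copy readable only by root; SSLCertificateKeyFile points here.
strip_passphrase() {  # $1 = dir, $2 = passphrase
    ( umask 077; KEY_PASS=$2 openssl rsa -in "$1/private.pem" -passin env:KEY_PASS \
          -out "$1/private_no_passphrase.pem" 2>/dev/null )
}

# Checks to run before restarting httpd: key and certificate share a modulus,
# the chain validates up to the trusted root (the system store in production),
# the certificate names the host and has not expired. Prints "ok" on success.
check_deploy() {  # $1 = dir, $2 = FQDN, $3 = root CA file to trust
    local dir=$1 fqdn=$2 root=$3 kmod cmod
    kmod=$(openssl rsa -in "$dir/private_no_passphrase.pem" -noout -modulus)
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    [ "$kmod" = "$cmod" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$root" -untrusted "$dir/chain.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "chain does not verify" >&2; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$fqdn" \
        || { echo "certificate does not cover $fqdn" >&2; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    echo ok
}

# Usage: sh ssl-setup.sh /tmp/ssl-demo www.example.com 'pass phrase'
if [ $# -eq 3 ]; then
    gen_key_and_csr "$1" "$2" "$3"
    issue_with_test_ca "$1" "$2"
    strip_passphrase "$1" "$3"
    check_deploy "$1" "$2" "$1/testca/root.crt"
fi
```

check_deploy is written against the unencrypted key because that is the file httpd ends up loading. In production drop issue_with_test_ca, copy the files SSL Store returns into place, and run openssl verify against the system trust store (leave out -CAfile) instead of the test root.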