2019-07-17 httpd
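Whenever I build an Apache test environment, I seem to end up searching for "オレオレ証明書" (self-signed certificate) every time, so I am finally writing the steps down.
Create a self-signed certificate that is valid for 10 years. The OS is CentOS and Apache httpd is the 2.x series (installed with yum).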
cd /etc/httpd/conf/
openssl genrsa -aes128 -out server.key 2048
(passphrase: testtesttest)
openssl req -new -key server.key -sha256 -out server.csr
Enter pass phrase for server.key: (testtesttest)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:(Enter)
State or Province Name (full name) []:(Enter)
Locality Name (eg, city) [Default City]:(Enter)
Organization Name (eg, company) [Default Company Ltd]:(Enter)
Organizational Unit Name (eg, section) []:(Enter)
Common Name (eg, your name or your server's hostname) []:(Enter)
Email Address []:(Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(Enter)
An optional company name []:(Enter)
openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.crt
(passphrase: testtesttest)
Edit the following lines in /etc/httpd/conf.d/ssl.conf.
SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
Disable the passphrase prompt at httpd startup.
cd /etc/httpd/conf/
mv server.key server.key.back
openssl rsa -in server.key.back -out server.key
(passphrase: testtesttest)
Start httpd.
systemctl start httpd
Access the server over HTTPS and display the certificate. The self-signed certificate, valid for 10 years, was created successfully.
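
The following is an added example, not part of the original post: it repeats the steps above non-interactively in a scratch directory and then checks the result (certificate matches the key, the passphrase-free key is not readable by group or others, validity is about 10 years). The CN `test.example.internal`, the function names and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). CN and scratch paths are constructed.
PW=pass:testtesttest   # passphrase used in the post

build() {              # $1 = scratch directory; same steps as above, non-interactive
    (
        cd "$1" || exit 1
        umask 077      # files are created without group/other access
        openssl genrsa -aes128 -passout "$PW" -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -passin "$PW" -sha256 \
            -subj "/CN=test.example.internal" -out server.csr &&
        openssl x509 -req -days 3650 -sha256 -in server.csr \
            -signkey server.key -passin "$PW" -out server.crt 2>/dev/null &&
        mv server.key server.key.back &&
        openssl rsa -in server.key.back -passin "$PW" -out server.key 2>/dev/null
    )
}

pair_matches() {       # $1 = cert, $2 = key; true if the cert carries this key's public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # Empty -passin makes an encrypted key fail instead of prompting
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

key_unencrypted() {    # true if the PEM file is not passphrase-protected
    [ -f "$1" ] && ! grep -q ENCRYPTED "$1"
}

key_private_mode() {   # true if group and others have no permissions on the file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

valid_days() {         # $1 = cert, $2 = days; true if still valid $2 days from now
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run in a throwaway directory
d=$(mktemp -d) && build "$d" && pair_matches "$d/server.crt" "$d/server.key" &&
    echo "match=yes private=$(key_private_mode "$d/server.key" && echo yes || echo no)"
rm -rf "$d"
```

On the real host the same check functions can be pointed at /etc/httpd/conf/server.crt and /etc/httpd/conf/server.key; `key_private_mode` matters there because server.key no longer has a passphrase.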