Configuring SSL certificates in Apache 2.4

I got slightly stuck configuring an SSL certificate on Apache 2.4 (strictly speaking, 2.4.8 or later), so here is a note.
Caution: the stock Apache on CentOS 7 is 2.4.6, so for it the Apache 2.2 configuration described here is the one that applies.

Conclusion

Straight to the conclusion.
In Apache 2.4 the SSLCertificateChainFile directive that specified the intermediate CA certificate is gone.
So in Apache 2.4 you bundle the server certificate, the intermediate CA certificate and the cross-root certificate into a single file, and point the SSLCertificateFile directive, which specifies the server certificate, at that file.

Reference: http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

Certificate layout in Apache 2.2

  • SSLCertificateKeyFile - private key
  • SSLCertificateFile - server certificate
  • SSLCertificateChainFile - top: intermediate CA certificate, bottom: cross-root certificate

Certificate layout in Apache 2.4

  • SSLCertificateKeyFile - private key
  • SSLCertificateFile - top: server certificate, middle: intermediate CA certificate, bottom: cross-root certificate
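
Building that single-file SSLCertificateFile in the order just listed, as an added Python example that is not from the original article; the three PEM strings are constructed placeholders (not real certificates), and `split_pem` / `build_bundle` are assumed helper names. It also repairs the common case where `cat` fuses two blocks because a source file has no final newline, and refuses a private key pasted in by mistake.

```python
import re

# One PEM block of any label. DOTALL lets the body span lines; the lazy body
# match plus surrounding \s* tolerates blocks fused together by `cat` when a
# source file had no final newline.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_pem(text):
    """Return [(label, block)] for every PEM block in text, each block
    re-emitted on its own lines with a trailing newline."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = "\n".join(l.strip() for l in m.group(2).splitlines() if l.strip())
        blocks.append((label, "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)))
    return blocks

def build_bundle(server_pem, intermediate_pem, cross_root_pem):
    """Assemble the Apache 2.4 SSLCertificateFile contents in the order the
    article gives: server certificate, then intermediate CA, then cross-root.
    Each input must hold exactly one CERTIFICATE block; a private key pasted
    in by mistake is rejected rather than written into the certificate file."""
    out = []
    for name, pem in (("server", server_pem), ("intermediate", intermediate_pem),
                      ("cross-root", cross_root_pem)):
        blocks = split_pem(pem)
        if len(blocks) != 1:
            raise ValueError("%s: expected one PEM block, found %d" % (name, len(blocks)))
        label, block = blocks[0]
        if label != "CERTIFICATE":
            raise ValueError("%s: expected CERTIFICATE, found %s" % (name, label))
        out.append(block)
    return "".join(out)

# Constructed stand-ins for the three files; the bodies are placeholder base64,
# not real certificates. server.crt deliberately lacks a final newline, the
# case where a plain `cat server.crt chain.crt` fuses two blocks together.
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----"
INTERMEDIATE_CRT = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
CROSS_ROOT_CRT = "-----BEGIN CERTIFICATE-----\nQ1JPU1NST09U\n-----END CERTIFICATE-----\n"

BUNDLE = build_bundle(SERVER_CRT, INTERMEDIATE_CRT, CROSS_ROOT_CRT)

if __name__ == "__main__":
    print(BUNDLE)  # write this out as conf/ssl/server.crt for the 2.4 layout
```

After writing the bundle, `openssl crl2pkcs7 -nocrl -certfile conf/ssl/server.crt | openssl pkcs7 -print_certs -noout` prints the subject and issuer of each block in file order, so you can confirm each issuer matches the subject of the block below it.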

SSL configuration

With the above in mind, a note on the SSL configuration I usually use.

Configuration for Apache 2.2

SSL configuration for Apache 2.2 (up to 2.4.7).

ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    SSLCertificateChainFile conf/ssl/chain.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_access_log ltsv_ssl
</VirtualHost>

Configuration for Apache 2.4

And this is the SSL configuration for Apache 2.4 (2.4.8 and later).
SSLCertificateChainFile is not needed.

ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_access_log ltsv_ssl
</VirtualHost>
