Creating the key and CSR
Creating random data and the key
$ openssl sha1 /usr/bin/* > rand.dat
$ openssl genrsa -rand rand.dat -des3 2048 > key.pem.2015
67002 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
...................+++
........+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
Enter a passphrase for the key.
Creating the CSR
# openssl req -new -key key.pem.2015 -out csr.pem.2015
Enter pass phrase for key.pem.2015: ← the passphrase entered earlier
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya-ku
Organization Name (eg, company) [Default Company Ltd]:XXX ltd
Organizational Unit Name (eg, section) []:Development Department
Common Name (eg, your name or your server's hostname) []:www.test.com ← enter this accurately
Email Address []:admin@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXX
An optional company name []:
Record the key and CSR, then obtain the certificate
$ cat key.pem.2015
$ cat csr.pem.2015
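Purchase the certificate from an SSL certificate vendor. Only the CSR is submitted to the vendor; the private key is not sent.
Removing the passphrase from the key
When the certificate is configured in Apache or a similar server, the server asks for the SSL passphrase at startup, so configure a copy of the key with the passphrase removed.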
$ openssl rsa -in ./key.pem.2015 -out ./no-pass-key.pem.2015
Enter pass phrase for ./key.pem.2015:
writing RSA key
Then configure this on the server.
Also obtain the intermediate certificates and related files from the vendor.
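
Added example (not part of the original page): a check that the key and CSR carry the same public key, run before the CSR goes to the vendor and again on the passphrase-free copy, which is written with owner-only permissions. The script builds a throwaway key and CSR in a temporary directory; the file names, the passphrase sample-pass and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Paths, subject and passphrase are constructed sample values.

# SHA-256 over the public key derived from a private key file.
key_pub_hash() {  # $1 = key file, $2 = passphrase source such as pass:...
    openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null | openssl sha256
}

# SHA-256 over the public key embedded in a CSR.
csr_pub_hash() {  # $1 = CSR file
    openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl sha256
}

# Succeeds only if the CSR's self-signature verifies and the CSR carries
# the same public key as the private key file.
check_pair() {  # $1 = key file, $2 = passphrase source, $3 = CSR file
    openssl req -in "$3" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(key_pub_hash "$1" "$2")" = "$(csr_pub_hash "$3")" ]
}

# Writes the passphrase-free copy so that only the owner can read it.
strip_passphrase() {  # $1 = encrypted key, $2 = passphrase source, $3 = output
    ( umask 077 && openssl rsa -in "$1" -passin "$2" -out "$3" 2>/dev/null )
}

# Builds a throwaway key and CSR non-interactively in directory $1.
# -aes256 is used here in place of the page's -des3.
make_sample() {
    openssl genrsa -aes256 -passout pass:sample-pass -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -passin pass:sample-pass \
        -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=XXX ltd/CN=www.test.com" \
        -out "$1/csr.pem" 2>/dev/null
}

work=$(mktemp -d)
make_sample "$work"
strip_passphrase "$work/key.pem" pass:sample-pass "$work/no-pass-key.pem"
check_pair "$work/key.pem" pass:sample-pass "$work/csr.pem" && echo "key matches CSR"
# The passphrase source is ignored for an unencrypted key.
check_pair "$work/no-pass-key.pem" pass:unused "$work/csr.pem" && echo "stripped key matches CSR"
ls -l "$work/no-pass-key.pem"
```

The same hash comparison works for the issued certificate by feeding the output of openssl x509 -in <certificate> -noout -pubkey to openssl sha256.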