Apache
SSL
HTTPS

How to become your own CA and issue your own SSL certificates

How to issue your own SSL certificate so that opening https://localhost in Chrome shows a proper green padlock, as in the following image.

(Screenshot: Monosnap 2018-01-29 17-23-10.png)

Becoming your own CA

Create the private key for your own CA

openssl genrsa -des3 -out myCA.key 2048

Generating RSA private key, 2048 bit long modulus
.+++
.......................+++
e is 65537 (0x10001)

Enter pass phrase for myCA.key: test

Verifying - Enter pass phrase for myCA.key: test

Create the certificate for your own CA

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:Minato-ku
Organization Name (eg, company) []:Localhost, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Localhost
Email Address []:noreply@localhost

Make your Mac trust your own CA's certificate

OSX: Trusting a self-signed SSL certificate for a development environment in Chrome and Safari - Qiita

Apply the steps on the page above to myCA.pem.

Obtaining your own certificate

Create the private key for your own certificate

openssl genrsa -out localhost.key 2048

Create your own certificate signing request

openssl req -new -key localhost.key -out localhost.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:Minato-ku
Organization Name (eg, company) []:Localhost, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Localhost
Email Address []:noreply@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Create a file named localhost.ext and write the host name in it

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Issue your own certificate, acting as your own CA

openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out localhost.crt -days 1825 -sha256 -extfile localhost.ext
Signature ok
subject=/C=JP/ST=Tokyo/L=Minato-ku/O=Localhost, Inc./CN=Localhost/emailAddress=noreply@localhost
Getting CA Private Key

Enter pass phrase for myCA.key: test
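The whole procedure above, from CA key to signed localhost certificate, as a single non-interactive script that also verifies the result. This is an added example, not the article's own commands: it assumes openssl is on PATH, creates the CA key without the -des3 passphrase the article uses so it can run unattended, uses -subj instead of the interactive prompts, and adds IP.1 = 127.0.0.1 to the SAN list beyond the article's DNS.1 entry.

```shell
#!/bin/sh
# Added example, not from the original article: the CA + leaf certificate
# procedure above run non-interactively, followed by verification.
# Assumptions: openssl is on PATH; the CA key is created without the -des3
# passphrase the article uses, so the script can run unattended.
set -eu

# make_localhost_cert DIR: creates myCA.key/myCA.pem (the private CA) and
# localhost.key/localhost.crt (the leaf) in DIR. Returns 0 only when the leaf
# validates against the CA and carries DNS:localhost in subjectAltName.
make_localhost_cert() {
  dir=$1
  mkdir -p "$dir" && cd "$dir" || return 1

  # 1. CA private key and self-signed CA certificate (1825 days, as in the article).
  openssl genrsa -out myCA.key 2048 2>/dev/null || return 1
  openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 \
    -subj "/C=JP/ST=Tokyo/L=Minato-ku/O=Localhost, Inc./CN=Localhost CA" \
    -out myCA.pem 2>/dev/null || return 1

  # 2. Leaf private key and certificate signing request.
  openssl genrsa -out localhost.key 2048 2>/dev/null || return 1
  openssl req -new -key localhost.key \
    -subj "/C=JP/ST=Tokyo/L=Minato-ku/O=Localhost, Inc./CN=localhost" \
    -out localhost.csr 2>/dev/null || return 1

  # 3. Extension file: end-entity (not a CA) and the hostname in subjectAltName,
  #    which is what Chrome checks; CN alone is not enough. IP.1 is an addition.
  cat > localhost.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

  # 4. Sign the CSR with the CA, applying the extensions from the file.
  openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key \
    -CAcreateserial -out localhost.crt -days 1825 -sha256 \
    -extfile localhost.ext 2>/dev/null || return 1

  # 5. Verify the chain and confirm the SAN actually landed in the certificate.
  openssl verify -CAfile myCA.pem localhost.crt >/dev/null || return 1
  openssl x509 -in localhost.crt -noout -text | grep -q 'DNS:localhost'
}
```

When deploying as in the Apache section below, note that /etc/pki/tls/certs/ca-bundle.crt is the system CA bundle on RHEL-family hosts, so pointing SSLCACertificateFile at a separate copy of myCA.pem instead of overwriting that file keeps other TLS clients on the machine working.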

Configuring SSL in Apache

Check where the certificates go

grep SSL /etc/httpd/conf.d/ssl.conf | grep File
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Put the certificate and key in place

cp localhost.crt /etc/pki/tls/certs/localhost.crt
cp localhost.key /etc/pki/tls/private/localhost.key
cp myCA.pem /etc/pki/tls/certs/ca-bundle.crt

Then restart Apache and you are done.