How to become your own certificate authority and issue your own SSL certificates

Posted at 2018-01-29

This post explains how to issue your own SSL certificate so that, when you open https://localhost in Chrome, the address bar shows a proper green (secure) indicator like in the image below.

[Screenshot: Monosnap 2018-01-29 17-23-10.png, Chrome showing https://localhost with a green secure indicator]

Become your own certificate authority

Create the CA's private key

openssl genrsa -des3 -out myCA.key 2048

Generating RSA private key, 2048 bit long modulus
.+++
.......................+++
e is 65537 (0x10001)

Enter pass phrase for myCA.key: test

Verifying - Enter pass phrase for myCA.key: test

Create the CA's certificate

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:Minato-ku
Organization Name (eg, company) []:Localhost, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Localhost
Email Address []:noreply@localhost

Make your Mac trust the CA's certificate

OSX: Trusting a self-signed SSL certificate for a development environment in Chrome and Safari - Qiita

Follow the page above for myCA.pem.

Get your own certificate

Create the certificate's private key

openssl genrsa -out localhost.key 2048

Create a certificate signing request

openssl req -new -key localhost.key -out localhost.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:Minato-ku
Organization Name (eg, company) []:Localhost, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Localhost
Email Address []:noreply@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Create a file named localhost.ext and write the host name in it:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Issue the certificate as your own CA

openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out localhost.crt -days 1825 -sha256 -extfile localhost.ext
Signature ok
subject=/C=JP/ST=Tokyo/L=Minato-ku/O=Localhost, Inc./CN=Localhost/emailAddress=noreply@localhost
Getting CA Private Key

Enter pass phrase for myCA.key: test

Configure SSL in Apache

Check where the certificates are expected to live

grep SSL /etc/httpd/conf.d/ssl.conf | grep File
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Put the certificate and key files in place

cp localhost.crt /etc/pki/tls/certs/localhost.crt
cp localhost.key /etc/pki/tls/private/localhost.key
cp myCA.pem /etc/pki/tls/certs/ca-bundle.crt

Then restart Apache and you're done.
