ローカルオレオレ証明書

環境

  • Homebrew 1.1.7
  • Server version: Apache/2. 4.25 (Unix)
  • OpenSSL 1.0.2j 26 Sep 2016

Opensslの環境設定

[code lang=bash]
$ openssl version
$ brew update
$ brew list | grep openssl
$ brew info openssl
$ brew upgrade openssl
[/code]

OpenSSL のPATHを通す

[code lang=bash]
# OpenSSL
export PATH=/usr/local/Cellar/openssl/1.0.2j/bin:$PATH
[/code]

[code lang=bash]
$ source ~/.zshrc
[/code]

秘密鍵の作成

[code lang=bash]
$ openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
…………………………………………………………………..+++
……………….+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying – Enter pass phrase for server.key:
[/code]

.csr (証明書情報) の作成

[code lang=bash]
$ openssl req -new -key server.key -sha256 -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Saitama
Locality Name (eg, city) []:Tokorozawa-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Localhost Inc.
Organizational Unit Name (eg, section) []:Localhost Section
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[/code]

公開鍵の作成

[code lang=bash]
$ openssl x509 -in server.csr -days 365 -req -signkey server.key -sha256 -out server.crt
Signature ok
subject=/C=JP/ST=Saitama/L=Tokorozawa-shi/O=Localhost Inc./OU=Localhost Section/CN=localhost
Getting Private key
Enter pass phrase for server.key:
[/code]

鍵の配置

[code lang=bash]
$ mv ./server.key /usr/local/etc/apache2/2.4/
$ mv ./server.crt /usr/local/etc/apache2/2.4/
[/code]

httpd.conf の設定

httpd-ssl.conf を読み込むようにする。

[code lang=text]
# Secure (SSL/TLS) connections
Include /usr/local/etc/apache2/2.4/extra/httpd-ssl.conf
[/code]

mod_ssl.so, mod_socache_shmcb.so をコメントアウトし、有効化。

[code lang=text]
LoadModule ssl_module libexec/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
[/code]

httpd-ssl.conf の設定

SSL Virtual Host の設定
[text]
<VirtualHost _default_:8443>
# General setup for the virtual host
DocumentRoot "/Users/{User}/Dropbox/Sites"
ServerName example.local:8443
ServerAdmin example@gmail.com
ErrorLog "/usr/local/var/log/apache2/error_log"
TransferLog "/usr/local/var/log/apache2/access_log"

// コメントアウト
SSLCertificateFile "/usr/local/etc/apache2/2.4/server.crt"

// コメントアウト
SSLCertificateKeyFile "/usr/local/etc/apache2/2.4/server.key"
[/text]

反映確認

[code lang=bash]
$ sudo httpd -k restart
httpd not running, trying to start
Apache/2.4.25 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Private key wi.local:8443:0 (/usr/local/etc/apache2/2.4/server.key)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[/code]

https://{domain}:8443 へアクセスして確認。