Reference: http://www.fis.unipr.it/pub/linux/redhat/9/en/doc/RH-DOCS/rhl-cg-ko-9/s1-secureserver-certs.html
1. Generate the private key.
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
2. Generate the CSR (the first attempt below fails because the pass phrase typed was shorter than 4 characters, as the error message says; the second attempt was aborted with ^C and then rerun)
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
140719869691552:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KO
State or Province Name (full name) [Some-State]:hoengseong
Locality Name (eg, city) []:^C
root@fox:~/ssl-key# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KO
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:boxcorea
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.boxcorea.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Remove the pass phrase from server.key (so the web server does not prompt for it at startup)
# openssl rsa -in server.key -out server.key.nopasswd
Enter pass phrase for server.key:
writing RSA key
4. Generate the self-signed certificate
# openssl x509 -req -days 3650 -in server.csr -signkey server.key.nopasswd -out server.crt
Signature ok
subject=/C=KO/ST=kangwon/L=hoengseong/O=boxcorea/CN=*.boxcorea.com
Getting Private key
5. Apply it to the Apache web server
Add the following to the relevant virtual host, then restart the Apache web server.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName boxcorea.com
    DocumentRoot /documentroot
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /documentroot>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile /xxx/ssl/server.crt
    SSLCertificateKeyFile /xxx/ssl/server.key

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
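Added example, not from the original page: a POSIX shell script that performs steps 1 through 4 without the interactive prompts (2048-bit key instead of the page's 1024, the DN passed with -subj; C=KR, O=boxcorea and the page's wildcard CN are assumed values) and then checks the two things Apache needs before it will start: that the key file is not pass-phrase protected and that its modulus matches the certificate's.

```shell
#!/bin/sh
# Non-interactive version of steps 1-4 plus a key/certificate consistency check.
set -eu

# Step 1, 2 and 4: key, CSR and self-signed certificate under $1 with CN $2.
# Assumption: the key is written without a pass phrase from the start, which is
# the state step 3 on the page ends up in, so no server.key.nopasswd is needed.
gen_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    (   umask 077   # key and CSR must not be readable by other users
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=KR/O=boxcorea/CN=$cn"
        openssl x509 -req -days 3650 -in "$dir/server.csr" \
            -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# Step 3 check: both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Returns 0 when the key and certificate share an RSA modulus (the pair Apache
# will accept) and the certificate subject carries the expected CN.
check_pair() {
    dir=$1; cn=$2
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" | openssl sha256)
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl sha256)
    [ "$kmod" = "$cmod" ] || { echo "key/cert modulus mismatch" >&2; return 1; }
    subj=$(openssl x509 -noout -subject -in "$dir/server.crt")
    # OpenSSL 1.0 prints "CN=", 1.1 and later print "CN = "
    case "$subj" in
        *"CN=$cn"*|*"CN = $cn"*) return 0 ;;
        *) echo "unexpected subject: $subj" >&2; return 1 ;;
    esac
}

# Usage: sh selfsigned.sh <output-dir> <common-name>
if [ "$#" -eq 2 ]; then
    gen_selfsigned "$1" "$2"
    key_is_encrypted "$1/server.key" && { echo "key still encrypted" >&2; exit 1; }
    check_pair "$1" "$2" && echo "key and certificate in $1 are consistent"
fi
```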