
Trying out client certificate authentication with Apache

mechamogera edited this page Feb 17, 2014 · 29 revisions

Environment

  • Amazon Linux AMI 2012.09 64bit
  • httpd-2.2.23-1.25.amzn1.x86_64
  • mod_ssl-2.2.23-1.25.amzn1.x86_64
  • openssl-1.0.0j-1.43.amzn1.x86_64

Procedure

Preparation

  • Launch EC2
$ sudo yum update -y
$ sudo yum install httpd mod_ssl openssl openssl-devel -y
  • httpd configuration
$ echo "aaa" | sudo tee /var/www/html/index.html
$ sudo cp /etc/httpd/conf.d/ssl.conf{,.org}
$ sudo vi /etc/httpd/conf.d/ssl.conf
# => delete the VirtualHost section

$ sudo vi /etc/httpd/conf.d/test.conf
$ sudo cat /etc/httpd/conf.d/test.conf
<VirtualHost *:80>
  DocumentRoot /var/www/html
</VirtualHost>

$ sudo /etc/init.d/httpd start
  • Access http://[EC2 public DNS name]
  • => the aaa page is displayed

SSL configuration

  • ssl setup
$ mkdir tmp
$ cd tmp
$ openssl genrsa -out server.key 1024
$ openssl req -new -key server.key -out server.pem -sha1
$ openssl x509 -in server.pem -out server.crt -req -signkey server.key -days 365 -sha1
$ chmod 400 server.crt server.key server.pem
$ sudo cp server.crt /etc/pki/tls/certs/
$ sudo cp server.key /etc/pki/tls/private/
  • httpd configuration for SSL
$ sudo vi /etc/httpd/conf.d/test.conf
$ sudo cat /etc/httpd/conf.d/test.conf
<VirtualHost *:443>
  DocumentRoot /var/www/html

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
</VirtualHost>
$ sudo /etc/init.d/httpd restart
  • Access https://[EC2 public DNS name]
  • => if server.crt has been imported into the browser and trusted beforehand, aaa is displayed
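The self-signed server certificate above is produced by three openssl commands, and a practitioner would check two things before copying the files into SSLCertificateFile and SSLCertificateKeyFile: that the certificate and key really belong together, and what the certificate was signed with. The script below is an added example, not the wiki page's own commands; it follows the same genrsa / req / x509 sequence but uses 2048-bit RSA and SHA-256 rather than the page's 1024-bit RSA and SHA-1, answers the prompts with -subj, and works in a temporary directory instead of tmp/. The directory, CN and lifetime are constructed values.

```shell
#!/bin/sh
# Added example (not from the wiki page): self-signed server cert plus the
# checks worth running before the files go into the httpd config.
# 2048-bit RSA / SHA-256 are this example's choice; the page uses 1024 / SHA-1.
set -eu

# make_server_cert DIR CN DAYS: writes DIR/server.key, DIR/server.csr, DIR/server.crt
make_server_cert() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj answers the interactive prompts the page fills in by hand
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -sha256 \
        -subj "/C=JP/ST=Tokyo/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -sha256 -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/server.key" "$dir/server.csr" "$dir/server.crt"
}

# cert_matches_key CRT KEY: succeeds only if CRT carries the public half of KEY.
# A mismatched pair is the classic reason httpd refuses to start after a key rotation.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# sig_algorithm CRT: prints the signature algorithm (e.g. sha256WithRSAEncryption),
# so a SHA-1-signed certificate is noticed before a browser rejects it.
sig_algorithm() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_cn CRT: prints the subject CN, which must equal the host name clients connect to.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage with constructed values: the page's www.example.com CN in a temp directory.
work=$(mktemp -d)
make_server_cert "$work/tmp" www.example.com 365
cert_matches_key "$work/tmp/server.crt" "$work/tmp/server.key" && echo "server.crt matches server.key"
echo "signature algorithm: $(sig_algorithm "$work/tmp/server.crt")"
echo "CN: $(cert_cn "$work/tmp/server.crt")"
```

The modulus comparison is the same check mod_ssl performs at startup ("certificate and private key ... do not match"), done ahead of time so a bad pair never reaches a restart.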

Client authentication configuration

  • Create a private CA certificate
$ sudo mkdir -p /etc/pki/example/newcerts
$ cd /etc/pki/example/
$ echo "01" | sudo tee serial
$ sudo touch index.txt
$ sudo cp /etc/pki/tls/openssl.cnf openssl_ca.cnf
$ sudo vi openssl_ca.cnf
# => set dir = /etc/pki/example
$ sudo openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3560 -config openssl_ca.cnf
# => set the password to: password

# => enter something like the following
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:
  • Prepare the files for the client certificate
$ sudo mkdir Client
$ cd Client/
$ sudo openssl genrsa -out client.key 1024
$ sudo openssl req -new -key client.key -out client.csr -sha1

Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:

$ sudo cp ../openssl_ca.cnf .
$ sudo vi openssl_ca.cnf
# => set dir = /etc/pki/example
# => set private_key     = $dir/cakey.pem
# => set nsCertType = client, email
$ sudo openssl ca -config openssl_ca.cnf -out client.crt -infiles client.csr
$ sudo openssl pkcs12 -export -in client.crt -inkey client.key -certfile ../cacert.pem -name www.example.com -caname www.example.com -out pom.p12
  • httpd configuration for client authentication
$ sudo vi /etc/httpd/conf.d/test.conf
$ sudo cat /etc/httpd/conf.d/test.conf
<VirtualHost *:443>
  DocumentRoot /var/www/html

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key

  SSLCACertificatePath /etc/pki/example
  SSLCACertificateFile /etc/pki/example/cacert.pem
  SSLVerifyClient require
</VirtualHost>
$ sudo /etc/init.d/httpd restart
  • Access https://[EC2 public DNS name]
  • => if pom.p12 has been imported into the browser beforehand, aaa is displayed

Preparing the client certificate files (simplified version)

  • Server setup
$ mkdir tmp
$ cd tmp
$ openssl genrsa -out client.key 1024
$ openssl req -new -key client.key -out client.pem -sha1
$ openssl x509 -in client.pem -out client.crt -req -signkey client.key -days 365 -sha1
$ chmod 400 client.crt
$ sudo mkdir /cert
$ sudo cp client.crt /cert
$ openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12

$ sudo vi /etc/httpd/conf.d/test.conf
$ sudo cat /etc/httpd/conf.d/test.conf
<VirtualHost *:443>
  DocumentRoot /var/www/html

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key

  SSLCACertificateFile /cert/client.crt
  SSLVerifyClient require
</VirtualHost>
$ sudo /etc/init.d/httpd restart
  • Access https://[EC2 public DNS name]
  • => if client.p12 has been imported into the browser beforehand, aaa is displayed

Client certificate renewal procedure

Revoke the previous client certificate

  • Certificate revocation
$ cd /etc/pki/example/Client/

# client.crt is the one created last time
$ sudo openssl ca -config openssl_ca.cnf -revoke client.crt

# crlnumber is created only the first time
$ echo "00" | sudo tee -a /etc/pki/example/crlnumber

$ sudo openssl ca -config openssl_ca.cnf -gencrl -out crl`date '+%Y%m%d'`.pem

Create a new client certificate

  • Create the new client certificate
$ sudo openssl req -new -key client.key -out client`date '+%Y%m%d'`.csr -sha1
$ sudo openssl ca -config openssl_ca.cnf -out client`date '+%Y%m%d'`.crt -infiles client`date '+%Y%m%d'`.csr
$ sudo openssl pkcs12 -export -in client`date '+%Y%m%d'`.crt -inkey client.key -certfile ../cacert.pem -out pom`date '+%Y%m%d'`.p12
  • Reload httpd
$ sudo /etc/init.d/httpd reload
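The private-CA workflow of the "Client authentication configuration" section and the revoke / CRL / re-issue steps of this renewal section are the same openssl ca state machine (serial, index.txt, crlnumber). The script below is an added example, not the wiki's own commands: it builds a throwaway CA with a minimal config written inline instead of editing a copy of /etc/pki/tls/openssl.cnf, issues a client certificate and its PKCS#12 bundle, revokes it, publishes a CRL, issues a replacement for the same subject, and checks each state with openssl verify -crl_check, which is the decision mod_ssl makes for SSLVerifyClient require. The directory, subject names, 2048-bit / SHA-256 parameters and the PKCS#12 password are constructed for the example. One caveat the page leaves implicit: httpd only consults the CRL when the VirtualHost also points at it with SSLCARevocationFile (or SSLCARevocationPath); with the configuration shown above, a reload alone does not make the server reject the revoked certificate.

```shell
#!/bin/sh
# Added example (not from the wiki page): private CA -> issue -> revoke -> CRL ->
# re-issue, with each state verified the way mod_ssl would decide it.
# Paths, names, key sizes and the PKCS#12 password are constructed values.
set -eu

# write_ca_config DIR: minimal config for `openssl ca` and `openssl req` (replaces
# the page's edited copy of openssl.cnf; nsCertType = client, email as on the page)
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_client
x509_extensions  = client_cert
[ policy_client ]
countryName         = optional
stateOrProvinceName = optional
commonName          = supplied
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType       = client, email
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# init_ca DIR: the page's serial / index.txt / cacert.pem setup plus an initial empty CRL
init_ca() {
    mkdir -p "$1/newcerts"
    echo "01" > "$1/serial"
    echo "01" > "$1/crlnumber"
    : > "$1/index.txt"
    write_ca_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -subj "/C=JP/ST=Tokyo/CN=example-ca" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# issue_client_cert DIR NAME CN: key + CSR + CA-signed cert + PKCS#12 bundle for the browser
issue_client_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" -sha256 \
        -config "$dir/ca.cnf" -subj "/C=JP/ST=Tokyo/CN=$cn" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/cacert.pem" -name "$cn" -passout pass:changeit -out "$dir/$name.p12"
}

# revoke_and_publish_crl DIR CRT: mark CRT as revoked in index.txt, then regenerate crl.pem
revoke_and_publish_crl() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# client_cert_is_valid DIR CRT: accepted only if CRT chains to cacert.pem and is not on
# the current CRL. Output is grepped because `openssl verify` before 1.1 exits 0 on failure.
client_cert_is_valid() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl.pem" "$2" 2>&1 \
        | grep -q ': OK$'
}

# Usage in a throwaway directory: issue, revoke, then re-issue for the same subject.
ca=$(mktemp -d)/ca
init_ca "$ca"
issue_client_cert "$ca" client client1
client_cert_is_valid "$ca" "$ca/client.crt" && echo "client.crt accepted"
revoke_and_publish_crl "$ca" "$ca/client.crt"
client_cert_is_valid "$ca" "$ca/client.crt" || echo "client.crt rejected after revocation"
issue_client_cert "$ca" client2 client1
client_cert_is_valid "$ca" "$ca/client2.crt" && echo "client2.crt accepted"
```

Re-issuing for the same CN works without `unique_subject = no` because openssl ca only refuses duplicates among entries still marked V (valid) in index.txt; the revoked row is marked R, which is also how the renewal on the page gets away with reusing client.key and the same subject.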

Reference sites
