
Generate an RSA private key

$ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++++
..........+++++
e is 65537 (0x10001)

Generate the RSA public key from the RSA private key

$ openssl rsa -in private.key -pubout -out public.key
writing RSA key

Generate a CSR (certificate signing request)

$ openssl req -new -key private.key -out private.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:_
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bluexmas
Organizational Unit Name (eg, section) []:root CA
Common Name (e.g. server FQDN or YOUR name) []:test.iptime.org
Email Address []:test@test.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:test

Creating the CRT (certificate)

Generate the private key for the CA (an RSA key, encrypted with AES-256 under a pass phrase)

$ openssl genrsa -aes256 -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++++
....................+++++
e is 65537 (0x10001)
Enter pass phrase for rootCA.key:test
Verifying - Enter pass phrase for rootCA.key:test

Generate rootCA.pem (the self-signed root CA certificate) from rootCA.key

$ openssl req -x509 -new -nodes -key rootCA.key -days 2650 -out rootCA.pem
Enter pass phrase for rootCA.key:test
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:_
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bluexmas
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test
Email Address []:test

Generate the CRT certificate the web server needs to serve HTTPS (the CSR signed by the root CA)

$ openssl x509 -req -in private.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out private.crt -days 3650
Signature ok
subject=/C=KR/ST=_/L=Seoul/O=bluexmas/OU=root CA/CN=lastxmas.iptime.org/emailAddress=test@test.com
Getting CA Private Key
Enter pass phrase for rootCA.key:test
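The same procedure as an added shell example (not from the original post), run non-interactively with `-subj` and `-passin`/`-passout` instead of the prompts. It also fixes a gap in the `openssl x509 -req` step above: with no `-extfile`, the signed certificate carries no extensions at all, so it has no subjectAltName and browsers that ignore the CN will reject it. The directory, hostname and pass phrase are constructed demo values, and the function ends with the checks a practitioner would run before copying the files into `conf/`.

```shell
# Added example (not from the original post): the page's procedure run
# non-interactively, with a SAN added at signing time and post-checks.
# The directory, hostname and pass phrase are constructed demo values.
make_and_verify_chain() (
    set -e
    dir=$1; host=$2; pass=$3
    mkdir -p "$dir" && cd "$dir"

    # 1. Server key and CSR: -subj replaces the interactive DN prompts.
    openssl genrsa -out private.key 2048 2>/dev/null
    openssl req -new -key private.key -out private.csr \
        -subj "/C=KR/L=Seoul/O=bluexmas/CN=$host" 2>/dev/null

    # 2. Pass-phrase-protected root CA key and self-signed root certificate.
    openssl genrsa -aes256 -passout "pass:$pass" -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin "pass:$pass" -days 2650 \
        -subj "/C=KR/O=bluexmas/CN=test root CA" -out rootCA.pem 2>/dev/null

    # 3. Sign the CSR. Without -extfile the certificate has no extensions,
    #    so browsers that require a subjectAltName would reject it.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > san.ext
    openssl x509 -req -sha256 -in private.csr -CA rootCA.pem -CAkey rootCA.key \
        -passin "pass:$pass" -CAcreateserial -extfile san.ext \
        -out private.crt -days 3650 2>/dev/null

    # 4. Checks before deploying: chains to the root, carries the SAN,
    #    and the private key actually matches the certificate.
    openssl verify -CAfile rootCA.pem private.crt >/dev/null
    openssl x509 -in private.crt -noout -text | grep -q "DNS:$host"
    [ "$(openssl pkey -in private.key -pubout 2>/dev/null)" = \
      "$(openssl x509 -in private.crt -noout -pubkey)" ]
)
```

The function returns non-zero if any step or check fails, so it can be dropped into a provisioning script as a gate before the files are installed under `Apache24/conf`.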

C:\usr\local\Apache24\conf\httpd.conf

# The three LoadModule lines sit above the Include in httpd.conf and must be
# uncommented first: httpd-ssl.conf uses mod_ssl directives, and the shmcb
# session cache configured there needs mod_socache_shmcb.
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf

C:\usr\local\Apache24\conf\httpd-ssl.conf

#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:c:/Apache24/logs/ssl_scache"
SSLSessionCache        "shmcb:C:/usr/local/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

##
## SSL Virtual Host Context
##

<virtualhost _default_:443="">

#   General setup for the virtual host
# DocumentRoot "C:/usr/local/Apache24/htdocs"
DocumentRoot "C:/usr/local/Apache24/public_html"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "C:/usr/local/Apache24/logs/error.log"
TransferLog "C:/usr/local/Apache24/logs/access.log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "C:/usr/local/Apache24/conf/private.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "C:/usr/local/Apache24/conf/private.key"

</VirtualHost>