Building a Secure Server - SSL (Installation and Key Generation)

by ADMIN posted Jan 04, 2009

Package Installation

In an apache 1.x environment, install mod_ssl as well; in an apache 2.x environment, skip the mod_ssl installation.
(apache 2.x already ships with the mod_ssl module.)


1. Package installation
openssl: http://www.openssl.org/source/
mod_ssl: http://www.modssl.org/source/

# openssl
./config ; make ; make test ; make install;

# compile mod_ssl
./configure --with-apache=../apache_1.3.37 --with-ssl=/usr/local/ssl;

Here --with-apache=../apache_1.3.37 is the apache source directory (not the install directory);
make and make install are not needed for mod_ssl itself.


apache-1.3.x environment

1. Installation

# compile apache
./configure --prefix=/usr/local/apache --enable-module=so --enable-shared=max --enable-module=rewrite --enable-module=ssl --enable-shared=rewrite --enable-shared=ssl;

# make ; make certificate ; make install

# Register apachectl as an init script: append the chkconfig header below to apachectl, copy it to /etc/rc.d/init.d/, then enable it
---------- /etc/rc.d/init.d/apachectl ----------

# chkconfig: - 92 92
# description: Apache Web Server

# the marker line is written as a shell comment so it cannot be executed
echo "# --- /etc/rc.d/init.d/apachectl_smile ---" >> /usr/local/apache/bin/apachectl;
echo "# chkconfig: - 92 92 " >> /usr/local/apache/bin/apachectl;
echo "# description: Apache Web Server" >> /usr/local/apache/bin/apachectl;

cp /usr/local/apache/bin/apachectl /etc/rc.d/init.d/apachectl_smile;

chkconfig --add apachectl_smile;
chkconfig --level 345 apachectl_smile on;
------------------------------------------------

Find the following two lines in httpd.conf:

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

and insert the following directly below them:

AddType application/x-httpd-php .php .php3 .htm .html .phtml .cgi
AddType application/x-httpd-php-source .phps

<Directory "/home/*">
        AllowOverride All
        Options +ExecCGI
        Order allow,deny
        Allow from all
</Directory>


2. Configuration

###### generate key / csr / crt ######

# generate the key
openssl genrsa -des3 1024 > /usr/local/apache/conf/localhost.key
or: openssl genrsa -des3 -out /usr/local/apache/conf/localhost.key 1024

openssl rsa -noout -text -in /usr/local/apache/conf/localhost.key

-> enter a passphrase (it is needed again when the certificate is installed)

# generate the csr
# Run the following to generate the csr from the key (the csr is what you submit to the SSL certificate authority)

openssl req -new -key /usr/local/apache/conf/localhost.key > /usr/local/apache/conf/localhost.csr
or:
openssl req -new -key localhost.key -out localhost.csr
-> enter the passphrase set on the key, then the information required to apply for the certificate

openssl req -noout -text -in localhost.csr

# keep backup copies of the key / csr

# When applying for a certificate, the SSL certificate authority may ask for the csr by e-mail

cat /usr/local/apache/conf/localhost.csr

Copy everything from the first line -----BEGIN NEW CERTIFICATE REQUEST-----
to the last line -----END NEW CERTIFICATE REQUEST----- inclusive
(your openssl may print -----BEGIN CERTIFICATE REQUEST----- / -----END CERTIFICATE REQUEST----- instead, as in the output further down; copy whichever header and footer lines appear),
paste it into Notepad and send that file to the SSL certificate authority by e-mail.

# generate the crt
openssl req -x509 -days 365 -key /usr/local/apache/conf/localhost.key -in /usr/local/apache/conf/localhost.csr > /usr/local/apache/conf/localhost.crt

# apache configuration
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info
</IfModule>

<IfDefine SSL>

<VirtualHost 100.100.100.100:443>
   DocumentRoot /home/abc/public_html
   ServerName www.abc.com
   ServerAlias abc.com
   ServerAdmin root@abc.com
   ErrorLog logs/abc.com-error_log
   TransferLog logs/abc.com-access_log
   SSLEngine on
   SSLCertificateFile /home/abc/www.abc.com.crt
   SSLCertificateKeyFile /home/abc/abc.key
   SSLCACertificateFile /home/QuickTrustSSL_Bundle.crt
<Files ~ "\.(cgi|shtml|phtml|php|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/home/abc/public_html">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


apache-2.x environment

1. Installation
./configure --prefix=/usr/local/apache --enable-modules=so --enable-mods-shared=all --enable-modules=shared --enable-ssl --enable-rewrite ;
make ;
make install ;
 
###### generate key / csr / crt ######
1) generate the key

Create a directory to keep the key files together:
mkdir /usr/local/apache/conf/ssl

Generate the key:
[root@ns /]# openssl genrsa -des3 1024 > /usr/local/apache/conf/ssl/adminplay.com.key
Generating RSA private key, 1024 bit long modulus
.........................................++++++
.....................................++++++
e is 65537 (0x10001)
Enter pass phrase:(enter a passphrase)
Verifying - Enter pass phrase:(enter the same passphrase again)



2) generate the csr

Run the following to generate the csr from the key:
[root@ns /]# openssl req -new -key /usr/local/apache/conf/ssl/adminplay.com.key > /usr/local/apache/conf/ssl/adminplay.com.csr
Enter pass phrase for /usr/local/apache/conf/ssl/adminplay.com.key:(enter the passphrase you set)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:Gyeonggi-do
Locality Name (eg, city) [Newbury]:Sujeong-gu
Organization Name (eg, company) [My Company Ltd]:Adminplay
Organizational Unit Name (eg, section) []:Adminplay
Common Name (eg, your name or your server's hostname) []:www.adminplay.com
Email Address []:dg_kim@naver.com


# When applying for a certificate, the SSL certificate authority may ask for the csr by e-mail
[root@ns /]# cat /usr/local/apache/conf/ssl/adminplay.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAktSMRQwEgYDVQQIEwtHeWVvbmdnaS1k
bzETMBEGA1UEBxMKU3VqZW9uZy1ndTESMBAGA1UEChMJQWRtaW5wbGF5MRIwEAYD
.
.
(omitted)
.
.
kB0ErApRuF/EsAUnk7favGGMM0+08AZ2lVXydLLNlK10/76Qo8WGPWZlWEL0Jkko
PzLnJv60tQ4HZvh22ewPD125XG5EZVqZWKWmBwQC132/ejti9Oh4uRVWavAFqsHK
NZk=
-----END CERTIFICATE REQUEST-----


Copy everything from the first line -----BEGIN NEW CERTIFICATE REQUEST-----
to the last line -----END NEW CERTIFICATE REQUEST----- inclusive
(here openssl printed -----BEGIN CERTIFICATE REQUEST----- / -----END CERTIFICATE REQUEST-----; copy whichever header and footer lines appear),
paste it into Notepad and send that file to the SSL certificate authority by e-mail.

#########  Registration ###################
Search for "보안서버" (secure server); a number of vendors handle SSL registration.
Register and have the certificate issued.

3) generate a temporary crt (a self-signed certificate created on the server itself, for testing)
openssl req -x509 -days 365 -key /usr/local/apache/conf/ssl/adminplay.com.key -in /usr/local/apache/conf/ssl/adminplay.com.csr > /usr/local/apache/conf/ssl/adminplay.com.crt
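The key / csr / temporary crt procedure above (both the 1.3.x and the 2.x sections) as a single non-interactive script, with the key/csr/crt consistency check a practitioner runs before installing the files. This is an added example, not the post's own commands; it assumes openssl is on PATH, uses a constructed passphrase and the Distinguished Name from the post's CSR dialog, and swaps the post's -des3/1024 for -aes256/2048.

```shell
#!/bin/sh
# Added example (not from the post): key -> csr -> self-signed crt without prompts,
# then check the three files belong together. Assumes openssl on PATH; output in $SSL_DIR.
set -e
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
NAME="www.adminplay.com"            # CN used in the post's CSR dialog
PASS="example-passphrase"           # constructed; the post types this in interactively
SUBJ="/C=KR/ST=Gyeonggi-do/L=Sujeong-gu/O=Adminplay/OU=Adminplay/CN=$NAME"

# 1) key. -aes256 replaces the post's -des3, 2048 bits replaces 1024
#    (public CAs stopped signing 1024-bit RSA keys in 2014).
gen_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$SSL_DIR/$NAME.key" 2048 2>/dev/null
    chmod 600 "$SSL_DIR/$NAME.key"   # the private key must not be world-readable
}
# 2) csr. -subj supplies the Distinguished Name the post enters by hand;
#    -verify checks the request's own signature before it is mailed to a CA.
gen_csr() {
    openssl req -new -key "$SSL_DIR/$NAME.key" -passin "pass:$PASS" \
        -subj "$SUBJ" -out "$SSL_DIR/$NAME.csr"
    openssl req -noout -verify -in "$SSL_DIR/$NAME.csr" >/dev/null 2>&1
}
# 3) temporary self-signed crt for testing, same form as the post's command
gen_crt() {
    openssl req -x509 -days 365 -key "$SSL_DIR/$NAME.key" -passin "pass:$PASS" \
        -in "$SSL_DIR/$NAME.csr" -out "$SSL_DIR/$NAME.crt"
}
# An encrypted key file says ENCRYPTED in its PEM header and rejects a wrong passphrase.
key_is_encrypted() {
    grep -q ENCRYPTED "$SSL_DIR/$NAME.key" &&
        ! openssl rsa -noout -in "$SSL_DIR/$NAME.key" -passin pass:wrong >/dev/null 2>&1
}
# key, csr and crt must carry the same RSA modulus; a mismatch is the usual
# cause of a "certificate does not match private key" error at apachectl startssl.
check_match() {
    k=$(openssl rsa  -noout -modulus -in "$SSL_DIR/$NAME.key" -passin "pass:$PASS")
    c=$(openssl req  -noout -modulus -in "$SSL_DIR/$NAME.csr")
    x=$(openssl x509 -noout -modulus -in "$SSL_DIR/$NAME.crt")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}
# CN in the issued crt: this is what browsers compare against ServerName
cert_cn() {
    openssl x509 -noout -subject -in "$SSL_DIR/$NAME.crt" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

gen_key && gen_csr && gen_crt
check_match && echo "key, csr and crt match; CN=$(cert_cn); files in $SSL_DIR"
```

Run the same modulus comparison against a CA-issued crt before pointing SSLCertificateFile at it; the check is identical for a real certificate.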


2. Running

To run apachectl startssl without being prompted for the passphrase:
change SSLPassPhraseDialog builtin to SSLPassPhraseDialog exec:/filename and put the following into filename
(the file must be executable, and since it holds the key's passphrase in clear text it should be readable by root only, e.g. chmod 700):

#!/bin/sh
echo password    # the passphrase entered when ssl starts