本来であれば、信頼できるCAにお願いするところですが
お金を払う余裕がないのでOpenSSLを使って自己認証局、以下CAを開局します。
認証局構築ディレクトリを変更
/usr/lib/ssl/openssl.cnf の修正
[変更前]
dir = ./demoCA # Where everything is kept
[変更後]
dir = /etc/ssl/CA # Where everything is kept
/usr/lib/ssl/misc/CA.sh の修正
CAのディレクトリを定義する
[以下を追加]
CATOP=/etc/ssl/CA # 追加
CA作成スクリプトとの実行
$ sudo /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) # そのままEnter
Making CA certificate …
Generating a 1024 bit RSA private key
………………………………………………++++++
…………………..++++++
writing new private key to ‘./demoCA/private/./cakey.pem’
Enter PEM pass phrase: # CAのパスワード
Verifying – Enter PEM pass phrase: # パスワードの再入力
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:JP # 国:JP
State or Province Name (full name) [Some-State]:Kanagawa # 県:Kanagawa
Locality Name (eg, city) []:yokohama # 市:yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]: # 組織名:
Organizational Unit Name (eg, section) []: # 部署:
Common Name (e.g. server FQDN or YOUR name) []:aaa.com # FQDN:aaa.com
Email Address []:root@aaa.com # メールアドレス:root@aaa.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: #
An optional company name []: #
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: # CAのパスワード(再入力)
Check that the request matches the signature
Signature ok
Certificate Details:
:
Data Base Updated
証明書が出来たのか確認
$ ls /etc/ssl/CA
cacert.pem certs index.txt index.txt.old private
careq.pem crl index.txt.attr newcerts serial
CA証明書(cacert.pem) が出来ております。
$ ls /etc/ssl/CA/private/
cakey.pem
CA秘密鍵(cakey.pem) が出来ております。
パーミッションの変更
$ sudo chmod 700 /etc/ssl/CA/private
$ sudo chmod 400 /etc/ssl/CA/private/cakey.pem
証明書の内容確認
$ sudo openssl x509 -in /etc/ssl/CA/cacert.pem -text
有効期限は、以下のところを確認する
Validity
Not Before: Dec 14 05:04:49 2012 GMT # 開始日時
Not After : Dec 14 05:04:49 2015 GMT # 終了日時
PEMフォーマットの証明書をバイナリDERフォーマットに変換
$ sudo openssl x509 -in cacert.pem -outform DER -out cacert.der
считаю верным выбором для SEO-оптимизации.