Squid Reverse Proxy with Domain Based Virtual Hosting for HTTPS
2. Creating the public key certificate for Squid (Reverse Proxy)
[root@CentOS4 ~]# openssl genrsa -out ./server.key 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
...............................................................................+++
e is 65537 (0x10001)
[root@CentOS4 ~]#
Generate the private key. Encrypting it with des3 would give it extra protection, but then you are prompted for the passphrase at every turn, which is tedious, so we do without it this time.
This produces the private key (/root/server.key).
[root@CentOS4 ~]# openssl req -new -key ./server.key -out ./server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Yamagata
Locality Name (eg, city) [Newbury]:Yamagata-shi
Organization Name (eg, company) [My Company Ltd]:Example Corp.
Organizational Unit Name (eg, section) []: (just press Enter)
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []: (just press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (just press Enter)
An optional company name []: (just press Enter)
[root@CentOS4 ~]#
Create a certificate signing request (CSR).
This time we want a single certificate to cover first.example.com, second.example.com and third.example.com, so we created a wildcard certificate for *.example.com (we entered *.example.com as the Common Name).
Note that VeriSign (Symantec) does not accept wildcard certificates.
※ VeriSign recommends the multi-domain feature (SANs) instead.
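The wildcard versus SAN choice above comes down to which hostnames a TLS client will accept the certificate for. The following is an added example, not code from the original article: it applies the wildcard matching rule that TLS clients use (RFC 6125: a leading "*" matches exactly one DNS label, and the bare domain is not covered) to the article's three hostnames, and also goes beyond the article by handling a SAN-style list of explicit names. The certificate name lists are constructed to mirror the article's setup.

```python
# Added example (not from the original article): which hostnames does a
# certificate's name list (CN or SAN dNSName entries) cover?
# Rules applied: "*" is honoured only as the whole left-most label,
# it matches exactly one label, comparison is case-insensitive, and a
# wildcard with fewer than two labels after it ("*.com") is rejected.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a leading "*." wildcard is honoured; "f*.example.com" is rejected.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # One label only: "*.example.com" does not cover "example.com" or
    # "deep.first.example.com", and "*.com" is never accepted.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any of the certificate's names covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed to mirror the article: the wildcard certificate carries only a CN.
WILDCARD_CERT = ["*.example.com"]
# The SAN alternative the article mentions: each hostname listed explicitly.
SAN_CERT = ["first.example.com", "second.example.com", "third.example.com"]

if __name__ == "__main__":
    hosts = ["first.example.com", "second.example.com", "third.example.com",
             "example.com", "deep.first.example.com"]
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, covered_hosts(names, hosts))
```

Running it shows that the wildcard covers all three article hostnames but not example.com itself or any deeper subdomain, while the SAN certificate covers exactly the names listed.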
[root@CentOS4 ~]# openssl x509 -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -req -in ./server.csr -out ./server.pem -days 3650 -CAcreateserial
Signature ok
subject=/C=JP/ST=Yamagata/L=Yamagata-shi/O=Example Corp./CN=*.example.com
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the passphrase set when the private CA was created)
[root@CentOS4 ~]#
[root@CentOS4 ~]# cp -pv server.key /etc/pki/tls/private/
`server.key' -> `/etc/pki/tls/private/server.key'
[root@CentOS4 ~]# cp -pv server.pem /etc/pki/tls/certs/
`server.pem' -> `/etc/pki/tls/certs/server.pem'
[root@CentOS4 ~]#
Sign the certificate signing request (CSR) with the private CA to produce the public key certificate (public key).
So that Squid (Reverse Proxy) can use the server's private key (/root/server.key) and public key certificate (/root/server.pem), place (copy) them at /etc/pki/tls/private/server.key and /etc/pki/tls/certs/server.pem respectively.