Creating an SSL Certificate for Apache

There are two ways to obtain an SSL certificate. One is to generate a certificate request and send it to a recognised certificate authority (CA); the other is to create our own certificate authority and use it to approve certificate requests.

For certificate operations you can use openssl from the command line, or XCA if you prefer a graphical interface.

Step by step: creating the certificate and having it signed by our own CA

1. Creating the Certificate Authority

1.1 Generating the CA private key

# openssl genrsa -des3 -out ca.key 2048

1.2 Generating the CA certificate

# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TR
State or Province Name (full name) [Some-State]:Istanbul
Locality Name (eg, city) []:Istanbul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bilgi Guvenligi AKADEMISI
Organizational Unit Name (eg, section) []:Training
Common Name (eg, YOUR name) []:www.bga.com.tr
Email Address []:info@bga.com.tr

1.3 Generating the private key for the web server
# openssl genrsa -des3 -out sunucu.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for sunucu.key:
Verifying - Enter pass phrase for sunucu.key:

2. Creating the certificate signing request (CSR) for the server

# openssl req -new -key sunucu.key -out sunucu.csr

Enter pass phrase for sunucu.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TR
State or Province Name (full name) [Some-State]:Istanbul
Locality Name (eg, city) []:Istanbul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bilgi Guvenligi AKADEMISI
Organizational Unit Name (eg, section) []:Egitim
Common Name (eg, YOUR name) []:www.bga.com.tr
Email Address []:info@bga.com.tr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@labs ~/CA]# ls -ltr
total 8
-rw-r--r-- 1 root wheel 0 Jun 15 08:17 my-ca.key
-rw-r--r-- 1 root wheel 1751 Jun 15 08:17 ca.key
-rw-r--r-- 1 root wheel 1740 Jun 15 08:19 ca.crt
-rw-r--r-- 1 root wheel 1743 Jun 15 08:22 sunucu.key
-rw-r--r-- 1 root wheel 1082 Jun 15 08:25 sunucu.csr

3. Signing the CSR with the CA (Certificate Authority)

# openssl x509 -req -in sunucu.csr -out sunucu.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 730
Signature ok
subject=/C=TR/ST=Istanbul/L=Istanbul/O=Bilgi Guvenligi AKADEMISI/OU=Egitim/CN=www.bga.com.tr/emailAddress=info@bga.com.tr
Getting CA Private Key
Enter pass phrase for ca.key:

# chmod 400 *.key

4. Starting Apache with SSL

# apachectl start

Apache/2.2.13 mod_ssl/2.2.13 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.bga.com.tr:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
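Steps 1 to 3 above as a non-interactive script, added here as an example and not part of the original article: it builds the CA, generates the server key and CSR, signs the CSR with the CA, and then verifies the result. It differs from the article's commands in using SHA-256 instead of -sha1, adding a subjectAltName (clients match the hostname against the SAN, not only the CN), and writing unencrypted keys so it can run unattended; the target directory, the organisation names and the hostname www.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands: CA + server certificate, non-interactive.
# Assumptions: openssl on PATH, the example names, and the hostname www.example.test.
set -e

# Steps 1-3 of the article in one function: writes ca.key, ca.crt, sunucu.key,
# sunucu.csr and sunucu.crt into $1 (an existing directory) and prints that path.
make_ca_and_server_cert() {
    dir=$1
    # 1. CA private key and self-signed CA certificate (10 years, as in the article).
    #    No -des3: an unencrypted key lets the script run unattended; protect it with
    #    file permissions instead (chmod below).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=TR/ST=Istanbul/L=Istanbul/O=Example Org/CN=Example Root CA"
    # 2. Server private key and certificate signing request.
    openssl genrsa -out "$dir/sunucu.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/sunucu.key" -out "$dir/sunucu.csr" \
        -subj "/C=TR/ST=Istanbul/L=Istanbul/O=Example Org/CN=www.example.test"
    # 3. Sign the CSR with the CA (2 years, as in the article) using SHA-256 rather
    #    than -sha1, and add the SAN/EKU extensions that modern clients require.
    printf 'subjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$dir/san.ext"
    openssl x509 -req -sha256 -in "$dir/sunucu.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 730 \
        -extfile "$dir/san.ext" -out "$dir/sunucu.crt" 2>/dev/null
    chmod 400 "$dir/ca.key" "$dir/sunucu.key"
    echo "$dir"
}

# Checks the result: the server certificate must chain to ca.crt and be valid for
# the hostname, and its public key must match sunucu.key. Prints "ok" on success.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname www.example.test \
        "$dir/sunucu.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl rsa -in "$dir/sunucu.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/sunucu.crt" -pubkey -noout)
    [ "$key_pub" = "$crt_pub" ] || return 1
    echo ok
}
```

To use the output with mod_ssl, point SSLCertificateFile at sunucu.crt and SSLCertificateKeyFile at sunucu.key; because the key is not passphrase-protected, Apache starts without the pass phrase dialog shown above.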