RHCE: HTTP/HTTPS – TLS Security Configuration

This is an RHCE topic. It is a translation of the CertDepot site with some added content; all rights to the content belong to CertDepot.

Prerequisites

File                      Download location
TLS server certificate    http://repo.example.com/server2.4am.kr.crt
TLS server private key    http://repo.example.com/server2.4am.kr.key
TLS CA certificate        http://repo.example.com/server2.4am.kr-ca.crt

Configuration

1. Save the certificates and the private key.
[root@server2 ~]# cd /etc/httpd/conf
[root@server2 conf]# wget http://repo.example.com/server2.4am.kr.crt
--2016-05-04 14:30:26--  http://repo.example.com/server2.4am.kr.crt
Resolving repo.example.com (repo.example.com)... 
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2390 (2.3K) [application/x-x509-ca-cert]
Saving to: ‘server2.4am.kr.crt’

100%[======================================>] 2,390       --.-K/s   in 0s      

2016-05-04 14:30:27 (338 MB/s) - ‘server2.4am.kr.crt’ saved [2390/2390]

[root@server2 conf]# wget http://repo.example.com/server2.4am.kr.key
--2016-05-04 14:30:40--  http://repo.example.com/server2.4am.kr.key
Resolving repo.example.com (repo.example.com)... 
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3294 (3.2K) [text/plain]
Saving to: ‘server2.4am.kr.key’

100%[======================================>] 3,294       --.-K/s   in 0s      

2016-05-04 14:30:40 (328 MB/s) - ‘server2.4am.kr.key’ saved [3294/3294]

[root@server2 conf]# wget http://repo.example.com/server2.4am.kr-ca.crt
--2016-05-04 14:30:51--  http://repo.example.com/server2.4am.kr-ca.crt
Resolving repo.example.com (repo.example.com)... 
Connecting to repo.example.com (repo.example.com)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2106 (2.1K) [application/x-x509-ca-cert]
Saving to: ‘server2.4am.kr-ca.crt’

100%[======================================>] 2,106       --.-K/s   in 0s      

2016-05-04 14:30:51 (502 MB/s) - ‘server2.4am.kr-ca.crt’ saved [2106/2106]

[root@server2 conf]# 
2. Open the /etc/httpd/conf.d/ssl.conf file and change the SSLCertificate* lines as follows.
[root@server2 conf.d]# vim ssl.conf 
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/server2.4am.kr.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/server2.4am.kr.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/httpd/conf/server2.4am.kr-ca.crt
[root@server2 conf.d]# 
3. In the same file, find the ServerName directive and change it as follows.

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
ServerName server2.4am.kr:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
4. Check the configuration file.
[root@server2 conf.d]# apachectl configtest
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using server2.example.com. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@server2 conf.d]# 

Note: The configuration can also be checked with the httpd -t command.

5. Restart the httpd service.
[root@server2 conf.d]# systemctl restart httpd
[root@server2 conf.d]# 

Note: The service can also be restarted with the apachectl restart command.

6. Check the virtual host configuration.
[root@server2 conf.d]# httpd -D DUMP_VHOSTS
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using server2.example.com. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server2.4am.kr (/etc/httpd/conf.d/ssl.conf:56)
[root@server2 conf.d]# 

Note: In addition, the certificate served can be inspected with the openssl s_client -connect server2.4am.kr:443 -state command.
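A pre-flight check for the three files wired into ssl.conf in steps 1 to 3, added here as an example and not part of CertDepot's page: it confirms that the key matches the certificate, that the CA file actually chains it, that the certificate covers the ServerName, and that the key is not world-readable. It assumes openssl(1) and POSIX find(1) are available, and builds a throwaway CA and server certificate (constructed demo data, not the repo.example.com files) so it can run offline.

```shell
#!/bin/sh
# Added example (not CertDepot's): sanity-check the files that ssl.conf points
# at before running apachectl configtest and restarting httpd.
# Assumes openssl(1) and POSIX find(1); all paths are function arguments.
set -eu

# check_tls_files CERT KEY CA SERVERNAME -> returns 0 only if every check passes
check_tls_files() {
  cert=$1 key=$2 ca=$3 host=$4 rc=0
  # 1. SSLCertificateFile and SSLCertificateKeyFile must carry the same public
  #    key, otherwise httpd refuses to start with a certificate/key mismatch.
  cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "FAIL: $key does not match $cert"; rc=1; }
  # 2. The SSLCertificateChainFile must actually chain the server certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; rc=1; }
  # 3. The ServerName of the <VirtualHost _default_:443> block must be covered
  #    by the certificate (SAN, or CN when there is no SAN), or browsers warn.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "FAIL: $cert is not issued for $host"; rc=1; }
  # 4. The private key must not be readable by other users.
  [ -z "$(find "$key" -perm -004)" ] \
    || { echo "FAIL: $key is world-readable"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $cert / $key / $ca are usable for $host"
  return "$rc"
}

# make_demo_pki DIR: constructed throwaway CA plus server certificate so the
# check can be exercised offline (stand-ins for the repo.example.com files).
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server2.4am.kr" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
  chmod 600 "$d/ca.key" "$d/srv.key"
}

# On server2 the call with the page's paths would be:
#   check_tls_files /etc/httpd/conf/server2.4am.kr.crt \
#     /etc/httpd/conf/server2.4am.kr.key \
#     /etc/httpd/conf/server2.4am.kr-ca.crt server2.4am.kr
```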

Testing

[Screenshot: tls-security-firefox-test-1]


at4am

May 4, 2016
