トップ 差分 一覧 Farm ソース 検索 ヘルプ PDF RSS ログイン

Apache+SSL

[コンピュータ関連Tips]
[ネットワーク]

 必要なもの

  • Apache(apache_1.3.29)
  • OpenSSL(openssl-0.9.7c)
  • mod_ssl(mod_ssl-2.8.16-1.3.29)

 インストール

opensslのコンパイル

tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config --prefix=/usr/local --openssldir=/usr/local/openssl -fPIC
make

mod_ssl付きのapacheのコンパイル

tar zxvf apache_1.3.29
tar xvfz mod_ssl-2.8.3-1.3.29.tar.gz
cd mod_ssl-2.8.3-1.3.29
./configure --with-apache=../apache_1.3.29 --with-ssl=../openssl-0.9.7c?
 --prefix=/usr/local/apache --enable-shared=ssl --enable-module=so?
 --enable-rule=SHARED_CORE --enable-module=rewrite --enable-shared=rewrite
make
make certificate
make install

 設定

httpd.conf

  • Portは通常のHTTPを8080から80に、またHTTPSを8443から443に変更
  • <VertualHost>のところのサーバ名に注意

 起動

startのかわりにstartssl

 設定方法 (自分がCAになる)

CA 自身の秘密鍵 ca.key の作成。

$ openssl genrsa -des3 -out ca.key 1024

CA 自身の証明書 ca.crt を作成。

$ openssl req -new -x509 -key ca.key -out ca.crt

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:       <--- パスフレーズ入力
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T.I.Tech
Organizational Unit Name (eg, section) []:Sugino Laboratory
Common Name (eg, YOUR name) []:foo baar
Email Address []:foo@bar

サーバ用秘密鍵 server.key の作成。

$ openssl genrsa -des3 -out server.key 1024

サーバ証明書発行のための CSR (Certificate Signing Request) の作成。

$ openssl req -new -key server.key -out server.csr

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:       <--- パスフレーズ入力
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T.I.Tech
Organizational Unit Name (eg, section) []:Sugino Laboratory
Common Name (eg, YOUR name) []:www.sgn.ip.titech.ac.jp
Email Address []:foo@bar

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:         <--- Enter
An optional company name []:     <--- Enter

サーバ用証明書の発行。

この時、ca.key は ca.crt 等はこのファイル名通りでないとダメ

$ $SRC/mod_ssl-2.8.16-1.3.29/pkg.contrib/sign.sh server.csr

...
Certificate is to be certified until Sep 13 04:30:55 2001 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

...

コピー

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key