memo.xight.org

Daily notes

Apache + mod_ssl on Debian

Installation

# aptitude install libapache-mod-ssl
# aptitude install libapache-mod-ssl-doc
# cat /usr/share/doc/libapache-mod-ssl-doc/examples/mod-ssl.conf >> /etc/apache/conf.d/ssl.conf
# zcat /usr/share/doc/libapache-mod-ssl-doc/examples/vhost.conf.gz >> /etc/apache/conf.d/vhost.conf
# apachectl configtest


Creating the key

mod-ssl-makecert asks a few questions and then runs mkcert.sh. Choice 2 below produces a test certificate signed by the Snake Oil demonstration CA, which no browser trusts; the tool itself warns that it must not be used on a production system. For a real server choose 3 (a certificate signed by your own CA) or send the generated server.csr to a real CA, as the RESULT section of the output describes.

# mod-ssl-makecert
What type of certificate do you want to create?

1. dummy (dummy self-signed Snake Oil cert)
2. test (test cert signed by Snake Oil CA)
3. custom (custom cert signed by own CA)
4. existing (existing cert)

Use dummy when you are a vendor package maintainer,
test when you are an admin but want to do tests only,
custom when you are an admin willing to run a real server
existing when you are an admin who upgrades a server.

Normally you would choose 2.

your choice: 2
Which algorithm should be used to generate required key(s)?

1. RSA
2. DSA

Normally you would choose 1.

your choice: 1
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________

STEP 1: Generating RSA private key (1024 bit) [server.key]
1261417 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Tokyo
3. Locality Name (eg, city) [Snake Town]:Itabashi-ku
4. Organization Name (eg, company) [Snake Oil, Ltd]:Example Co.,Ltd.
5. Organizational Unit Name (eg, section) [Webserver Team]:Web Contents Group
6. Common Name (eg, FQDN) [www.snakeoil.dom]:example.com
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:admin@example.com
8. Certificate Validity (days) [365]:
______________________________________________________________________

STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=JP/ST=Tokyo/L=Itabashi-ku/O=Example Co.,Ltd./OU=Web Contents Group/CN=example.com/emailAddress=admin@example.com
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 4: Encrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

RESULT: Server Certification Files

o /etc/apache/ssl.key/server.key
   The PEM-encoded RSA private key file which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o /etc/apache/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o /etc/apache/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our demonstration-only Snake Oil CA) which later can replace
   the /etc/apache/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems


Hiding the key

The private key was left unencrypted above (STEP 4, answered n) so that Apache can start without a pass phrase being typed at the console. File permissions are then the only thing protecting it, so make it readable by its owner only:

# chmod 600 /etc/apache/ssl.key/server.key


Restarting Apache

# apachectl stop
# apachectl start
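The whole procedure above (generate key and certificate, check that they belong together, lock the key down) as a non-interactive script. This is an added example, not code from the memo or from the mod_ssl package: it uses the openssl CLI (1.1.1 or newer, for -addext) instead of mod-ssl-makecert, writes to whatever directory you pass rather than /etc/apache by default, and reuses the memo's DN with the hostname as a parameter. The target directory, the ssl.key/ssl.crt layout and the hostnames in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original memo or mod_ssl): a non-interactive
# stand-in for mod-ssl-makecert. Generates an RSA key and a self-signed
# certificate with openssl(1), performs the same "matching certificate & key
# modulus" check that mkcert.sh prints, and makes sure the unencrypted key is
# readable by its owner only.
# Assumptions: POSIX sh, the openssl CLI (1.1.1+ for -addext), and the
# ssl.key/ssl.crt subdirectory layout that mod-ssl-makecert uses.

# Generate ssl.key/server.key and ssl.crt/server.crt for hostname $2 under
# directory $1, valid for $3 days (default 365). umask 077 is set before
# openssl runs, so the key is never world-readable, not even between creation
# and a later chmod; the certificate is public and is opened up afterwards.
gen_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir/ssl.key" "$dir/ssl.crt"
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" \
            -subj "/C=JP/ST=Tokyo/L=Itabashi-ku/O=Example Co.,Ltd./OU=Web Contents Group/CN=$cn" \
            -addext "subjectAltName=DNS:$cn" \
            -keyout "$dir/ssl.key/server.key" \
            -out "$dir/ssl.crt/server.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/ssl.crt/server.crt"
}

# Return 0 when the certificate's public key and the private key share the
# same modulus, i.e. SSLCertificateFile and SSLCertificateKeyFile belong
# together. A mismatch here is what makes Apache refuse to start.
verify_pair() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Return 0 when the key file's mode is exactly 0600. find -perm with a plain
# octal mode (no leading - or /) is an exact match and is POSIX, unlike
# stat -c, which differs between GNU and BSD.
key_perms_ok() {
    [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# Usage (hypothetical paths): sh make_cert.sh /etc/apache example.com 365
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2" "$3" || { echo "openssl failed" >&2; exit 1; }
    verify_pair "$1/ssl.key/server.key" "$1/ssl.crt/server.crt" \
        || { echo "key and certificate do not match" >&2; exit 1; }
    key_perms_ok "$1/ssl.key/server.key" \
        || { echo "server.key is not mode 0600" >&2; exit 1; }
    openssl x509 -noout -subject -enddate -in "$1/ssl.crt/server.crt"
fi
```

Run `apachectl configtest` and then restart Apache as in the memo once the script has printed the subject and expiry date. The certificate is still self-signed, so it is only a replacement for choice 1 or 2 of mod-ssl-makecert; for a trusted certificate generate a CSR with `openssl req -new` instead of `-x509` and have a CA sign it.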


Reference

http://shiro.pochi.cc/~sasaki/chalow/2004-12-09.html#2004-12-09-4
http://oceanicsky.dyndns.org/pukiwiki/?libapache-mod-ssl