Kozupon.com    
 
Building an Apache2 + mod_ssl server on CentOS!


I needed an https server for work, so I built one on CentOS 4.3. Late as it is to admit, yum -y install is easy. Still, my preconception that when it stops with an error it is nastier to untangle than a source build is what keeps me from leaving source compiles behind. When a server has to go up in a hurry, though, I fall back on yum and apt. Thanks as always!
For reference, if you do compile from source, the official download locations are:
mod_ssl: http://www.modssl.org/source/
OpenSSL: http://www.openssl.org/source/
Note that the mod_ssl distributed at modssl.org is the add-on for Apache 1.3; with Apache 2.x, mod_ssl ships inside the httpd source tree, which is also what the mod_ssl package installed below is built from.

Installation environment)
OS: CentOS 4.3
Machine: Dell PowerEdge SC430


1. Installing mod_ssl
[root@ns apache_1.3.36]# yum -y install mod_ssl
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.0.52-22.ent.cen 100% |=========================| 24 kB 00:00
---> Package mod_ssl.i386 1:2.0.52-22.ent.centos4 set to be updated
--> Running transaction check
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Processing Dependency: httpd = 2.0.52-22.ent.centos4 for package: mod_ssl
--> Processing Dependency: httpd-mmn = 20020903 for package: mod_ssl
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Package httpd.i386 0:2.0.52-22.ent.centos4 set to be updated
---> Downloading header for distcache to pack into transaction set.
distcache-1.4.5-6.i386.rp 100% |=========================| 7.2 kB 00:00
---> Package distcache.i386 0:1.4.5-6 set to be updated
--> Running transaction check
--> Processing Dependency: httpd-suexec for package: httpd
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Package httpd-suexec.i386 0:2.0.52-22.ent.centos4 set to be updated
--> Running transaction check

Dependencies Resolved

===================================================================
Package Arch Version Repository Size
===================================================================
Installing:
mod_ssl i386 1:2.0.52-22.ent.centos4 base 97 k
Installing for dependencies:
distcache i386 1.4.5-6 base 111 k
httpd i386 2.0.52-22.ent.centos4 base 887 k
httpd-suexec i386 2.0.52-22.ent.centos4 base 28 k

Transaction Summary
===================================================================
Install 4 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 1.1 M
Downloading Packages:
(1/4): mod_ssl-2.0.52-22. 100% |=========================| 97 kB 00:00
(2/4): httpd-2.0.52-22.en 100% |=========================| 887 kB 00:00
(3/4): httpd-suexec-2.0.5 100% |=========================| 28 kB 00:00
(4/4): distcache-1.4.5-6. 100% |=========================| 111 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: distcache ######################### [1/4]
Installing: httpd ######################### [2/4]
Installing: mod_ssl ######################### [3/4]
Installing: httpd-suexec ######################### [4/4]

Installed: mod_ssl.i386 1:2.0.52-22.ent.centos4
Dependency Installed: distcache.i386 0:1.4.5-6 httpd.i386 0:2.0.52-22.ent.centos4
httpd-suexec.i386 0:2.0.52-22.ent.centos4
Complete!


2. Creating the key
1) Create the private key
[root@ns apache_1.3.36]# openssl genrsa -des3 -out server.key.secure 1024
Generating RSA private key, 1024 bit long modulus
....++++++
...................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key.secure: enter a passphrase (any password you like)
Verifying - Enter pass phrase for server.key.secure: re-enter the passphrase

[root@ns certs]# openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure: enter the passphrase from above
writing RSA key
This produces the private key. The second command writes a copy with the passphrase removed (server.key); httpd needs that copy so it can start at boot without prompting for the passphrase, at the price of an unencrypted key on disk, which is why the permission step below matters. Note also that a 1024-bit RSA modulus, as generated here, is too short by current standards; use 2048 bits or more for anything built today.

Set permissions for security
[root@ns certs]# chmod 400 server.key

2) Create the certificate signing request
[root@ns certs]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: JP ← country
State or Province Name (full name) [Berkshire]: Tokyo ← prefecture
Locality Name (eg, city) [Newbury]: Chiyodaku ← city or ward
Organization Name (eg, company) [My Company Ltd]: xxxxxxxxxxxxx.jp ← domain name or similar
Organizational Unit Name (eg, section) []: (press Enter)
Common Name (eg, your name or your server's hostname) []: www.xxxxxxxxxxxxx.jp ← hostname (this must be exactly the name users will type into the browser; any other name, including the bare IP address, produces a name-mismatch warning)
Email Address []: mity@xxxxxxxxxxxxx.jp ← administrator email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press Enter)
An optional company name []: (press Enter)

Set permissions for security
[root@ns certs]# chmod 400 server.csr

3) Create a self-signed certificate
[root@ns certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365

Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyodaku/O=xxxxxxxxxxxxx.jp/CN=www.xxxxxxxxxxxxx.jp/emailAddress=mity@xxxxxxxxxxxxx.jp
Getting Private key
This signs the request with the server's own key, giving a self-signed server certificate valid for 365 days. It is not a CA certificate and no certificate authority has been set up: the certificate is its own issuer, so every browser will warn about an untrusted issuer until the user imports it (see step 5). For a public site, send server.csr to a commercial CA instead and install the certificate it returns.


3. Editing the conf file
[root@ns certs]# vi /etc/httpd/conf.d/ssl.conf
(omitted)
SSLCertificateFile /usr/share/ssl/certs/server.pem
SSLCertificateKeyFile /usr/share/ssl/certs/server.key

(omitted)
# General setup for the virtual host, inherited from global configuration
# The following line is commented out in the stock file; enable it:
#DocumentRoot "/var/www/html"

DocumentRoot "/var/www/html"
(omitted)
The two paths above assume server.pem and server.key were created in /usr/share/ssl/certs (the certs directory shown in the prompts). If you generated them elsewhere, either move them there or point the directives at the actual location; httpd will refuse to start if the key and certificate do not belong together.


4. Restart Apache (or start it if it is not running)
[root@ns certs]# /etc/rc.d/init.d/httpd restart

Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Because server.key has no passphrase, the start completes without prompting.


5. Checking that it works, and other required items
1) Open port 443
If you are behind a router, open port 443 in its settings. Check the host's own firewall (iptables) as well; a router rule alone does not help if the host itself drops inbound 443.

2) Confirm the SSL server is running
https://server-hostname or server-IP-address/
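As an added example (not code from the original page), the following script reproduces the key, CSR and self-signed certificate procedure of step 2 non-interactively, writes a constructed ssl.conf fragment in the shape of step 3, and adds the checks a practitioner runs before the restart in step 4: the certificate's public key matches the private key, the key is not readable by other users, and the CN is the name browsers will use. For step 5 it also includes a probe that fetches the certificate a live server presents. The hostname www.example.test, the target directory, the 2048-bit key size and the conf path are assumptions; the probe needs a running server, so it is not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original page. Reproduces steps 2 and 3
# non-interactively and adds the checks a practitioner wants before restarting
# httpd: key/cert modulus match, key permissions, CN, and a live probe of port 443.
# Assumptions: openssl on PATH; directory, hostname and conf path are placeholders.
set -eu

# Step 2: unencrypted 2048-bit RSA key, CSR and self-signed certificate in $1 for host $2.
# -subj replaces the interactive DN prompts; no -des3, so httpd starts unattended.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # umask in a subshell: the key file is created 0600, never world-readable.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyodaku/O=$host/CN=$host" 2>/dev/null
    # Self-signed server certificate (signed with its own key); this is NOT a CA.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.pem" 2>/dev/null
    chmod 400 "$dir/server.key" "$dir/server.csr"
}

# Step 3: write the two directives into a (constructed) ssl.conf at $1 pointing at $2.
write_ssl_conf() {
    cat >"$1" <<EOF
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile $2/server.pem
SSLCertificateKeyFile $2/server.key
DocumentRoot "/var/www/html"
</VirtualHost>
EOF
}

# Value of directive $2 in conf file $1 (last occurrence wins, as in httpd).
conf_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Return 0 only if the conf's cert and key both exist, the key is not group/world
# readable, and the certificate's public key has the same RSA modulus as the key.
check_ssl_conf() {
    conf=$1
    cert=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    # permission bits as octal, e.g. 400 (GNU stat first, BSD stat as fallback)
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in ?00) ;; *) return 1 ;; esac
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# CN in the certificate $1; must equal the hostname the browser types, or it warns.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# Step 5: fetch the certificate a live server presents on $1:$2 and print its
# subject and validity dates. Needs a running server, so it is not run offline.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
}
```

Run it as `make_selfsigned /usr/share/ssl/certs www.xxxxxxxxxxxxx.jp` followed by `check_ssl_conf /etc/httpd/conf.d/ssl.conf` before the restart; a non-zero exit means httpd would either fail to start or serve a certificate that does not belong to its key. After the restart, `probe_tls www.xxxxxxxxxxxxx.jp 443` shows what clients actually receive.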


Figures 1 to 7: screenshots of the browser's security warning and the certificate installation steps (images not reproduced here).

Note that in IE, if you access https://server-IP-address/ and install the certificate as shown above, the "Security Alert" window is no longer displayed afterwards. Installing the certificate only clears the untrusted-issuer complaint; the browser still compares the certificate's CN with the name that was typed, so use the hostname in the CN (www.xxxxxxxxxxxxx.jp here) rather than the IP address if you want no warning at all. Importing a self-signed certificate into a trust store also means trusting that key for everything it claims, so do it only on machines you control.

End.


 
 
 



Copyright 2005 Kozupon.com.