CentOSでApache2 + mod_ssl鯖の構築！

仕事で必要なので、https鯖をCentOS 4.3環境で構築した。今更ながら、yum -y install は楽だ。だけど、エラーで止まったときにはsourceコンパイル時よりたちが悪いという先入観が、俺をsource離れさせない。だけど、急いで鯖構築しなければいけないときは、やはりyum、aptにお世話になる。いつもながら感謝！
ちなみに、sourceコンパイルする場合は、以下がオフィシャルサイトのsourceのダウンロード場所。
mod_ssl（ http://www.modssl.org/source/ ）
OpenSSL（ http://www.openssl.org/source/ ）

インストール環境）
OS：CentOS 4.3
マシン：Dell PowerEdge SC430

１．mod_sslのインストール
[root@ns apache_1.3.36]# yum -y install mod_ssl
Loading “fastestmirror” plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
–> Populating transaction set with selected packages. Please wait.
—> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.0.52-22.ent.cen 100% |=========================| 24 kB 00:00
—> Package mod_ssl.i386 1:2.0.52-22.ent.centos4 set to be updated
–> Running transaction check
–> Processing Dependency: libnal.so.1 for package: mod_ssl
–> Processing Dependency: httpd = 2.0.52-22.ent.centos4 for package: mod_ssl
–> Processing Dependency: httpd-mmn = 20020903 for package: mod_ssl
–> Processing Dependency: libdistcache.so.1 for package: mod_ssl
–> Restarting Dependency Resolution with new changes.
–> Populating transaction set with selected packages. Please wait.
—> Package httpd.i386 0:2.0.52-22.ent.centos4 set to be updated
—> Downloading header for distcache to pack into transaction set.
distcache-1.4.5-6.i386.rp 100% |=========================| 7.2 kB 00:00
—> Package distcache.i386 0:1.4.5-6 set to be updated
–> Running transaction check
–> Processing Dependency: httpd-suexec for package: httpd
–> Restarting Dependency Resolution with new changes.
–> Populating transaction set with selected packages. Please wait.
—> Package httpd-suexec.i386 0:2.0.52-22.ent.centos4 set to be updated
–> Running transaction check

Dependencies Resolved

===================================================================
Package Arch Version Repository Size
===================================================================
Installing:
mod_ssl i386 1:2.0.52-22.ent.centos4 base 97 k
Installing for dependencies:
distcache i386 1.4.5-6 base 111 k
httpd i386 2.0.52-22.ent.centos4 base 887 k
httpd-suexec i386 2.0.52-22.ent.centos4 base 28 k

Transaction Summary
===================================================================
Install 4 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 1.1 M
Downloading Packages:
(1/4): mod_ssl-2.0.52-22. 100% |=========================| 97 kB 00:00
(2/4): httpd-2.0.52-22.en 100% |=========================| 887 kB 00:00
(3/4): httpd-suexec-2.0.5 100% |=========================| 28 kB 00:00
(4/4): distcache-1.4.5-6. 100% |=========================| 111 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: distcache ######################### [1/4]
Installing: httpd ######################### [2/4]
Installing: mod_ssl ######################### [3/4]
Installing: httpd-suexec ######################### [4/4]

Installed: mod_ssl.i386 1:2.0.52-22.ent.centos4
Dependency Installed: distcache.i386 0:1.4.5-6 httpd.i386 0:2.0.52-22.ent.centos4
httpd-suexec.i386 0:2.0.52-22.ent.centos4
Complete!

２．暗号化Key作成
１）秘密鍵を作る
[root@ns apache_1.3.36]# openssl genrsa -des3 -out server.key.secure 1024
Generating RSA private key, 1024 bit long modulus
….++++++
……………………………..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key.secure: パスフレーズを入力（好きなパスワードを入力する）
Verifying – Enter pass phrase for server.key.secure: パスフレーズを再入力

[root@ns certs]# openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure: 上で入力したパスフレーズを入力
writing RSA key
これで、秘密鍵が生成された。

セキュリティのためパーミッション設定
[root@ns certs]# chmod 400 server.key

２）署名要求を作る
[root@ns certs]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]: JP ←国
State or Province Name (full name) [Berkshire]: Tokyo ←都道府県
Locality Name (eg, city) [Newbury]: Chiyodaku ←市区町村
Organization Name (eg, company) [My Company Ltd]: xxxxxxxxxxxxx.jp ←ドメイン名など
Organizational Unit Name (eg, section) []: Enter
Common Name (eg, your name or your server’s hostname) []: www.xxxxxxxxxxxxx.jp ←ホスト名
Email Address []: mity@xxxxxxxxxxxxx.jp ←管理者メールアドレス

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: Enter
An optional company name []: Enter

セキュリティーのためパーミッションを設定
[root@ns certs]# chmod 400 server.csr

３）CA証明書を作る
[root@ns certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyodaku/O=xxxxxxxxxxxxx.jp/CN=www.xxxxxxxxxxxxx.jp
/emailAddress=mity@xxxxxxxxxxxxx.jp
Getting Private key
これで、MyCA局が開設された。

３．confファイルの編集
[root@ns certs]# vi /etc/httpd/conf.d/ssl.conf
省略
SSLCertificateFile /usr/share/ssl/certs/server.pem
SSLCertificateKeyFile /usr/share/ssl/certs/server.key
省略
# General setup for the virtual host, inherited from global configuration
# 以下、コメントアウト
#DocumentRoot “/var/www/html”
↓
DocumentRoot “/var/www/html”
省略

４．Apacheの再起動（起動してなければ起動する）
[root@ns certs]# /etc/rc.d/init.d/httpd restart
httpd を停止中: [ OK ]
httpd を起動中: [ OK ]

５．動作確認及びその他必要事項
１） ポート443を開ける
ルータを使っていたとしたら設定でポート443番をOPENする。

２）SSL鯖が動いてるか確認
https://サーバのホスト名 or サーバーIPアドレス/