CentOSでApache2 + mod_ssl鯖の構築! でCentOS編を書き記したので、そんならばソース編もと言うことで書くことにした。基本的な証明書の作り方は同じで、コンパイルせねばならない所だけが違う。尚、Apacheの設定は詳しく記さないので詳しく知りたければ、 ここ を参照すること。
インストール環境 )
OS : DebianGNULinux 3.1Sarge
マシン : PentiumⅡマシン
1.ソースのゲット
ソースをダウンロードするサイトは以下、ただしいずれも2006年6月現在の最新バージョンでゲット。
mod_ssl( http://www.modssl.org/source/ )
OpenSSL( http://www.openssl.org/source/ )
ml2:~# cd /usr/local/src/
ml2:/usr/local/src# wget http://www.meisei-u.ac.jp/mirror/apache/httpd/apache_1.3.36.tar.gz
ml2:/usr/local/src# tar zxvf apache_1.3.36.tar.gz
ml2:/usr/local/src# chown -R root.root apache_1.3.36
ml2:/usr/local/src# wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
ml2:/usr/local/src# tar zxvf openssl-0.9.8b.tar.gz
ml2:/usr/local/src# chown -R root.root openssl-0.9.8b
ml2:/usr/local/src# wget http://www.modssl.org/source/mod_ssl-2.8.27-1.3.36.tar.gz
ml2:/usr/local/src# chown -R root.root mod_ssl-2.8.27-1.3.36
2.opensslのコンパイル&リンク
ml2:/usr/local/src# cd openssl-0.9.8b
ml2:/usr/local/src/openssl-0.9.8b# ./config
ml2:/usr/local/src/openssl-0.9.8b# make
ml2:/usr/local/src/openssl-0.9.8b# make test
ml2:/usr/local/src/openssl-0.9.8b# make install
3.apache + mod_sslコンパイル&リンク
未だに、俺はApache1の方が扱いやすい慣れないもんだね(笑)。
ml2:/usr/local/src/openssl-0.9.8b# cd ..
ml2:/usr/local/src# cd mod_ssl-2.8.27-1.3.36
ml2:/usr/local/src/mod_ssl-2.8.27-1.3.36# ./configure –with-apache=../apache_1.3.36
Configuring mod_ssl/2.8.27 for Apache/1.3.36
+ Apache location: ../apache_1.3.36 (Version 1.3.36)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.
Now proceed with the following commands (Bourne-Shell syntax):
$ cd ../apache_1.3.36
$ SSL_BASE=/path/to/openssl ./configure … –enable-module=ssl
$ make
$ make certificate
$ make install
ml2:/usr/local/src/mod_ssl-2.8.27-1.3.36# cd ../apache_1.3.36
ml2:/usr/local/src/apache_1.3.36# ./configure –enable-module=ssl –enable-module=so
Configuring for Apache, Version 1.3.36
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using “tr [a-z] [A-Z]” to uppercase
+ checking for system header files
+ adding selected modules
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.27
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: /usr/local/ssl
+ SSL library version: OpenSSL 0.9.8b 04 May 2006
+ SSL library type: installed package (stand-alone)
+ enabling Extended API (EAPI)
+ using builtin Expat
+ using -ldl for vendor DSO support
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl
ml2:/usr/local/src/apache_1.3.36# make
ml2:/usr/local/src/apache_1.3.36# make install
4.暗号化Key作成
1)秘密鍵を作る
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl genrsa
-des3 -out server.key.secure 1024 ←1行でGenerating RSA private key, 1024 bit long modulus
……………………………++++++
………………………………..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key.secure: パスフレーズを入力(好きなパスワードを入力する)
Verifying – Enter pass phrase for server.key.secure: パスフレーズ再入力
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl rsa -in
server.key.secure -out server.key ←1行で
Enter pass phrase for server.key.secure: 上記のパスフレーズを入力
writing RSA key
2)署名要求を作る
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl req -new
-key server.key -out server.csr ←1行で
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]: JP ←国
State or Province Name (full name) [Berkshire]: Tokyo ←都道府県
Locality Name (eg, city) [Newbury]: Chiyodaku ←市区町村
Organization Name (eg, company) [My Company Ltd]: xxxxxxxxxxxxx.jp ←ドメイン名など
Organizational Unit Name (eg, section) []: Enter
Common Name (eg, your name or your server’s hostname) []: www.xxxxxxxxxxxxx.jp ←ホスト名
Email Address []: mity@xxxxxxxxxxxxx.jp ←管理者メールアドレス
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: Enter
An optional company name []: Enter
3)CA証明書の作成
ml2:/usr/local/apache/conf/ssl.crt# /usr/local/ssl/bin/openssl x509
-in server.csr -out server.pem -req -signkey server.key -days 365 ←1行で
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyodaku/O=xxxxxxxxxxxxx.jp/CN=www.xxxxxxxxxxxxx.jp
/emailAddress=mity@xxxxxxxxxxxxx.jp
Getting Private key
ml2:/usr/local/apache/conf/ssl.crt# chmod 400 server.*
5.apacheの設定
1)DocumentRoot作成
ml2:/usr/local/apache/conf/ssl.crt# mkdir /usr/local/apache/htdocs/sslcert
ml2:/usr/local/apache/conf/ssl.crt# chmod 777 /usr/local/apache/htdocs/sslcert
2)httpd.confの編集
ml2:/usr/local/apache/conf/ssl.crt# cd ..
ml2:/usr/local/apache/conf# vi httpd.conf
省略
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot “/usr/local/apache/htdocs/sslcert”
ServerName ml2.xxxxxxxxxxxxx.co.jp
ServerAdmin root@ml2.xxxxxxxxxxxxx.co.jp
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
省略
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.pem
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
省略
6.起動
1)Apache + sslの起動
ml2:/usr/local/apache/conf# /usr/local/apache/bin/apachectl sslstart
2)プロセス確認
ml2:/usr/local/apache/conf# ps -ef
省略
root 6095 1 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6096 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6097 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6098 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6099 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6100 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 6101 6095 0 12:15 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
省略
注:自動起動設定やlogrotation設定等は、当サイトの関連サイトを参照のこと。
7.Client側からブラウズ確認(IEの場合)
https://IPアドレスもしくはホスト名/ へアクセスして以下のような手続きを行う。
以上
コメント