SSL (Secure Sockets Layer), put simply, is a set of rules for encrypting data before it is exchanged.
Because data sent over SSL is encrypted, private information can be exchanged without being read by a third party.
To use SSL with Apache, the SSL module has to be added to the server.
This page shows how to add that module and build an Apache setup that encrypts its traffic.
Install the mod_ssl package:
# yum -y install mod_ssl
Create the CA key, using the random data in rand.dat to seed the generator:
# openssl genrsa -des3 -out /etc/httpd/conf/ca.key -rand rand.dat 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......++++++
....................++++++
e is 65537 (0x10001)
(enter the CA password)
Enter pass phrase for /etc/httpd/conf/ca.key:
(to confirm, enter the same password again)
Verifying - Enter pass phrase for /etc/httpd/conf/ca.key:
Create the CA certificate:
# openssl req -new -x509 -days 365 -key /etc/httpd/conf/ca.key -out /etc/httpd/conf/ca.crt
(enter the CA passphrase)
Enter pass phrase for /etc/httpd/conf/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(enter the country code)
Country Name (2 letter code) [GB]:JP
(enter the prefecture)
State or Province Name (full name) [Berkshire]:Chiba
(enter the city)
Locality Name (eg, city) [Newbury]:Yachiyo
(enter the organization name)
Organization Name (eg, company) [My Company Ltd]:Private_CA
(enter the organizational unit name)
Organizational Unit Name (eg, section) []:Admin
(enter the server name, i.e. the host name)
Common Name (eg, your name or your server's hostname) []:fedora.kajuhome.com
(enter the administrator's e-mail address)
Email Address []:[email protected]
Create the server private key (key length 1024 bits):
# openssl genrsa -des3 -out /etc/httpd/conf/server.key -rand rand.dat 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........++++++
.......++++++
e is 65537 (0x10001)
(enter the server password)
Enter pass phrase for /etc/httpd/conf/server.key:
(to confirm, enter the same password again)
Verifying - Enter pass phrase for /etc/httpd/conf/server.key:
Create the certificate request (CSR) to be sent to the CA:
# openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr
(enter the server passphrase)
Enter pass phrase for /etc/httpd/conf/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(enter the country code)
Country Name (2 letter code) [GB]:JP
(enter the prefecture)
State or Province Name (full name) [Berkshire]:Chiba
(enter the city)
Locality Name (eg, city) [Newbury]:Yachiyo
(enter the organization name)
Organization Name (eg, company) [My Company Ltd]:HomeServer
(enter the organizational unit name)
Organizational Unit Name (eg, section) []:Self
(enter the name clients will access, i.e. the host part of http://<access name>; browsers check it against the URL)
Common Name (eg, your name or your server's hostname) []:kajuhome.com
(enter the administrator's e-mail address)
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
(press Enter without typing anything)
A challenge password []:
(press Enter without typing anything)
An optional company name []:
Back up the original key:
# cp /etc/httpd/conf/server.key /etc/httpd/conf/server.key.bak
Remove the passphrase from server.key (so httpd can start without prompting; from this point the key is protected only by file permissions, which the permission-change step below restricts):
# openssl rsa -in /etc/httpd/conf/server.key.bak -out /etc/httpd/conf/server.key
(enter the server passphrase)
Enter pass phrase for /etc/httpd/conf/server.key.bak:
writing RSA key
The mod_ssl module is updated frequently; check www.modssl.org for the latest version.
Fetch the mod_ssl source (its bundled sign.sh script is used below to sign the server certificate):
# wget http://www.modssl.org/source/mod_ssl-2.8.28-1.3.37.tar.gz
--15:12:37--  http://www.modssl.org/source/mod_ssl-2.8.28-1.3.37.tar.gz
           => `mod_ssl-2.8.28-1.3.37.tar.gz'
www.modssl.org をDNSに問いあわせています... 195.30.6.168
www.modssl.org[195.30.6.168]:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 754,277 [application/x-tar]

100%[====================================>] 820,417       89.12K/s    ETA 00:00

15:12:47 (80.68 KB/s) - `mod_ssl-2.8.28-1.3.37.tar.gz' を保存しました [820417/820417]
Extract the downloaded file:
# tar zxvf mod_ssl-2.8.28-1.3.37.tar.gz
mod_ssl-2.8.28-1.3.37/ANNOUNCE
mod_ssl-2.8.28-1.3.37/CHANGES
  :
  :
mod_ssl-2.8.28-1.3.37/pkg.sslsup/mkcert.sh
mod_ssl-2.8.28-1.3.37/pkg.sslsup/sslsup.patch
Change to the configuration directory:
# cd /etc/httpd/conf/
Create the server certificate with the sign.sh script bundled with the mod_ssl source obtained above:
# /root/mod_ssl-2.8.28-1.3.37/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
(enter the CA passphrase)
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Chiba'
localityName          :PRINTABLE:'Yachiyo'
organizationName      :T61STRING:'HomeServer'
organizationalUnitName:PRINTABLE:'Self'
commonName            :PRINTABLE:'kajuhome.com'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct  4 06:29:19 2005 GMT (365 days)
(type "y" and press Enter)
Sign the certificate? [y/n]:y
(type "y" and press Enter)
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
Convert the CA certificate from PEM format to binary DER format (the format clients will import):
# openssl x509 -inform pem -in /etc/httpd/conf/ca.crt -outform der -out /etc/httpd/conf/ca.der
Restrict the permissions on the key and certificate files so only their owner can read them:
# chmod -R 400 /etc/httpd/conf/server.* /etc/httpd/conf/ca.*
Edit the SSL configuration file so that the two directives below point at the server certificate and key created above:
# vi /etc/httpd/conf.d/ssl.conf
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/server.key
Restart Apache (httpd):
[FC1 through Fedora 15 / CentOS 4 / CentOS 5 / CentOS 6]
# /etc/rc.d/init.d/httpd restart
[Fedora 16 and later]
# systemctl restart httpd.service
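The same CA-then-server certificate workflow as the steps above, run non-interactively and followed by the checks worth making before restarting httpd. This is an added example, not the page's own commands: all paths and DN values are constructed, it works in a temporary directory instead of /etc/httpd/conf, it signs the CSR with openssl x509 -req in place of sign.sh, it writes the keys without a passphrase (the state the page reaches after stripping it from server.key), and it assumes 2048-bit keys because current OpenSSL security levels may reject 1024-bit signatures.

```shell
#!/bin/sh
# Added example (not from the page): non-interactive CA -> server certificate
# workflow plus pre-restart checks. Paths and DN values are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # CA key and self-signed CA certificate (page: genrsa + req -new -x509)
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=JP/ST=Chiba/L=Yachiyo/O=Private_CA/OU=Admin/CN=ca.example.test"
  # Server key and certificate request (page: genrsa + req -new)
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=JP/ST=Chiba/L=Yachiyo/O=HomeServer/OU=Self/CN=www.example.test"
  # Sign the request with the CA; this stands in for the page's sign.sh
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  # Same restriction as the page's chmod step: owner read-only private keys
  chmod 400 "$WORK/server.key" "$WORK/ca.key"
}

# Equivalent of sign.sh's final "CA verifying: server.crt <-> CA cert" line
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }

# SSLCertificateFile and SSLCertificateKeyFile must belong together: compare the
# RSA modulus of key $1 with that of certificate $2. httpd refuses to start on a
# mismatch, so check here rather than after the restart.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# A private key readable by group or others defeats the chmod 400 step
key_perms_ok() { [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]; }

# Stand-alone run: ./pki_check.sh run
if [ "${1:-}" = "run" ]; then
  make_pki
  verify_chain && key_matches_cert "$WORK/server.key" "$WORK/server.crt" \
    && key_perms_ok "$WORK/server.key" && echo "chain, key match and permissions OK: $WORK"
fi
```

Passing ca.key instead of server.key to key_matches_cert reproduces the mismatch httpd would otherwise report at startup.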
Accessing https://<server address>/ from a client displays the screen below.
Clicking "View certificate" in that screen displays the screen below.
Follow the steps below to make the CA certificate available for download by clients.
Copy ca.der to the top of the public web directory:
# cp /etc/httpd/conf/ca.der /var/www/html/
Change its permissions:
# chmod 440 /var/www/html/ca.der
Change its owner and group:
# chown apache:apache /var/www/html/ca.der
Link to ca.der from any page on your site so that it can be downloaded.
"This site's certificate can be downloaded here." Something like that.
(This site does not need SSL, so the download has deliberately been disabled.)
For commercial use, have a certificate issued (for a fee) by a proper certification authority.
To publish the site externally, the router must also be configured.
For opening ports on the router, refer to the manual of your own router.
To connect by DNS name, a domain name must be obtained beforehand. (The following are representative providers, and this site also uses them.)