SSL³µÏÀ

ssl.png

¥ª¥ì¥ª¥ìCA¡ÊCertificate Authority¡Ë¤ÎºîÀ®

  1. root¤Ë¤Ê¤ê¤Þ¤¹
    kagyuu@grape:~> su -
    Password:
  2. CA´ØÏ¢¤Î¥Õ¥¡¥¤¥ë¤ò³ÊǼ¤¹¤ë¥Ç¥£¥ì¥¯¥È¥ê¤òºîÀ®¤·¤Þ¤¹
    grape:~ # mkdir /usr/local/ssl
  3. CA¤òºîÀ®¤·¤Þ¤¹
       grape:~ # cd /usr/local/ssl
       grape:/usr/local/ssl # /usr/share/ssl/misc/CA.pl -newca
    ­¡ CA certificate filename (or enter to create)
       
       Making CA certificate ...
       Generating a 1024 bit RSA private key
       .................++++++
       ........++++++
       writing new private key to './demoCA/private/./cakey.pem'
    ­¢ Enter PEM pass phrase:****************
       Verifying - Enter PEM pass phrase:****************
       -----
       You are about to be asked to enter information that will be incorporated
       into your certificate request.
       What you are about to enter is what is called a Distinguished Name or a DN.
       There are quite a few fields but you can leave some blank
       For some fields there will be a default value,
       If you enter '.', the field will be left blank.
       -----
    ­£ Country Name (2 letter code) [AU]:JA
    ­¤ State or Province Name (full name) [Some-State]:Tokyo
    ­¥ Locality Name (eg, city) []:Bunkyo
    ­¦ Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private CA
    ­§ Organizational Unit Name (eg, section) []:
    ­¨ Common Name (eg, YOUR name) []:kagyuu
    ­© Email Address []:kagyuu@hondou.homedns.org
    • ɬÍפ¬Í­¤ì¤Ð¡¢/etc/ssl/openssl.cnf ¤òÊÔ½¸¤¹¤ë
      • ¥ª¥Ö¥¸¥§¥¯¥Èǧ¾Ú¤â¹Ô¤¦(Excel VBA¤Ê¤É) ¢ª nsCertType? ¤òÊÔ½¸¡£¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï¥ª¥Ö¥¸¥§¥¯¥Èǧ¾Ú°Ê³°¤ò¹Ô¤¨¤ë
      • ¾ÚÌÀ½ñ¤ÎÍ­¸ú´ü¸Â¤ÎÊѹ¹ ¢ª default_days ¤òÊÔ½¸¡£¥Ç¥Õ¥©¥ë¥È¤Ç¤Ï365Æü¡£3650Æü(10ǯ)¤ËÊѹ¹¡£
    • ­¡¾å°Ì¤Îǧ¾Úµ¡´Ø¤Î¾ÚÌÀ½ñ¤¬¤¢¤ë¾ì¹ç¤Ë»ØÄê¡£¤³¤³¤Ç¤Ï²¿¤âÆþ¤ì¤Ê¤¤
    • ­¢Ç§¾Úµ¡´Ø¤Î¥Ñ¥¹¥ï¡¼¥É
    • ­£¡Á­©Å¬Åö¤Ë
  4. ¤³¤ì¤Ç demoCA ¤¬¤Ç¤­¤Þ¤·¤¿
    grape:/usr/local/ssl # ls
    .  ..  demoCA

¾ÚÌÀ½ñ¤Îȯ¹Ô

  1. ¿½ÀÁ½ñ¤ÎºîÀ®(³Æ¥µ¥¤¥È¤Î±¿±Ä¼Ô¤Î»Å»ö)
       grape:/usr/local/ssl # /usr/share/ssl/misc/CA.pl -newreq-nodes
       Generating a 1024 bit RSA private key
       ...........++++++
       .......++++++
       writing new private key to 'newreq.pem'
       -----
       You are about to be asked to enter information that will be incorporated
       into your certificate request.
       What you are about to enter is what is called a Distinguished Name or a DN.
       There are quite a few fields but you can leave some blank
       For some fields there will be a default value,
       If you enter '.', the field will be left blank.
       -----
    ­¡ Country Name (2 letter code) [AU]:JP
    ­¢ State or Province Name (full name) [Some-State]:Tokyo
    ­£ Locality Name (eg, city) []:Bunkyo
    ­¤ Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hondoh
    ­¥ Organizational Unit Name (eg, section) []:Web Admin
    ­¦ Common Name (eg, YOUR name) []:hondou.homedns.org
    ­§ Email Address []:kagyuu@hondou.homedns.org
       
       Please enter the following 'extra' attributes
       to be sent with your certificate request
    ­¨ A challenge password []:
    ­© An optional company name []:
       Request (and private key) is in newreq.pem
       grape:/usr/local/ssl # ls
       .  ..  demoCA  newreq.pem
    • ¾ÚÌÀ½ñ¤òȯ¹Ô¤·¤Æ¤â¤é¤¦ÈëÌ©¸°¤Ë¤Ï passphrase ¤òÀßÄꤷ¤Þ¤»¤ó¡£(passphrase¤òÀßÄꤹ¤ë¤ÈApache¤òµ¯Æ°¤¹¤ëËè¤ËÆþÎϤ¹¤ëɬÍפ¬¤¢¤ë)
    • ­¦¤ËSSLÄÌ¿®¤ò¤¹¤ë¥µ¥¤¥È̾¤òµ­Æþ¤·¤Þ¤¹
    • ¸å¤ÏŬÅö¤Ë
    • ËÜÍè¤Ç¤¢¤ì¤Ð¡¢Ç§¾Ú¶É¤Ë¿½ÀÁ½ñ¤òÁ÷ÉÕ¤·¤Æ¾ÚÌÀ½ñ¤òȯ¹Ô¤·¤Æ¤â¤é¤¤¤Þ¤¹¡£¤³¤³¤Ç¤Ï¡¢¥ª¥ì¥ª¥ìǧ¾Ú¶É¤ò»È¤¦¤Î¤Ç¡¢¤½¤Î¤Þ¤Þºî¶È¤ò¿Ê¤á¤Þ¤¹¡£
  2. ¾ÚÌÀ½ñ¤Îȯ¹Ô(ǧ¾Ú¶É¤Î»Å»ö)
       grape:/usr/local/ssl # /usr/share/ssl/misc/CA.pl -sign
       Using configuration from /etc/ssl/openssl.cnf
    ­¡ Enter pass phrase for ./demoCA/private/cakey.pem:****************
       Check that the request matches the signature
       Signature ok
       Certificate Details:
               Serial Number: 1 (0x1)
               Validity
                   Not Before: Aug 18 17:44:34 2006 GMT
                   Not After : Aug 15 17:44:34 2016 GMT
               Subject:
                   countryName               = JP
                   stateOrProvinceName       = Tokyo
                   localityName              = Bunkyo
                   organizationName          = Hondoh
                   organizationalUnitName    = Web Admin
                   commonName                = hondou.homedns.org
                   emailAddress              = kagyuu@hondou.homedns.org
               X509v3 extensions:
                   X509v3 Basic Constraints:
                       CA:FALSE
                   Netscape Comment:
                       OpenSSL Generated Certificate
                   X509v3 Subject Key Identifier:
                       BC:E5:0A:10:94:5A:71:31:5F:04:CD:F8:71:17:98:C8:69:08:89:31
                   X509v3 Authority Key Identifier:
                       keyid:5B:68:21:F5:6D:0F:94:60:55:6A:2F:55:9A:8E:7E:07:F2:58:42:CB
                       DirName:/C=JP/ST=Tokyo/L=Bunkyo/O=PrivateCA/CN=kagyuu/emailAddress=kagyuu@hondou.homedns.org
                       serial:A8:16:81:D7:6B:0A:F2:FF
       
       Certificate is to be certified until Aug 15 17:44:34 2016 GMT (3650 days)
       Sign the certificate? [y/n]:y
       
       
    ­¢ 1 out of 1 certificate requests certified, commit? [y/n]y
       Write out database with 1 new entries
       Data Base Updated
       Signed certificate is in newcert.pem
       grape:/usr/local/ssl # ls
       .  ..  demoCA  newcert.pem  newreq.pem
    • ­¡Ç§¾Ú¶É¤Î¥Ñ¥¹¥ï¡¼¥É¤òÆþÎϤ·¤Þ¤¹
    • ¥«¥ì¥ó¥È¥Ç¥£¥ì¥¯¥È¥ê¤Ë¤¢¤ë¿½ÀÁ½ñ(newreq.pem)¤ËÂФ·¤Æ¡¢¾ÚÌÀ½ñ(newcert.pem)¤¬È¯¹Ô¤µ¤ì¤Þ¤¹

Apache2ÍѤ˸°¥»¥Ã¥È¤È¾ÚÌÀ½ñ¤òÃê½Ð

  1. Web¥µ¡¼¥Ð¤ÎÈëÌ©¸°¤ÎÃê½Ð
    grape:/usr/local/ssl # openssl rsa -in newreq.pem -out server.key
    writing RSA key
  2. Web¥µ¡¼¥Ð¤Î¾ÚÌÀ½ñ¤ÎÃê½Ð
    grape:/usr/local/ssl # openssl x509 -in newcert.pem -out server.crt
  3. Web¥µ¡¼¥Ð¤Î¸ø³«¸°¤Ï¤É¤³¤Ø¹Ô¤Ã¤¿¡©
    • CA¤ÎÈëÌ©¸°¤Ç°Å¹æ²½¤µ¤ì¤Æ¤¤¤ë¾ÚÌÀ½ñ¤Ë³ÊǼ¤µ¤ì¤Æ¤¤¤Þ¤¹
    • CA¤Î¸ø³«¸°¤Ç¾ÚÌÀ½ñ¤¬Ê£¹æ¤Ç¤­¤ì¤Ð¡¢¾ÚÌÀ½ñ¤Ï³Î¤«¤ËCA¤Ç°Å¹æ²½¤µ¤ì¤¿¤³¤È¤¬Ê¬¤«¤ë
    • ¾ÚÌÀ½ñ¤ÎÉü¹æ·ë²Ì¤¬Web¥µ¡¼¥Ð¤Î¸ø³«¸°

Apache2¤ÎÀßÄê

  1. mod_ssl¤ÎÍ­¸ú²½
    1. [Yast]-[¥Í¥Ã¥È¥ï¡¼¥¯¥µ¡¼¥Ó¥¹]-[HTTP¥µ¡¼¥Ð]
      ssl_yast1.png
    2. [¥â¥¸¥å¡¼¥ë]-[ssl] ¤Ç [¥¹¥Æ¡¼¥¿¥¹¤ÎÀÚ¤êÂؤ¨]
      ssl_yast2.png
  2. SSLÍ­¸ú²½¥Õ¥é¥°¤ÎÀßÄê
    • /etc/apache2/ssl-global.conf ¤ò¸«¤Æ¤âʬ¤«¤ë¤È¤ª¤ê¡¢Suse¤Ç¤Ï´Ä¶­ÊÑ¿ô¤ò¸«¤ÆSSL¤òÍ­¸ú²½¤·¤Æ¤¤¤ë¤è¤¦¤À
      # This global SSL configuration is ignored if
      # "SSL" is not defined, or if "NOSSL" is defined.
      <IfDefine SSL>
      <IfDefine !NOSSL>
      <IfModule mod_ssl.c>
       #
       #   Some MIME-types for downloading Certificates and CRLs
       #
       AddType application/x-x509-ca-cert .crt
       AddType appli
       Ž¥Ž¥Ž¥
    1. [Yast]-[¥·¥¹¥Æ¥à]-[/etc/sysconfig¥¨¥Ç¥£¥¿¡¼]
      ssl_yast3.png
    2. [Network]-[WWW]-[Apache2]-[APACHE_SERVER_FLAGS] ¤Ë¡¢¡Ö-D SSL¡×¤òÀßÄê
      ssl_yast4.png
  3. Virtual Host ¤ÎÀßÄê
    • Yast¤«¤é¥Ç¥Õ¥©¥ë¥È¥Û¥¹¥È¤ËSSLµ¡Ç½¤òÉղäǤ­¤ë¤è¤¦¤À¤¬¤è¤¯Ê¬¤«¤é¤ó
    • SSLÍѤÎVirtual Host¤Î¤Ò¤Ê·Á¤¬ÍÑ°Õ¤µ¤ì¤Æ¤¤¤ë¤Î¤Ç¤½¤ì¤òÍøÍѤ·¤ÆSSLÍѤÎVirtual Host¤òÄɲ乤ë
    • ÄɲäλÅÊý¤Ï´Êñ¤Ç¡¢/etc/apache2/vhosts.d ¤Ë¡¢*.conf ¥Õ¥¡¥¤¥ë¤òÃÖ¤­¡¢Apache¤òºÆµ¯Æ°¤¹¤ë¤ÈÄɲ䵤ì¤ë
      grape:/etc/apache2/vhosts.d # cp vhost-ssl.template vhost-ssl.conf
      grape:/etc/apache2/vhosts.d # vi vhost-ssl.conf
      
       Ž¥Ž¥Ž¥(¤¤¤í¤¤¤í¤¤¤¸¤Ã¤Æ)Ž¥Ž¥Ž¥
      
      grape:/etc/apache2/vhosts.d # diff vhost-ssl.template vhost-ssl.conf -u
      --- vhost-ssl.template  2005-09-10 03:39:20.000000000 +0900
      +++ vhost-ssl.conf      2006-08-19 03:58:09.000000000 +0900
      @@ -36,8 +36,8 @@
      
              #  General setup for the virtual host
              DocumentRoot "/srv/www/htdocs"
      -       #ServerName www.example.com:443
      -       #ServerAdmin webmaster@example.com
      +       ServerName hondou.homedns.org:443
      +       ServerAdmin kagyuu@hondou.homedns.org
              ErrorLog /var/log/apache2/error_log
              TransferLog /var/log/apache2/access_log
      
      @@ -57,16 +57,18 @@
              #   in mind that if you have both an RSA and a DSA certificate you
              #   can configure both in parallel (to also allow the use of DSA
              #   ciphers, etc.)
      -       SSLCertificateFile /etc/apache2/ssl.crt/server.crt
      +       #SSLCertificateFile /etc/apache2/ssl.crt/server.crt
              #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
      +        SSLCertificateFile /usr/local/ssl/server.crt
      
              #   Server Private Key:
              #   If the key is not combined with the certificate, use this
              #   directive to point at the key file.  Keep in mind that if
              #   you've both a RSA and a DSA private key you can configure
              #   both in parallel (to also allow the use of DSA ciphers, etc.)
      -       SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
      +       #SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
              #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
      +        SSLCertificateKeyFile /usr/local/ssl/server.key
      
              #   Server Certificate Chain:
              #   Point SSLCertificateChainFile at a file containing the
      @@ -86,6 +88,8 @@
              #         Makefile to update the hash symlinks after changes.
              #SSLCACertificatePath /etc/apache2/ssl.crt
              #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
      +        SSLCACertificatePath /usr/local/ssl/demoCA
      +        SSLCACertificateFile /usr/local/ssl/demoCA/cacert.pem
      
              #   Certificate Revocation Lists (CRL):
              #   Set the CA revocation path where to find CA CRLs for client
      grape:/etc/apache2/vhosts.d #
  4. ºÇ¸å¤Ë¡¢HTTPS(Port443)¤ò¤¢¤±¤Æ ( [Yast]-[¥»¥­¥å¥ê¥Æ¥£¤È¥æ¡¼¥¶]-[¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë] )
    ssl_yast5.png
  5. ºÆµ¯Æ°
    grape:/etc/apache2/vhosts.d # /etc/rc.d/apache2 restart
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate)          done
    Starting httpd2 (prefork)                                             done
  6. ADSL¥ë¡¼¥¿¤ÎÀßÄê¤Ç¡¢443¥Ý¡¼¥È¤ò¤¢¤±¤ë¤Î¤â˺¤ì¤º¤Ë

ÀßÄê·ë²Ì

ssl_access.png

https¤Ç¥¢¥¯¥»¥¹¤¹¤ë¤ÈÄÌ¿®¤¬°Å¹æ²½¤µ¤ì¤ë¤è¤¦¤Ë¤Ê¤Ã¤¿

Squirrelmail¤Î¶¯À©SSL¥¢¥¯¥»¥¹

/srv/www/htdocs/squirrelmail/index.php ¤Î¤ê¥À¥¤¥ì¥¯¥ÈÀè¤òhttps¤Ë¤¹¤ë¡£

  // if we are, go ahead to the login page.
- header('Location: src/login.php');
+ header('Location: https://hondou.homedns.org/squirrelmail/src/login.php');

Suse 10 Server


*1 µ¬³Ê¼«ÂΤÏTCP¤È¥¢¥×¥ê¥±¡¼¥·¥ç¥óÁؤδ֤ËÆþ¤ëÃæΩŪ¤Ê¤â¤Î¤Ê¤Î¤Ç¡¢SSL¤ò»È¤Ã¤¿ FTP/SMTP ¤Ê¤É¤â²Äǽ¤À¤¬¡¢¸½¼ÂŪ¤Ë¤Ï HTTP ¤Ç¤·¤«»È¤ï¤ì¤Æ¤¤¤Ê¤¤

źÉÕ¥Õ¥¡¥¤¥ë: filessl_yast5.png 2414·ï [¾ÜºÙ] filessl_yast1.png 2585·ï [¾ÜºÙ] filessl_access.png 2442·ï [¾ÜºÙ] filessl.png 2507·ï [¾ÜºÙ] filessl_yast4.png 2558·ï [¾ÜºÙ] filessl_yast2.png 2454·ï [¾ÜºÙ] filessl_yast3.png 2478·ï [¾ÜºÙ]

¥È¥Ã¥×   ÊÔ½¸ Åà·ë²ò½ü º¹Ê¬ ¥Ð¥Ã¥¯¥¢¥Ã¥× źÉÕ Ê£À½ ̾Á°Êѹ¹ ¥ê¥í¡¼¥É   ¿·µ¬ °ìÍ÷ ñ¸ì¸¡º÷ ºÇ½ª¹¹¿·   ¥Ø¥ë¥×   ºÇ½ª¹¹¿·¤ÎRSS   sitemap
Last-modified: 2006-08-19 (ÅÚ) 14:37:07 (6693d)
Short-URL:
ISBN10
ISBN13
9784061426061