Apache2 SSL configuration [Solaris 10]
This article walks through configuring Apache2 with SSL on Solaris 10 11/06 (U3).
(Naturally, the certificate used in this example is self-signed, so it is fine for testing or for use inside a specific organization, but it is not suitable for a service facing the outside world.)
Starting with Apache 2.0.x, the mod_ssl module is installed by default. When mod_ssl is installed, a configuration file named /etc/apache2/ssl.conf is generated. This file already contains all the necessary settings in its default state, so it does not need any particular changes. Note that by default the server certificate is expected at /etc/apache2/ssl.crt/server.crt and the server's private key at /etc/apache2/ssl.key/server.key.
Let's take a look at the default configuration files.
bash-3.00# pwd
/etc/apache2
bash-3.00# ls
highperformance-std.conf  httpd.conf-example  ssl-std.conf
highperformance.conf      magic               ssl.conf
httpd-std.conf            mime.types
■ Enabling the apache2 service
First, enable the apache2 service without turning SSL on.
bash-3.00# pwd
/etc/apache2
bash-3.00# cp httpd.conf-example httpd.conf
Edit only ServerName, setting it to something appropriate, as shown below.
bash-3.00# vi httpd.conf
...
ServerName sol10pc.example.com
Enable the apache2 service with the svcadm command.
bash-3.00# svcadm enable apache2
bash-3.00# svcs apache2
STATE          STIME    FMRI
online         18:26:25 svc:/network/http:apache2
Naturally, SSL is not enabled with this configuration.
■ Enabling SSL
Confirm that httpd.conf contains the following entry.
----------------------------------
<IfModule mod_ssl.c>
Include /etc/apache2/ssl.conf
</IfModule>
----------------------------------
The detailed SSL settings are made in the /etc/apache2/ssl.conf file.
Change to the /etc/apache2 directory and open the ssl.conf file.
bash-3.00# cd /etc/apache2
bash-3.00# vi ssl.conf
--------------------------------------
...
<VirtualHost 192.168.1.1:443>     <--- replace _default_ with the web server's IP address
...
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
...
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
...
-------------------------------------------
Make the small change shown above and confirm the values of SSLCertificateFile and SSLCertificateKeyFile. SSLCertificateFile names the server certificate file and SSLCertificateKeyFile names the server's private key file.
In the /etc/apache2 directory, create the directories that will hold the server certificate and server private key whose paths you just confirmed.
bash-3.00# cd /etc/apache2
bash-3.00# mkdir ssl.crt
bash-3.00# mkdir ssl.key
bash-3.00# ls -F
highperformance-std.conf  magic         ssl.crt/
highperformance.conf      mime.types    ssl.key/
httpd-std.conf            ssl-std.conf
httpd.conf-example        ssl.conf
Create a working directory for generating the certificates and keys, and change into it.
bash-3.00# mkdir tmp
bash-3.00# ls -F
highperformance-std.conf  magic         ssl.crt/
highperformance.conf      mime.types    ssl.key/
httpd-std.conf            ssl-std.conf  tmp/
httpd.conf-example        ssl.conf
bash-3.00# cd tmp
To use the openssl command, add its directory to PATH as follows.
bash-3.00# PATH=$PATH:/usr/sfw/bin
bash-3.00# export PATH
To use SSL, first create the CA's private key.
bash-3.00# openssl genrsa -rand /var/adm/messages -out ca.key 1024
271074 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
...............++++++
e is 65537 (0x10001)
The -rand option names a file whose contents are used as seed material for the random data; this example uses /var/adm/messages. The command produces a 1024-bit RSA private key (ca.key).
Next, create a certificate signing request (CSR) for the CA certificate from ca.key. The information entered interactively here, such as the country name, appears in the issued certificate.
bash-3.00# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinagawa
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Example KK
Organizational Unit Name (eg, section) []:Test Dept
Common Name (eg, YOUR name) []:Test User
Email Address []:testuser@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next, sign and issue the CA certificate. It is not used here, but the -days option lets you set the certificate's validity period; for example, "-days 365" issues a certificate valid for one year.
bash-3.00# ls
ca.csr  ca.key
bash-3.00# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Shinagawa/O=Example KK/OU=Test Dept/CN=Test User/emailAddress=testuser@example.com
Getting Private key
The remaining steps create the server certificate. First, create the server's private key.
bash-3.00# openssl genrsa -rand /var/adm/messages -out server.key 1024
271074 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........++++++
.................................++++++
e is 65537 (0x10001)
Create the CSR for the server certificate from the server's private key. As with the CSR for the CA certificate, enter the fields interactively. This time, enter the server's host name as the Common Name.
bash-3.00# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinagawa
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Example KK
Organizational Unit Name (eg, section) []:Test Dept
Common Name (eg, YOUR name) []:sol10pc.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Before signing and issuing the server certificate, you need to create the serial number file that the certificate authority uses.
bash-3.00# echo 01 > ca.srl
Now that everything is in place, issue the certificate. Here "-days 365" is given, so the certificate is valid for one year.
bash-3.00# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAserial ca.srl -in server.csr -out server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Shinagawa/O=Example KK/OU=Test Dept/CN=sol10pc.example.com/emailAddress=webmaster@example.com
Getting CA Private Key
Copy the server.crt and server.key you created as follows.
bash-3.00# cp server.crt /etc/apache2/ssl.crt
bash-3.00# cp server.key /etc/apache2/ssl.key
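The CA and server-certificate steps above, written as a non-interactive script with a verification pass to run before the files are copied into /etc/apache2. This is an added example, not code from the original page: the make_test_pki and verify_pki functions, their DIR/HOST arguments, the "Test CA" name and the ten-year CA validity are my own choices; it uses 2048-bit keys instead of the page's 1024-bit keys (1024-bit RSA is no longer adequate) and adds a subjectAltName, which current clients require in addition to the CN.

```shell
#!/bin/sh
# Added example (not from the page): the CA and server certificate steps
# above as a non-interactive script, plus the checks to run before the
# files are copied into /etc/apache2. Needs the openssl CLI.
set -eu

# make_test_pki DIR HOST: create ca.key, ca.crt, server.key, server.crt in DIR.
# 2048-bit keys replace the page's 1024-bit keys; a subjectAltName is added
# because current clients no longer accept the CN alone.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA key and self-signed CA cert in one step (page: req, then x509 -signkey)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 -out "$dir/ca.crt" \
        -subj "/C=JP/ST=Tokyo/O=Example KK/OU=Test Dept/CN=Test CA"
    # Server key and CSR; the CN is the host name clients connect to
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/O=Example KK/OU=Test Dept/CN=$host"
    # CA serial file (same role as 'echo 01 > ca.srl' on the page) and SAN
    echo 01 > "$dir/ca.srl"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -in "$dir/server.csr" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    # httpd reads the key as root; nobody else needs to
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_pki DIR HOST: succeed only if server.crt chains to ca.crt, server.key
# belongs to server.crt, and the certificate is issued for HOST.
verify_pki() {
    dir=$1; host=$2
    # chain check: what a client that trusts ca.crt will do
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    # key/cert match: a mismatch stops httpd from starting with -DSSL
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    # name check: both the SAN and the CN must carry the host name
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host" || return 1
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$host"
}

# Usage: sh mkpki.sh /etc/apache2/tmp sol10pc.example.com
if [ $# -eq 2 ]; then
    make_test_pki "$1" "$2" && verify_pki "$1" "$2" && echo "certificates in $1 verified for $2"
fi
```

After a successful run, server.crt and server.key are copied into /etc/apache2/ssl.crt and /etc/apache2/ssl.key exactly as on the page; the CA key never leaves the working directory.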
apache2 is now ready to serve SSL, but as shown below the apache2 service's httpd/ssl property is set to false, so a normal start does not pass the startssl argument to the apachectl command.
(See the /lib/svc/method/http-apache2 file.)
bash-3.00# svcprop -p httpd/ssl apache2
false
Set the httpd/ssl property to true as follows and restart the apache2 service.
bash-3.00# svccfg -s apache2
svc:/network/http:apache2> setprop httpd/ssl = boolean: true
svc:/network/http:apache2> end
bash-3.00# svcadm refresh apache2
bash-3.00# svcprop -p httpd/ssl apache2
true
bash-3.00# svcadm -v restart apache2
Action restart set for svc:/network/http:apache2.
Looking at the processes, as shown below, also confirms that SSL is enabled.
bash-3.00# ps -ef | grep httpd
webservd  1961  1959  0 18:26:26 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd  1962  1959  0 18:26:26 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd  1963  1959  0 18:26:26 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd  1967  1959  0 18:27:23 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL
    root  1959     1  0 18:26:25 ?  0:01 /usr/apache2/bin/httpd -k start -DSSL
webservd  1964  1959  0 18:26:26 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd  1960  1959  0 18:26:26 ?  0:00 /usr/apache2/bin/httpd -k start -DSSL