
Configuring SSL in Apache on Windows

Created: 9 February 2008


Edit "httpd.conf".

Immediately after installation the SSL module is disabled, so uncomment the following two lines to enable it (the LoadModule line loads mod_ssl, the Include line pulls in the SSL virtual host configuration):

           :

LoadModule ssl_module modules/mod_ssl.so

           :

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

           :


Starting Apache now produces this error:

Syntax error on line 68 of C:/Apache2.2/conf/extra/httpd-ssl.conf:
Invalid SSLMutex argument file:C:/Apache2.2/logs/ssl_mutex (Valid SSLMutex mecha
nisms are: `none', `default'
)
Note the errors or messages above, and press the <ESC> key to exit. 16...

           :


Change it as the error message instructs (the Windows build of mod_ssl only offers the `none' and `default' mutex mechanisms, so the file-based one from the stock httpd-ssl.conf cannot be used):

           :

#SSLMutex  "file:C:/Apache2.2/logs/ssl_mutex"
SSLMutex  "default"

           :
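The directives in conf/extra/httpd-ssl.conf that the rest of this page depends on, as an added example (it is not taken from the page; the install prefix, host name and document root are assumptions, and the stock 2.2 cipher list is shown commented out beside a replacement):

```apache
# Added example, not from the original page: the parts of
# conf/extra/httpd-ssl.conf the rest of the page relies on. Install
# prefix, host name and DocumentRoot are assumptions.
Listen 443

# Windows mod_ssl only offers `none' and `default'; this is the fix above.
SSLMutex default

<VirtualHost _default_:443>
    DocumentRoot "C:/Apache2.2/htdocs"
    ServerName kai.tomo.ac:443
    SSLEngine on

    # Stock file names: this is why the page ends by producing server.crt
    # and server.key in conf/. The key is unencrypted so httpd can start
    # as a service without a pass-phrase prompt; restrict it with NTFS ACLs.
    SSLCertificateFile "C:/Apache2.2/conf/server.crt"
    SSLCertificateKeyFile "C:/Apache2.2/conf/server.key"

    # Stock 2.2 cipher list, kept for contrast: it admits SSLv2, export-grade
    # and NULL ciphers and should not be used.
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Replacement: TLS only, strong ciphers, server picks the order.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
```

Anything with a pass phrase on the key would stop a service start on Windows, since there is no console to answer the SSLPassPhraseDialog prompt; that is the reason the request below is made with -nodes.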

Installing OpenSSL

Windows builds of OpenSSL can be downloaded from:

http://www.openssl.org/related/binaries.html


Install the OpenSSL version that matches the one your Apache build was linked against; the Apache installer's file name carries it.
For "apache_2.2.8-win32-x86-openssl-0.9.8g.msi", install "Win32OpenSSL-0_9_8g.exe".


Creating the certificates

Open "C:\OpenSSL\bin\openssl.cnf" and change three places. The excerpt below shows the file after editing rather than the edits themselves; set against the stock example configuration that ships with OpenSSL, the three lines that differ are unique_subject = yes (stock: #unique_subject = no) and the two nsCertType lines uncommented under [ usr_cert ] and [ v3_ca ]. Note that nsCertType is a Netscape-era extension: it is what the CA.pl steps below key off, but current clients decide server-versus-CA use from basicConstraints, keyUsage and extendedKeyUsage, and check the host name against subjectAltName, none of which this configuration sets for the server certificate.

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

     (lines omitted)

[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

     (lines omitted)

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType = server

     (lines omitted)

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
nsCertType = sslCA, emailCA

     (lines omitted)

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 


Creating the CA private key (cakey.pem) and CA certificate (cacert.pem)

CA.pl -newca generates the CA key, encrypts it with the pass phrase entered here, and self-signs a CA certificate valid for 1095 days. This pass phrase is asked for again at every signing step, so it must be kept; the CA key itself should never be copied onto the web server.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>perl C:\openssl\bin\CA.pl -newca
CA certificate filename (or enter to create)
<Enter>
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............++++++
..............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:********
Verifying - Enter PEM pass phrase:********
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Osaka
Organizational Unit Name (eg, section) []:Osaka
Common Name (eg, YOUR name) []:kai.tomo.ac
Email Address []:<Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<Enter>
An optional company name []:<Enter>
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8e:27:1c:b8:64:1a:eb:a3
Validity
Not Before: Feb 9 10:09:47 2008 GMT
Not After : Feb 8 10:09:47 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Osaka
organizationalUnitName = Osaka
commonName = kai.tomo.ac
X509v3 extensions:
X509v3 Subject Key Identifier:
92:EB:7A:30:58:96:8B:7F:57:64:5A:DD:B2:84:A5:AE:DA:91:4F:89
X509v3 Authority Key Identifier:
keyid:92:EB:7A:30:58:96:8B:7F:57:64:5A:DD:B2:84:A5:AE:DA:91:4F:89
DirName:/C=JP/ST=Osaka/O=Sanyo/OU=Osaka/CN=kaiyasunet.bpi.co.jp
serial:8E:27:1C:B8:64:1A:EB:A3

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until Feb 8 10:09:47 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

C:\Program Files\Apache Software Foundation\Apache2.2\conf>


Writing the CA certificate out as cacert.crt

This only re-emits the PEM-encoded CA certificate under a .crt name; no new certificate is created.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt


Creating ca.der for importing into the browser

Import ca.der into the browser's trusted root store. From then on that browser trusts every certificate signed with cakey.pem, for any host name, which is one more reason to keep cakey.pem and its pass phrase off the web server.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>openssl x509 -inform pem -in demoCA/cacert.pem -outform der -out demoCA/ca.der



Creating the certificate signing request for the server certificate (newreq.pem)

-newreq-nodes writes the server private key (newkey.pem) without a pass phrase ("nodes" = no DES). That is what lets httpd later start as a Windows service without prompting, so the file has to be protected by NTFS permissions instead. The Common Name entered here must be the host name clients will type into the browser.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>perl C:\openssl\bin\CA.pl -newreq-nodes

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..++++++
...............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Osaka
Organizational Unit Name (eg, section) []:Osaka
Common Name (eg, YOUR name) []:kai.tomo.ac
Email Address []:<Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<Enter>
An optional company name []:<Enter>
Request is in newreq.pem, private key is in newkey.pem

C:\Program Files\Apache Software Foundation\Apache2.2\conf>


Creating the server certificate (server.crt)

CA.pl -sign signs newreq.pem with the CA key (hence the pass-phrase prompt) and applies the [ usr_cert ] extensions, so the result is marked CA:FALSE and SSL Server and is valid for 365 days.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>perl C:\openssl\bin\CA.pl -sign

Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:*******
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8e:27:1c:b8:64:1a:eb:a4
Validity
Not Before: Feb 9 10:24:19 2008 GMT
Not After : Feb 8 10:24:19 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
localityName = Osaka
organizationName = Osaka
organizationalUnitName = Osaka
commonName = kai.tomo.ac
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
26:44:3F:BC:FF:24:EB:25:7B:4D:27:53:C9:2F:D4:27:43:8A:31:5F
X509v3 Authority Key Identifier:
keyid:92:EB:7A:30:58:96:8B:7F:57:64:5A:DD:B2:84:A5:AE:DA:91:4F:89

Certificate is to be certified until Feb 8 10:24:19 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

C:\Program Files\Apache Software Foundation\Apache2.2\conf>
 

Write the signed certificate out as server.crt. As written by CA.pl, newcert.pem contains the text dump ahead of the PEM block; this command keeps only the PEM block:

C:\Program Files\Apache Software Foundation\Apache2.2\conf>openssl x509 -in newcert.pem -out server.crt

C:\Program Files\Apache Software Foundation\Apache2.2\conf>


Create "server.key" by copying the private key:

C:\Program Files\Apache Software Foundation\Apache2.2\conf>copy newkey.pem server.key
        1 file(s) copied.

C:\Program Files\Apache Software Foundation\Apache2.2\conf>

Restart Apache and it will now listen on port 443. The stock conf/extra/httpd-ssl.conf points SSLCertificateFile and SSLCertificateKeyFile at conf/server.crt and conf/server.key, which is why the files were given those names. Browsers will keep warning until ca.der has been imported as a trusted root, and the Common Name entered above (kai.tomo.ac) has to match the host name the browser connects to. The server certificate made here expires after 365 days (Feb 8 2009 in the run above), so the request and signing steps have to be repeated before then.
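The whole procedure above, redone as an added example that is not code from the original page: plain openssl commands instead of CA.pl, so it runs unattended (the CA pass phrase comes from $CAPASS rather than a prompt), 2048-bit keys instead of 1024, and a subjectAltName plus keyUsage/extendedKeyUsage on the server certificate, which current browsers require in place of nsCertType and a matching Common Name. Signing uses `openssl x509 -req` rather than the demoCA database behind CA.pl's `openssl ca`, so no index.txt or serial files are needed. HOST, CAPASS, the DN values and the output directory are assumptions; it needs openssl on PATH and a POSIX shell (Git Bash or WSL on the Windows box, or a separate Unix CA host), and the server.crt and server.key it produces are the two files conf/ expects.

```shell
#!/bin/sh
# Added example, not code from the original page: the CA.pl walk-through
# above redone with plain openssl commands. HOST, CAPASS, the DN values and
# the output directory are assumptions. Needs openssl on PATH.
set -eu

HOST="${HOST:-kai.tomo.ac}"       # assumed server name; must equal what clients type
CAPASS="${CAPASS:-change-me}"     # assumed; encrypts cakey.pem as CA.pl -newca did

# Write a minimal openssl.cnf into $1. It stands in for the three edits the page
# makes to the stock file: each certificate type gets its own extension section
# (the role [ v3_ca ] and [ usr_cert ] played there), but with keyUsage,
# extendedKeyUsage and subjectAltName instead of the Netscape-era nsCertType.
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = JP
ST = Osaka
O  = Osaka
CN = $HOST

[ v3_ca ]
basicConstraints     = critical, CA:true, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$HOST
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build the whole PKI in directory $1: CA key + self-signed CA certificate,
# server key + CSR, the signed server certificate, and ca.der for the browser.
make_pki() {
    mkdir -p "$1"
    write_config "$1"
    (
        cd "$1"
        # CA.pl -newca: AES-encrypted CA key, three-year self-signed CA certificate
        openssl genrsa -aes256 -passout "pass:$CAPASS" -out cakey.pem 2048 2>/dev/null
        openssl req -new -x509 -days 1095 -config openssl.cnf -extensions v3_ca \
            -key cakey.pem -passin "pass:$CAPASS" \
            -subj "/C=JP/ST=Osaka/O=Osaka/CN=Osaka test CA" -out cacert.pem
        # CA.pl -newreq-nodes: server key deliberately left unencrypted so httpd
        # can start as a service without a prompt; restrict it with file ACLs
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -config openssl.cnf -key server.key -out newreq.pem
        # CA.pl -sign: one-year server certificate carrying the v3_server extensions
        openssl x509 -req -days 365 -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
            -passin "pass:$CAPASS" -CAcreateserial \
            -extfile openssl.cnf -extensions v3_server -out server.crt
        # the page's ca.der step: DER copy of the CA certificate for browser import
        openssl x509 -in cacert.pem -outform der -out ca.der
    )
}

# Check that what make_pki produced is what httpd and a browser need: the chain
# verifies for the sslserver purpose and the host name, the leaf is not a CA,
# the SAN carries the host name, and ca.der parses as DER.
verify_pki() {
    openssl verify -CAfile "$1/cacert.pem" -purpose sslserver \
        -verify_hostname "$HOST" "$1/server.crt" >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE' &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$HOST" &&
    openssl x509 -in "$1/ca.der" -inform der -noout -subject >/dev/null
}

main() {
    out="${1:-$(mktemp -d)}"
    make_pki "$out"
    verify_pki "$out"
    echo "verified; copy $out/server.crt and $out/server.key into Apache's conf/"
}

main "$@"
```

Once the files are in conf/ and Apache has been restarted, the same check can be run against the live server with `openssl s_client -connect kai.tomo.ac:443 -CAfile cacert.pem`, which should end with "Verify return code: 0 (ok)"; anything else means the browser will warn too. Asking the CA certificate itself to verify with -purpose sslserver fails by design, since its keyUsage has no digitalSignature or keyEncipherment bit, which is the separation the page's nsCertType edits were reaching for.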

