Work Diary @HatenaBlog

Assorted work notes

A self-signed certificate for the site

Creating the self-signed certificate


# cd /usr/ports/www/apache13-modssl/

# make certificate



SSL Certificate Generation Utility (mkcert.sh)

Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.



Generating test certificate signed by Snake Oil CA [TEST]

WARNING: Do not use this for real-life/production systems

_________________________________________________________________



STEP 0: Decide the signature algorithm used for certificate

The generated X.509 CA certificate can contain either

RSA or DSA based ingredients. Select the one you want to use.

Signature Algorithm ((R)SA or (D)SA) [R]:

_________________________________________________________________



STEP 1: Generating RSA private key (1024 bit) [server.key]

3699734 semi-random bytes loaded

Generating RSA private key, 1024 bit long modulus

.........++++++

..++++++

e is 65537 (0x10001)

_________________________________________________________________



STEP 2: Generating X.509 certificate signing request [server.csr]

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


1. Country Name (2 letter code) [XY]:[Enter]

2. State or Province Name (full name) [Snake Desert]:[Enter]

3. Locality Name (eg, city) [Snake Town]:[Enter]

4. Organization Name (eg, company) [Snake Oil, Ltd]:[Enter]

5. Organizational Unit Name (eg, section) [Webserver Team]:[Enter]

6. Common Name (eg, FQDN) [www.snakeoil.dom]:your server's FQDN (the host name clients connect to, not a URL)

7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:postmaster@your domain

8. Certificate Validity (days) [365]:[Enter]

_________________________________________________________________



STEP 3: Generating X.509 certificate signed by Snake Oil CA

[server.crt]

Certificate Version (1 or 3) [3]:[Enter]

Signature ok

subject=/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/CN=www.snakeoil.dom/emailAddress=www@snakeoil.dom

Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature

../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom

error 10 at 1 depth lookup:certificate has expired

OK

_________________________________________________________________



STEP 4: Encrypting RSA private key with a pass phrase for security

[server.key]

The contents of the server.key file (the generated private key) has to be

kept secret. So we strongly recommend you to encrypt the server.key file

with a Triple-DES cipher and a Pass Phrase.

Encrypt the private key now? [Y/n]:[Enter]

writing RSA key

Enter PEM pass phrase:passphrase

Verifying - Enter PEM pass phrase:the same passphrase again

Fine, you're using an encrypted RSA private key.

_________________________________________________________________



RESULT: Server Certification Files



o conf/ssl.key/server.key

The PEM-encoded RSA private key file which you configure

with the 'SSLCertificateKeyFile' directive (automatically done

when you install via APACI). KEEP THIS FILE PRIVATE!



o conf/ssl.crt/server.crt

The PEM-encoded X.509 certificate file which you configure

with the 'SSLCertificateFile' directive (automatically done

when you install via APACI).



o conf/ssl.csr/server.csr

The PEM-encoded X.509 certificate signing request file which

you can send to an official Certificate Authority (CA) in order

to request a real server certificate (signed by this CA instead

of our demonstration-only Snake Oil CA) which later can replace

the conf/ssl.crt/server.crt file.



WARNING: Do not use this for real-life/production systems



Copying the self-signed certificate


# cd /usr/ports/www/apache13-modssl/work/apache_1.3.xx/conf

# cp -Rp ssl.crt /usr/local/etc/apache/

# cp -Rp ssl.key /usr/local/etc/apache/

Omitting the passphrase

Every time Apache is started with SSL enabled it prompts for the passphrase, so it cannot be started automatically at OS boot. The passphrase prompt is therefore removed. Note what this trades away: the resulting server.key is stored unencrypted, and anyone who can read it can impersonate the server. Keep it owned by root with mode 0400 (the encrypted original, server.key.orig, deserves the same permissions), and do not leave copies in the ports work directory or in backups that are readable by other users.


# cd /usr/local/etc/apache/ssl.key

# cp -p server.key server.key.orig

# /usr/local/ssl/bin/openssl rsa -in server.key.orig -out server.key

read RSA key

Enter PEM pass phrase:<enter the passphrase>

writing RSA key

#
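The three steps on this page (the mkcert.sh key/CSR/certificate run, copying the files, and stripping the passphrase) done directly with openssl, as an added example that is not part of the original post or of mod_ssl's mkcert.sh. It self-signs with the server's own key instead of the Snake Oil test CA, uses 2048-bit RSA rather than the 1024 bits generated above, and then performs the checks a practitioner wants before an unencrypted server.key goes live: the encryption header is gone, the file mode is 0400, the certificate and key moduli match (mkcert's own "Verify" step), and the CN is the host name rather than a URL. The host name, passphrase and working directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page or from mkcert.sh): the same
# key -> CSR -> certificate -> strip-passphrase sequence with plain openssl,
# followed by the checks worth running before the plaintext key is used.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumption: scratch directory for the demo
FQDN="www.example.test"             # assumption: the host name clients will connect to
PASS="demo-passphrase-only"         # assumption: demo value; never hard-code a real passphrase

# STEP 1-3 equivalents: passphrase-protected 2048-bit key, CSR with the FQDN
# as CN, then a certificate signed by that same key (no Snake Oil CA).
make_cert() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key.orig" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key.orig" -passin "pass:$PASS" \
    -subj "/C=JP/O=Example/CN=$FQDN" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key.orig" \
    -passin "pass:$PASS" -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# "Omitting the passphrase": write an unencrypted copy, then make both files
# readable by their owner only; the plaintext key is now only as safe as the
# filesystem permissions around it.
strip_passphrase() {
  openssl rsa -in "$WORK/server.key.orig" -passin "pass:$PASS" \
    -out "$WORK/server.key" 2>/dev/null
  chmod 400 "$WORK/server.key" "$WORK/server.key.orig"
}

# True when the PEM file still carries an encryption marker
# ("Proc-Type: 4,ENCRYPTED" for legacy PEM, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# mkcert's "Verify: matching certificate & key modulus" check: both commands
# print "Modulus=<hex>", which must be identical.
moduli_match() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Mode bits as shown by ls -l: owner read only, nothing for group or others.
perms_are_0400() { [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]; }

# The CN must be the host name; the pattern tolerates both the old
# "/CN=host" and the newer "CN = host" subject formats.
cert_cn_is() { openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"; }

# Stand-alone run: sh selfcert.sh run
if [ "${1:-}" = "run" ]; then
  make_cert
  key_is_encrypted "$WORK/server.key.orig" && echo "server.key.orig: encrypted"
  strip_passphrase
  key_is_encrypted "$WORK/server.key" || echo "server.key: passphrase removed"
  moduli_match "$WORK/server.crt" "$WORK/server.key" && echo "cert/key modulus: match"
  perms_are_0400 "$WORK/server.key" && echo "server.key mode: 0400"
  cert_cn_is "$WORK/server.crt" "$FQDN" && echo "CN: $FQDN"
  echo "files left in $WORK"
fi
```

Run it as `sh selfcert.sh run` and point SSLCertificateFile and SSLCertificateKeyFile at the server.crt and server.key it leaves in the working directory. The modulus comparison is worth repeating after every copy of those two files, since a key that no longer matches its certificate is a common reason Apache refuses to start once the files have been moved.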