ÀSÈ RedHat Apache T[oÌ\zû@
Richard Sigle, Richard.sigle@equifax.com
0.1, 2001-02-06
KURASHIKI Satoru (ouka@fx.sakura.ne.jp)
0.1J, 2002-02-22
±ÌKChÍAPKI Æ SSL ðêÉ®©·û@ðྷéæ¤ÉÓ}³êÄ
¢Ü·BÀSÈT[oð\z·é½ßÉÍASSL vgRªÇ¤@\µÄ¢
é©ðð·éKvª èÜ·B
______________________________________________________________________
Ú
1. ±ÌKChÌÚI/ÍÍ
1.1 Secure Sockets Layer (SSL) É¢Ä
1.2 tB[hobN
1.3 ì ƤW
1.4 Ó«
2. Secure Sockets Layer/Private Key Infrastructure Ö̵Ò
2.1 SSL/PKI ÌM«
2.2 SSL ÍǤ@\·éÌ©
2.2.1 SSL nhVFCNvgR
2.2.2 ZbV® (ÎÌ®)
2.2.3 öJ/駮ÌyA(ñÎÌR[h)
2.3 PKI ÌdgÝ
2.4 ؾ(x509 W)
2.5 fW^ؾÌ駮
2.6 fW^ؾÌöJ®
2.7 ؾ¼v(CSR)
3. ؾÉæéìÆ
3.1 駮Ìì¬
3.2 ؾ¼vÌì¬
3.3 ©Ø¾Ìì¬
3.4 EFuT[oÖÌؾÌCXg[
4. Apache Server ÌÝè
4.1 ZL
AÈ@[`zXgÌè`
4.1.1 SSL Engine
4.1.2 SSLCertificateFile
4.1.3 SSLCertificateKeyFile
4.1.4 SSLCACertificateFile
4.2 ؾÌá
4.2.1 T[oؾt@C
4.2.2 ؾt@CÌàe
4.2.3 駮t@C
4.2.4 駮t@CÌàe
4.3 Web T[oÌÄN®
5. guV
[eBO
5.1 T[oÍN®µ½æ¤É©¦éªAZL
ATCgÉANZXÅ«È¢
5.2 Certificate Name Check Warning is issued by the client's browser
5.3 NCAgÌuEUÉAؾªM³êĢȢؾs@Ö
5.4 SSLEngine on is an un-recognized command (Apache ÌN®)
5.5 "PEM pXt[Y" ðYêĵܢAǤâÁÄ»êðÄÝè·é©mè½¢B
6. pêW
______________________________________________________________________
1. ±ÌKChÌÚI/ÍÍ
±ÌKChÌÚIÍARedHat Linux Ì[Uª Apache EFuT[oðgÁ
ÄT[o(SSL)ؾðCXg[·éÌð请é±ÆÅ·BÚWÍA
ÔÆA½Ìê¨àðßñµÄêéèðÍÁ«è¦·±ÆÅ·I
ÅÉA SSL vgRÆfW^ؾÉ¢ÄmÁĨ׫±Æðà
¾µÜ·BÌo±ÅÍAModSSL Æ OpenSSL ðgÁÄ Apache EFuT[o
ð\z·é̪AÅàLvÈ\tgEFAÌgÝí¹Å·BOpenSSL ÍÄp
IÈûCuÅASSL v2/v3 Æ TLS v1 vgRðT|[gµÄ¢
Ü·B ModSSL ÍAApache API W
[ÅAApache Æ OpenSSL ÔÌC
^[tFCXƵĮì·éæ¤ÉìçêĢܷBÅåÌvÍA±êç 3
ÂÌpbP[Wªt[Å é±ÆÅ·B
»µÄ 4 Í©çÍA®Ì¶¬ÆAModSSL Æ OpenSSL ðgݱñÅRpC
³ê½ RedHat-Apache T[oÖÌؾÌCXg[ððÇÁÄ©Ä
¢«Ü·B 4 ÍÌèÍAApache ƧÚÉÖWµÄ¢é Stronghold â
Raven Æ¢Á½¤p SSL T[oÌpbP[WÉàKpÅ«éŵå¤B
xFÍAEquifax Secure Inc. Æ¢¤Ø¾s@ÖÌeNjJT|[
gZpÒÅ·BÅ·©çAÍ Equifax Secure Ìؾðg¢Ü·µAáÍ
Equifax Secure ÌؾðCXg[ÉKµ½`ÉÈÁĢܷBÆÍ
¢¦Aèø«Í¼Ìؾs@ÖÉæéؾÉàg¦é͸ŷB±Ì¶
ðª¦æµÄ¢½©çÆ¢ÁÄàAEquifax Secure Inc. ÍA±êçÌ
èðg¤±ÆÉæÁĶ¶é½@ÈéÊÉ¢ÄàA`±àÓCà¢Ü
¹ñB
ÇÒÉηéÌRgÍA±ÌX^C(²)Å·B.
áÍÊÌX^CŦµÜ·B.
xÈRgâAhoCXÍASGML \[XÌRgÆµÄ¢Ä è
Ü·B
1.1. Secure Sockets Layer (SSL) É¢Ä
SSL ÍATCP ÆAvP[VwÌÔÉ éAv[e[VwÌT[
rXÅ·B±êÍvbgtH[âAvP[VÉÍ˶µÜ¹ñB
SSL ÍNCAgÆT[oÔÌZL
AÈÊM`lðÇ·éðÚð
ÁĢܷB SSL ÍNCAgÆT[oÔÅ]³êéf[^ðû
·éAÍÈ@\ðñµÜ·B
1.2. tB[hobN
±ÌKChÉ¢ÄÌRgÍAÒ (richard.sigle@equifax.com) É
Äɨ袵ܷB
1.3. ì ƤW
Copyright (c) 2001 by Richard L. Sigle
Please freely copy and distribute this document in any format. It's
requested that corrections and/or comments be forwarded to the
document maintainer. You may create a derivative work and distribute
it provided that you:
o Send your derivative work (in the most suitable format such as
sgml) to the LDP <http://www.LinuxDoc.org/> (Linux Documentation
Project) or the like for posting on the Internet. If not the LDP,
then let the LDP know where it is available.
o License the derivative work with this same license or use GPL.
Include a copyright notice and at least a pointer to the license
used.
o Give due credit to previous authors and major contributors.
If you're considering making a derived work other than a translation,
it's requested that you discuss your plans with the current
maintainer.
1.4. Ó«
Þ±ÆÈÌhtgðÇñÅAAhoCXðê½ Tony Villasenor
É´ÓðB Tony ª¢È¯êÎA±Ì¶Í«ã°é±ÆªÅ«È©Á½Å
µå¤B
2. Secure Sockets Layer/Private Key Infrastructure Ö̵Ò
PKI ÍAöJ® (NCAgÉçêÜ·) Æ駮 (T[oãɶݵÜ
·) ©çÈéAñÎÌÌ®VXeÅ·BPKI ÍANCAgÆT[o̼
ûªÃ»/»É¯¶®ðg¤AÎÌÌ®VXeÆÍÙÈèÜ·B
2.1. SSL/PKI ÌM«
NWbgJ[hîñâãÃL^A@¥¶Ae-commerce AvP[V
Æ¢Á½AÅà@§ÉӵȯêÎÈçÈ¢ÌÊMÉàpÂ\Å é
æ¤ÉAÆ¢¤vð½·½ßÉ SSL ÍÝv³êܵ½BeAvP[
VÍA@§«â³êéæøÌ¿lÉæÁÄAȺÌÁ¥ÌÇêð (
é¢Í·×Äð) g¤©IðÅ«Ü·B
vCoV[
á¦ÎAA ©ç B Ö`B·é½ßÉAbZ[Wª»³êéƵ
Ü·BA Í B ÌöJ®ðgÁÄbZ[WðûµÜ·B±¤·é
ÆAB Í©ªÌ駮ðgÁıÌbZ[Wð»µÄÇޱƪ
Å«éBêÌl¨ÆÈèÜ·Bµ©µAA ª©ÌµÄ¢éÊèÌl¨Å
é©Íè©ÅÍ èܹñB
FØ
A ª©ÌµÄ¢éÊèÌl¨Å é±Æðm©ßé½ßÉÍAÛسê
½FتKvÅ·B±êÉ͵Ωè¡GÈûÌßöªKvÅ
·B±ÌêAA ©ç B ÖÌbZ[WÍAÅÉ A Ì駮ÅA
É B ÌöJ®Åû³êÜ·BB Íܸ©ªÌ駮ÅA¢ŠA
ÌöJ®Å»µÈ¯êÎÈèܹñB±êÅAB Í A ª©ÌµÄ
¢éÊèÌl¨¾ÆmMÅ«Ü·B¼ÌlÍNà A Ì駮Åû
µ½bZ[Wðìé±ÆÍÅ«È¢ÌÅ·©çB SSL ͱêðAØ
¾ (PKI) ðg¤±ÆÅB¬µÄ¢Ü·BؾÍA| ؾs@
Ö (CA)Ìæ¤È | §ÌT[hp[eB©çs³êAؾ³ê½
èÌöJ®ÉÁ¦ÄAfW^¼â^CX^vðÜñÅ¢Ü
·B³µ¢ SSL c[ðg¦ÎNÅੵ½fW^ؾðì¬
Å«Ü·ªA©µ½Ø¾ÅÍA¤ÊÉhÓð¥íêÄ¢é§ÌT
[hp[eBªs¤AáyÌdÝɯܷB
³T«
SSL ɨ¢ÄÍAMAC (Message Authentication Code: bZ[WFØ
R[h) ðK{ÌnbV
e[uÖÆÆàÉg¤±ÆųT«ªÛ
سêĢܷBbZ[W̶¬ÉAnbV
Öðg¤±ÆÅ
MAC ª¾çêA»ÌʪbZ[WÉÇÁ³êÜ·BbZ[Wªó
M³êéÆAbZ[WÉß±Üê½ MAC ðó¯ÆÁ½bZ[W
©çvZµ½Vµ¢ MACÆär·é±ÆÅAëªØ³êÜ·B±
êÅAæOÒÉæÁÄÏX³ê½bZ[WÍ·®É¾ç©ÉÈèÜ
·B
ÛFh~
ÛFh~ÍAICÌâèÆèÌÔA¼ûÌÊMÒð¨Ý¢©çÛ
ìµÜ·B±êÍAǿ穪Aîñ̤¿ÁèÌêªðçÈ©Á
½Aƾ¤Ìðh¬Ü·BÛFh~ÍAÇ¿ç¤É¢ÄàAùÉȳ
ê½âèÆèÌàeðüÏ·é±ÆðµÜ¹ñBfW^ÛFh~Í
`IÈ´oÅ¢¦ÎA_ñÉTC·éÌÆ¿Å·B
2.2. SSL ÍǤ@\·éÌ©
SSL vgRÍA2 ÂÌTuvgRðÜÝÜ· | SSL R[hvg
RÆ SSL nhVFCNvgRÅ·BSSL R[hvgRÍf[
^Ì`Ég¤tH[}bgðè`µÜ·BSSL nhVFCNvgRÉ
ÍA SSL R[hvgRÌpªÜÜêĢܷB±êÍ SSL »³ê½
T[oÆNCAgªÅÉ SSL Ú±ðm§·éÆ«ÉâèÆè·éêA
ÌbZ[Wð·Ép¢çêÜ·B±ÌbZ[Wð·ÍAȺÌ@\ðeÕ
É·é×Ýv³êĢܷB
o T[o©çNCAgÖÌFØBT[oؾÍAؾs@ÖÉ
æÁļ³êĨèAؾªóêĨç¸AM̽ª¬§µÄ¢é
±ÆðÛصܷB
o NCAgÆT[oªAoûªÆàÉT|[gµÄ¢éûAS
YAÂÜèTCt@[(cipher)ðI×éæ¤ÉµÜ·B
o CÓÅAT[oÉεÄNCAgðFØB
o ¤LÌé§ð¶¬·éÌÉAöJ®ÃZpðg¢Ü·B
o û³ê½ SSL Ú±ðm§µÜ·B
2.2.1. SSL nhVFCNvgR
nhVFCNvgRÍANCAgÆT[oÌóÔð²®·éÌÉg
íêÜ·BnhVFCNÌÔAȺÌCxgª¶µÜ· |
o NCAgÆT[oÌÔÅؾªð·³êÜ· (ñÎÌÌ®)BT[o
ÍöJ®ðNCAgÉèÜ·BT[oªØ¾ðgÁÄNCA
gÌFØðs¤æ¤Ýè³êÄ¢éÈçANCAgÍöJ®ðT[o
ÉèÜ·BؾÌLøúÀúðmFµAM³ê½Ø¾s@ÖÌ
fW^¼ð`FbNµÜ·BLøúÀúâfW^¼ªÔáÁÄ¢
êÎAuEUÍ[UÉxðoµÜ·B[UÍ»ê©çؾÌÛ
ÒðM·é±ÆàÅ«Ü·B
o ÉNCAgÍ_È® (ÎÌ®) 𶬵ܷB±êçÍÃ
»Æ MAC ÌvZÉgíêÜ·B±Ì®ÍAT[oÌöJ®Åû³êA
T[oÉçêÜ·B±ÌVµ¢ÎÌ®ÍAT[oÌݪ»Å«Ü
·BVµ¢ÎÌ®ÍANCAgÆT[oÔÅçêéf[^Ìû
ÉgíêÜ·B
F T[o - uEUÔFØÌãÉÎÌ®ðg¤±ÆÅA»ÌãÌ
ptH[}XªåÉüP³êÜ·B
o bZ[WÌûASYÆA³T«Ì½ßÌnbV
Öƪð
 (negotiate) ³êÜ·B±Ì²®ßöÍANCAgªT|[gµÄ
¢éASYÌêðT[oɦµAÉT[oªoûÅpÂ\È
Åà¢ÃðIÔAÆ¢¤æ¤ÉÀs³êÜ·BIð³ê½Ã»A
SYÆnbV
Ö̯ÊqÍA»ÝÌXe[^XÌÃû@Xyb
NtB[hÉÛ¶³êAR[hvgR©çp³êÜ·B
o ȺÌtB[hÍSÄAnhVFCNÌÔÉZbg³êÜ· |vg
RÌo[WAZbV IDAÃÌgA³kû@A»ê©ç 2 Â
Ì_l ClientHello.random Æ ServerHello.randomB
F IP AhXÍAe SSL Ú±ÉKvÉÈèÜ·B¼Ox[XÌ@[
`zXgÍAvP[VwÅð³êÜ·B SSL ªAvP[V
w̺ɶݵĢé±Æðv¢oµÜµå¤B
2.2.2. ZbV® (ÎÌ®)
o 40 rbgÍAàÆàÆAopÌàÌŵ½
o 56 rbgÍ DES Åp³êĢܷ
o 64 rbg® | CAST Åp³êĨèA56 rbgæè 256 {ÍÅ·
o 80 rbg® | CAST Åp³êĨèA56 rbgÌ 16,000,000{Í
Å· (»ÝÌZpÅÍAjé±ÆÍūܹñ)
o 128 rbg® | CAST â RC2 ÅgíêĨèA»ÝàA\ªÅ«é¢
ɨ¢ÄàAÔ
IÉ®ððÇ·é±ÆÍsÂ\Å·
2.2.3. öJ/駮ÌyA(ñÎÌR[h)
o 512-bit
o 768-bit
o 1024-bit
o 2048-bit
2.3. PKI ÌdgÝ
NCAgÆT[oÍA»ê¼êöJ®Æ駮ð¿Ü· (NCAg
ª©ªÌؾðÁĨèA»êªT[oÉv³êÈ¢ÀèANCA
gÌuEUÍ SSL ÌZbVpÉ®ÌyAð_ɶ¬µÜ·)B
MÒÍA©ªÌ駮ðgÁÄbZ[WðûµÜ·B±êÉæèA
bZ[WÌ\[XªFسêÜ·BÊÌÃÍAó¯èÌöJ®Åà¤ê
xû³êÜ·B±êÍAó¯èÌݪA©gÌ駮ðgÁÄbZ[W
ðÅÉðÇ·é±ÆªÅ«éæ¤É·é±ÆÅA@§«ðà½çµÜ·Bó
MÒÍAû³ê½bZ[Wð³çÉðÇ·é½ßAMÒÌöJ®ðg
¢Ü·BMÒÌݪ©ªÌ駮ÉANZXÅ«éÌÅAóMÒÍû³
ê½bZ[Wª»ÌMÒ©çÌàÌÅ éÆ¢¤±ÆðÛسêÜ·B
bZ[W_CWFXgÍAÖWÒàæOÒàAbZ[Wɽç©Ìüââ
ÏXð{µÄ¢È¢±ÆðmF·éÌÉp³êÜ·BbZ[W_CWFX
gÍAbZ[WÉnbV
Ö (wäƵÄmçêéA駮Ìê) ðg
¤±ÆžçêÜ·B_CWFXg (¼ÆÄÎêÜ·) ÍbZ[WÉYt
é¢ÍÇÁ³êÜ·B¼Ì·³Í (bZ[WÌ·³ÉÖç¸) êèÅA
駮ªàÂbZ[W_CWFXgÌ^Cv (md5 Í 128 rbgA sha1
Èç 160 rbgAÈÇ) ÉæèÜ·BbZ[Wð½Á½ 1 rbgÏXµ½
¾¯Åà¼Ì·³ÍÏ»·éÌÅAbZ[WªÏX³ê½±ÆªØ¾³ê
Ü·B
2.4. ؾ(x509 W)
fW^ؾÍC^[lbgã̶ÝðMÅ«éæ¤ÉµÜ·BfW^
¼ÍA§ÌæOÒÅ éؾs@ÖÉæÁħسê½A[UÌ
ÛØðÜÝÜ·B
wIÈASYÆl (®) ªf[^ðÇßÈ¢`Éû·é½ßÉg
íêÜ·Bf[^ÌÉÍ 2 ÂßÌ®ªp¢çêA±êÍâIÈAS
YÆlðg¢Ü·B 2 ÂÌ®ÍÖAïçê½lðÁĢȯêÎÈ
ç¸A®ÌyA ÆÄÎêÜ·B
FITU-T Ì© X.509 [CCI88c] Í X.509 ؾÌL@ÌÝÈç¸A
X.500 fBNgÖÌFØT[rXÌdlðèßĢܷBؾÍAÎÛ
Ì([UÌ)¼OÆ[UÌöJ®ÆÌÂȪèðFØ·é½ßÉAsÒÉ
æÁļ³êÜ·BSSLv3 Í 1994 NÉÌð³êܵ½Bo[W 2 Æ
3 ÌåÈá¢ÍAg£tB[hªÇÁ³ê½±ÆÅ·B±ÌtB[hÉæ
èAPÈé®Æ¼OÌÂȪ辯ÅÈAÇÁÌîñð`B·é±ÆªÅ«
éæ¤ÉÈèAæè_îÉÈèÜ·BWIÈg£ÅÍAÎÛÆsÒÌA
®AFØ|V[îñA®Ìp§ÀÈǪÜÜêÜ·B
X.509 ؾÍA±êçÌtB[hÅ\¬³êÜ· |
o o[W
o VAÔ
o ¼ASY ID
o sÒ¼
o LøúÀ
o ÎÛÌ([UÌ)¼O
o ÎÛÌöJ®îñ
o sÒÅL̯Êq(o[W 2 Æ 3 ÌÝ)
o ÎÛÅL̯Êq(o[W 2 Æ 3 ÌÝ)
o g£(o[W 3 ÌÝ)
o ãLtB[hÉ¢Ä̼
2.5. fW^ؾÌ駮
駮ÍAfW^ؾÉß±ÜêÄܹ͢ñB駮ÍÇñÈT[o
îñàà¿Ü¹ñB駮ªÂÌÍÃîñÆwäÅ·B±êÍ©ªÌVX
eãÅ[Jɶ¬³êAÀSÈ«ÌÜÜÅȯêÎÈèܹñBé§
®ªë¯É³ç³êêÎAÁQÒÍA{¿IÉ»ÌZL
eBVXeÌR
[hðèɵ½±ÆÉÈèÜ·BNCAgÆT[oÔÌMÍATó³
êAðdzê¾Ü·B±¤¢Á½ã_ªAtriple DES ZpðgÁÄû³
ê½é§®ðìé±Æª§³êÄ¢éRÅ·B·éÆt@CÍû³
êApX[hÅÛì³êÜ·B±êÉæèA³mÈpXt[YȵÉg¤
±ÆªÙÆñÇsÂ\ÉÈèÜ·B
gUNVÌZL
eBÍA»Ì駮É˶µÜ·B±Ì®ªëÁ
½lèÉí½Á½çANÅàÈPɻ̮ðìÁÄAZL
eBðjé½
ßÉgpÅ«Ü·B뤢®ÍAT[oÖÌbZ[Wª³@ÈnbJ[É
æÁÄTó³êAì³êéÔ𵫩ËܹñB®SÉZL
AÈVXe
ÅÍA¼ÌðmÅ«A®Ì¡»ðWQ·éæ¤ÉÈÁĢȯêÎÈèÜ
¹ñB
2.6. fW^ؾÌöJ®
öJ®ÍfW^ؾÉß±ÜêĨèAZL
AÈÚ±ªv³ê½
ÉAT[o©çNCAgÖçêÜ·B±ÌßöÉæèAؾðgÁÄ
T[oÌg³ªmF³êÜ·BöJ®Í®S«AMß«ðصAé§Ìf[
^]ð·é½ßÉf[^ðû·éÌÉàgíêÜ·B
2.7. ؾ¼v(CSR)
CSR Íؾs@֪ؾð쬷éÌÉKvÆÈéîñðÜÞàÌÅ
·B CSR ÍA駮ÉεÄâIÈASYAT[oÌg³ðؾ·
éîñðà¿Ü·B±ÌîñÉÍAABAgDAêʼ(hC¼)AA
æÆ¢Á½îñªÜÜêÜ·ªAÀè³êéí¯ÅÍ èܹñB
3. ؾÉæéìÆ
±êÈ~ÌßÅÍA駮t@CÌì¬Aؾ¼vA»ê©ç©Ø
¾ðÜÞè𨳦ܷBؾs@ÖÉæÁļ³ê½Ø¾ðü
è·éÂàèÈçAؾ¼v (CSR) ð쬷éKvª èÜ·B é
¢ÍA©Ø¾ð쬷é±ÆàÅ«Ü·B
3.1. 駮Ìì¬
駮ðìéÉÍAOpenSSL c[LbgªCXg[³êÄ¢ÄA
Apache pÉÝè³êÄ¢éKvª èÜ·B±±©çÌáÅÍAftHg
Ì /usr/local/ssl/bin fBNgÉ é OpenSSL ÌR}hCc[
ðg¢Ü·BáÅÍAOpenSSL ÌR}hCc[ª éfBNg
ª $PATH ÉÇÁ³êÄ¢é±ÆðzèµÄ¢Ü·B
gv DES ÃW (§) ðgÁÄ駮ðìéÉÍA±ÌR}hð
g¢Ü· |
openssl genrsa -des3 -out filename.key 1024
pXt[Yðü͵AܽÄüÍ·éæ¤ÉßçêÜ·Bgv DES
ðg¤±Æɵ½ÈçASSL T[oðR[hX^[gÅN®³¹éxÉpX
[hðßçêÜ·B(ÄN®R}hðg¤êÍApX[hÍ·©ê
ܹñB) ÁÉVXeðxÝÌÔÉN®¹ËÎÈçÈ¢êA±ÌpX[
hüͪ¤´Á½¢Æv¤©àµêܹñBܽAVXeÍùÉ\ªÉS
¾ÆmMµÄ¢é©àµêܹñBÅ·©çApX[hüͪȢæ¤ÉI
ð·é (]ÁÄgv DES ûðgí¸É) ÈçAȺÌR}hðÀ
sµÄ¾³¢BtÉAPÉ 512 bit Ì®ðìè½¢ÈçAR}hÌÅã
É é 1024 ðíÁľ³¢B·éÆ OpenSSL ÍftHgÌ 512 bit Å
®ðìèÜ·B¬³È®ðg¤ÆAµÎ©èÈèÜ·ªAÀS«àáº
µÜ·B
駮ðgv DES ûȵÅ쬷éÉÍA±ÌR}hðg¢Ü·
|
openssl genrsa -out filename.key 1024
ù¶Ì駮ÉpX[hðÇÁ·éÉÍA±ÌR}hðg¢Ü· |
openssl -in filename.key -des3 -out newfilename.key
ù¶Ì駮©çpX[hðí·éÉÍA±ÌR}hðg¢Ü· |
openssl -in filename.key -out newfilename.key
ÓFÊrwèµÈ¯êÎA駮ÍJgfBNgÉ쬳êÜ·B
±êðæ赤ÉÍ 3 ÂÌÈPÈû@ª èÜ·BOpenSSL ªpXÉüÁÄ
¢êÎA®t@CðÛ¶·é½ßÉIñ¾fBNg©çÀs·é±Æª
Å«Ü· (Apache ÌCXg[É RPM ðgÁ½êÌftHgÍ
/etc/httpd/conf/ssl.key ÅA\[Xt@C©çCXg[µ½ÌÈç
/usr/local/apache/conf/ssl.key Å·)BÊðÍA®ªì¬³ê½fBNg
©çA³µ¢fBNgÖÆt@CðRs[·é±ÆÅ·B³çÉAå
ȱÆð¾¢Yêܵ½ªAR}hÌÀsÉpXðwè·é±ÆªÅ«
Ü· (eg. openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key
1024)BÉiÞOÉìƪIíÁÄ¢êÎAû@ÍÇêÅà\¢Ü¹ñB
OpenSSL c[LbgÉ¢ÄÌæèÚµ¢îñÍA±±©Ä¾³¢ |
OpenSSL Website <http://www.openssl.org/>
3.2. ؾ¼vÌì¬
ؾs@ÖÉæÁļ³ê½Ø¾ðüè·éÉÍAؾ¼v
(CSR) ð쬷éKvª èÜ·BÚIÍA駮ðÛ²ÆÁ½èAµ¢Ì
ïµ¢îñðë¯É³çµ½è·é±ÆÈAؾð쬷éÉ«éîñð
ؾs@ÖÉé±ÆÅ·BCSR ÍAá¦ÎhC¼ânæîñÆ¢Á
½AؾÉÜÜêéîñààÁĢܷB
o CSR ðìéàÆÌ駮ðmFµÜ·B±ÌR}hðü͵ľ³¢
|
openssl req -new -key filename.key -out filename.csr
o næîñA¤Ê¼ (hC¼)AgDîñÈÇÌüÍðßçêÜ·BK
vƳêéÚÆAsKØÈGgÌîñðAÌpµæ¤ÆµÄ¢é CA
Éâ¢í¹Ä¾³¢B
o CSR ð CA Ìw¦É]ÁÄèÜ·B
o Vµ¢Ø¾ðÒ¿ÂÂA é¢Í©Ø¾ð쬵ľ³¢B©
ؾÍؾs@Ö©çؾðó¯ÆéÜÅgp·é±ÆªÅ«Ü
·B
ÓF駮Æv(ó:CSR)ð¯É쬷éÉÍAÌR}hðg¢Ü
·B
openssl genrsa -des3 -out filename.key 1024
3.3. ©Ø¾Ìì¬
CA ̼µ½Ø¾ðüèµæ¤ÆµÄ¢éÈçA©Ø¾ðìéKvÍ
èܹñBÆÍ¢¦A©Ø¾Ìì¬Í½¢ÖñÈPÅ·BKvÈÌÍA
駮ÆZL
Aɵ½¢T[o̼O (®SCühC¼) Å·Bnæî
ñâ¤Ê¼ (hC¼)AgDîñÈÇðuËçêÜ·BOpenSSL ÅÍA±
±Å©ÈèÌ©Rª««Ü·Bؾª³íÉ@\·é½ßÉBêKvÈîñ
ÍA¤Ê¼ (hC¼) Å·B±êªÈ©Á½èA¯½èµÄ¢é
ÆACertificate Name Check xðuEU©çó¯é±ÆÉÈèÜ·B
©Ø¾ð쬷éÉÍ |
openssl req -new -key filename.key -x509 -out filename.crt
3.4. EFuT[oÖÌؾÌCXg[
±êçÌw¦É]ÁÄ¢½çA¡ÜÅÌƱëA±±ÜÅÅÍÁÉâèÍN«
ĢȢ͸ŷBCSR ðؾs@ÖÉÁÄAܾؾðó¯ÆÁÄ
¢È¢ÈçA¿åÁÆêxݵܵå¤I ©Ø¾ðgÁÄ¢é©Aؾ
ðó¯Æè¸ÝÈçAÉiñÅà\¢Ü¹ñB
o 駮t@CªAg¤Æß½êÉ é±ÆðmFµÄ¾³¢B±
áÍ RedHat RPM ÉæéCXg[ÌftHg
lA/etc/httpd/conf/ssl.key Éî¢Ä¢Ü·B
o CA ª¼µ½A é¢Í©Ìؾªwè³ê½fBNgÉ é±
ÆðmFµÄ¾³¢BJèԵܷªAÍ RPM ÌftHgÅ é
/etc/httpd/conf/ssl.crt ðg¢Ü·Bܾ»±ÉȯêÎA»±Ézu
µÄ¾³¢B
o àµACXg[·éÔؾ (ܽÍ[gؾ) ª éÈçA
»êà /etc/httpd/conf/ssl.crt fBNgÉRs[µÄ¾³¢B
o ÍAhttpd.conf t@CðÒW·éKvª èÜ·BÌXeb
vA``Apache Server ÌÝè'' ÉiÞOÉA±Ìt@CÌobNAbv
ðìÁľ³¢B
4. Apache Server ÌÝè
SSL ðT|[g·é½ßÉÍAApache ÍÇÁÌ API W
[ðg¤æ¤É
Ýè³êéKvª èÜ·B½Ì SSL \tgEFApbP[WªpÅ«
Ü·BÌáÅÍAModSSL Æ OpenSSL pÉÝè³ê½ Apache ð³ÉµÄ¢
Ü·B±êçÌv_NgðT|[g·é¦ØêÈ¢ç¢Ì[O
Xgâj
[XO[vª èÜ·B Apache EFuT[oð³ÉµÄ¢é¢
©̤p SSL pbP[WÉàA±êçÌèø«ªLp¾Æv¤©àµê
ܹñB
¢Â©ªÉüêĨ׫±Æª èÜ· | ¯¶T[oÉ¡Ì@[
`zXgð½Äé±ÆªÅ«Ü·B¯¶ IP AhXÅA¼Ox[XÌ
@[`zXgð½½Äé±ÆªÅ«Ü·B¯¶ IP AhXÅA¼O
x[XÌ@[`zXgð½ÆAZL
AÈ@[`zXgð 1
½Äé±ÆàÅ«Ü·B½¾µ | ¯¶ IP AhXÅA¡ÌZL
AÈ
@[`zXgð½Äé±ÆÍūܹñB½Ìlª±¤uËéŵå
¤ | ½ÌH ÆB¦Í±¤Å· | SSL ÍAvP[Vw̺Å@\
µÜ·B¼Ox[XÌzXgÍAAvP[VwÜÅÍè`³êĢܹ
ñB
ÁÉA¯¶ SOCKET (IP AhX + |[g) É¢ÄA¡ÌZL
AÈ
@[`zXgð½Äé±ÆÍūܹñBftHgÅÍAZL
AÈ
zXgÍ|[g 443 ðg¢Ü·B@[`zXgª¯¶ IP AhXÅ
ÙÈé|[gÔðg¤±ÆÅAÊÌ\Pbgð쬷éæ¤ÉÝèðÏX·
é±ÆÍÅ«Ü·B±Ìû@ÉͽÌssª èÜ·BêÔ¾mÈss
ÍAftHg|[gðgÁĢȢêAZL
ATCgÖÌANZXÉ
¨¢ÄAURL É|[gÔðÜßÈÄÍÈçÈ¢±ÆÅ·B
á¦ÎF
o ftHg|[gðg¤TCgAwww.something.com
ÍAhttps://www.something.com ÅANZXÅ«Ü·
o |[g 8888 ðg¤TCgÅÍAhttps://www.something.com:8888 ÅAN
ZXÅ«Ü·B
à¤êÂÌssÍA½³ñÌ|[gðg¤ÆA|[gðk¬ÜíénbJ
[Éæè@ïð^¦é±ÆÉÈéAÆ¢¤±ÆÅ·BÅãÉAIñ¾|[gª
½©¼ÅgíêÄ¢éÆAÕËâ誶·é±ÆÉÈèÜ·B
4.1. ZL
AÈ@[`zXgÌè`
@[`zXgÌÝuÍASÈPÅ·BZL
AÈ@[`zXg
ðÝè·éî{ðA¢µÄ¢«Ü·B
±êçÌáɨ¢ÄA.crt Æ .key t@Cg£qðg¢Ü·B±êÍAl
XÈt@CÆ̬ðð¯éAÂlIÈû@Å·BApache ðg¤ÈçAD
«Èg£qðg¦Ü·µA é¢Íg£qȵÉàÅ«Ü·B
ZL
AÈ@[`zXgÍSÄAÊíÍ httpd.conf t@CÌöÉ
zu³êéA<IfDefine SSL> Æ </IfDefine SSL> ÉïܳêéKvª èÜ
·B
ZL
AÈ@[`zXgÌáÅ· |
<VirtualHost 172.18.116.42:443>
DocumentRoot /etc/httpd/htdocs
ServerName www.somewhere.com
ServerAdmin someone@somewhere.com
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/etc/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
SSL É¢ÄÅàdvÈfBNeBuÍASSLEngine on,
SSLCertificateFile, SSLCertificateKeyFile, »ê©ç½ÌêÅ
SSLCACertificateFile Å·B
4.1.1. SSL Engine
"SSLEngine on"| ±êÍASSL ðJn·é½ßÌ ModSSL R}hÅ·B
4.1.2. SSLCertificateFile
SSLCertificateFile ÍAApache Éؾt@CÌÝÆA»êªÈñÆ¢
¤¼OÈÌ©ðw¦µÜ·BãÌáÅÍA"server.crt" ªØ¾t@C¼
ƵĦ³êĢܷB±êÍAApache ÆêÉ ModSSL ðÝèµ½ÉÇ
Á³êéftHgÅ·BÂlIÉÍAftHg̼Oðg¤±Æͨ©ß
µÜ¹ñBÊ|ÈÌð±ç¦ÄAؾÉT[o¼.crt (hC¼.crt) Æ
¼t¯Ä¾³¢B¯¶æ¤ÉAftHgÌ /etc/httpd/conf/ssl.crt â
/usr/local/apache/conf/ssl.crt ÆÍÊÌfBNgðg¤±ÆàÅ«Ü
·B
4.1.3. SSLCertificateKeyFile
SSLCertificateKeyFile ÍAApache É駮̼OÆ»ÌÝðw¦µÜ
·B±±Åwè³ê½fBNgÍ root ÌݪÇÝ/« ÀðÁÄ¢
éKvª èÜ·B¼ÉÍNà±ÌfBNgÉANZX·é׫ÅÍ è
ܹñB
4.1.4. SSLCACertificateFile
SSLCACertificateFile fBNeBuÍAApache ÉÔؾÌêðw¦
µÜ·B±ÌfBNeBuÍAgpµÄ¢é CA ÉæÁÄKv¾Á½èsK
v¾Á½èµÜ·B±Ìؾª{¿IÉMÌÖÆÈèÜ·B
Ôؾ | ؾs@ÖÍA ȽÆÙÆñǯ¶û@Åؾð¾Ü
·B±êÍAÔؾƵÄmçêĢܷB±êÍAî{IÉÍÔؾ
ÌÒªA¢¤àÌÅ·BEFuuEUÍAe[X²ÆÉXV³ê
éA"MÅ«é" ؾs@ÖÌXgðÁĢܷBؾs@Öª
SVµ¢ÈçA»ÌÔؾÍAuEUÌMÅ«é CA XgÉÍ
üÁĢȢŵå¤BÙÆñÇÌlª©ªÌuEUð»¤pÉÉAbvf
[gµ½èµÈ¢Æ¢¤Àð±êÆí¹éÆA±¤ÈèÜ· | CA ª©
®IÉMÅ«éàÌƵÄF¯³êéÉÍAN©©èÜ·BðôÍA
SSLCACertificateFile fBNeBuðgÁÄAT[oÉÔؾðC
Xg[·é±ÆÅ·B½¢Ä¢A"M³ê½" CA ÍÔؾðsµÄ
¢Ü·Bൻ¤ÅȯêÎASSLCertificateChainFile fBNeBuðg
íËÎÈçÈ¢©àmêܹñªA±êÍܸȢ±ÆÅ·B
4.2. ؾÌá
4.2.1. T[oؾt@C
-----BEGIN CERTIFICATE-----
MIIC8DCCAlmgAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTkwNTI1
MDMwMDAwWhcNMDIwNjEwMDMwMDAwWjBTMQswCQYDVQQGEwJVUzEbMBkGA1UEChMS
RXF1aWZheCBTZWN1cmUgSW5jMScwJQYDVQQDEx5FcXVpZmF4IFNlY3VyZSBFLUJ1
c2luZXNzIENBLTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYna8GjS9mG
q4Cb8L0VwDBMZ+ztPI05urQb8F0t1Dp4I3gOFUs2WZJJv9Y1zCFwQbQbfJuBuXmZ
QKIZJOw3jwPbfcvoTyqQhM0Yyb1YzgM2ghuv8Zz/+LYrjBo2yrmf86zvMhDVOD7z
dhDzyTxCh5F6+K6Mcmmar+ncFMmIum2bAgMBAAGjYjBgMBIGA1UdEwEB/wQIMAYB
Af8CAQAwSgYDVR0lBEMwQQYIKwYBBQUHAwEGCCsGAQUFBwMDBgorBgEEAYI3CgMD
BglghkgBhvhCBAEGCCsGAQUFBwMIBgorBgEEAYI3CgMCMA0GCSqGSIb3DQEBBAUA
A4GBALIfbC0RQ9g4Zxf/Y8IA2jWm8Tt+jvFWPt5wT3n5k0orRAvbmTROVPHGSLw7
oMNeapH1eRG5yn+erwqYazcoFXJ6AsIC5WUjAnClsSrHBCAnEn6rDU080F38xIQ3
j1FBvwMOxAq/JR5eZZcBHlSpJad88Twfd7E+0fQcqgk+nnjH
-----END CERTIFICATE-----
4.2.2. ؾt@CÌàe
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1516 (0x5ec)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=Equifax Secure Inc, CN=Equifax Secure E-Business CA
Validity
Not Before: Jul 12 15:21:01 2000 GMT
Not After : Jun 2 22:42:34 2001 GMT
Subject: C=us, ST=ga, L=atlanta, O=Equifax, OU=Rick, CN=172.18.116.44/Email=richard.sigle@equifax.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
d8:a9:e8:59:3c:c2:61:c5:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Netscape Cert Type:
SSL Server
X509v3 Authority Key Identifier:
keyid:5B:E0:A8:75:1C:78:02:47:71:AB:CE:27:32:E7:24:88:42:28:48:56
Signature Algorithm: md5WithRSAEncryption
87:53:74:e9:e1:a6:10:56:8c:fa:63:0e:7b:72:ff:76:4b:79:
0e:49:2a:58:ed:71:7a:bf:77:61:fa:e8:74:04:37:8c:d3:6a:
9a:3d:80:76:7a:c3:64:30:e7:1b:40:25:4e:2a:81:8b:e5:ac:
76:a4:38:67:cc:3f:93:43:e1:1d:c3:8d:ba:ed:cc:d7:aa:a4:
ab:d3:84:77:7c:8f:26:f6:dd:ba:3b:6a:99:81:e1:9e:7e:0f:
ca:a6:ff:c0:c3:59:6e:dc:a6:03:23:bf:8f:24:ff:15:ad:ac:
0d:85:fc:38:bf:d1:24:2d:1a:d3:72:55:12:95:5f:65:f0:60:
df:b1
4.2.3. 駮t@C
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,124F61450D85A480
ELz64SV+tFSRybsHjY9NH7CP7yDHXP6xcd9FY6MVgQykTkq2h0n7j+tmpfUPbStT
6jCgm/dTYM9mpkQ3jYZBALiVD5JNJ9t1dWisxQXY/nsak8LSTN7LhUtZSfk5xSmV
Zsl4gwQS20UdBzFiJ+4qDajP/pzocSdSuQvxIHq7UzNwJsW8UYxR3I1qrDgyNXKS
db41BWH4QdNtE0p+pi9VndDzXktqZGHEvtrQTV+39DV/dwOdnGBpYBETljMO5X6t
D42xcVs0Doa1vZ6PiMCkwFNPXsPlKHZtHwEL4I3CQdiH4E0oYh3klBzlXBY4YldN
A+s4xU44FpXp5xwt9nnVPUKHPo+NpdaRK7dAcRNO3GN3+ek1ggzvEjjuWKes3RQh
PlHPuF7VWo4KeaTfTIwJWfGxz4nvwlVByPJ6Z73Mn0VcDXCkVm6+h3PLlYL0FMqM
baUyQPpw6bhfW71FO/IIQxz3R1EqkxW7OHv74uuYl8kjHXf3S6qRZEGUG/zOGLGr
mI5s2qnU69HlBObFkc6WQq0QxMq4PiUi7HhCLMkH8+wBsNNMnb75+7lQKkEhdOeE
iUMKe5kgQqfd9w8jsBH5nu+J/nCfvPdp0isQW+P3/Rrh6YMwdKnlVfNZWdGiTzpQ
ngThAGq5lit4uf4zdTIYYrs+T9I5ltjj0KgCUD4VL5/7OfnR3gcphpbHXQf0E2cz
Qwq7q7ppKwCf/x92pHi8oVevlV5Dx9NQbGhEOA5pooqD6S2xZBbPLzkUKWDEO2il
oBZ5L1jClR5jjdF2U61w7aRrL0t6luDU/aRv/fcoYes=
-----END RSA PRIVATE KEY-----
4.2.4. 駮t@CÌàe
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
d8:a9:e8:59:3c:c2:61:c5:b3
publicExponent: 65537 (0x10001)
privateExponent:
00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f:
d3:3d:69:0c:21:93:37:bf:2b:2c:da:e1:6c:74:48:
cb:c7:0f:60:5f:50:74:8a:44:45:be:54:5c:5d:4e:
45:58:f6:f1:a8:b5:af:46:f2:ec:c2:bc:43:bd:28:
44:b7:ad:13:d3:ca:de:59:24:e8:fa:f8:e5:5f:45:
38:2c:a0:a3:de:98:13:d8:80:38:e1:47:53:4c:ea:
e4:66:c3:82:93:89:c3:90:83:44:e1:13:4f:74:76:
e2:c0:89:97:77:5f:33:d8:7d:27:21:52:55:c2:d7:
dc:01:f9:bc:21:8d:a3:f5:c1
prime1:
00:e3:2d:6b:5e:05:6b:e1:46:e6:ab:ae:f3:8b:d0:
5f:94:5c:6f:f5:47:46:1d:4e:66:d3:7e:98:18:e0:
2c:0d:08:ca:b7:29:72:af:53:62:30:ec:be:26:1f:
cc:5a:ed:65:62:65:70:1e:18:19:61:e3:77:00:a7:
3a:9e:4e:12:93
prime2:
00:e2:69:56:78:e8:39:ff:17:db:cc:39:d7:7f:70:
41:dc:c5:59:43:16:c1:84:4c:ae:e7:5d:8a:c5:4b:
da:88:8e:03:99:7c:88:f2:8a:13:31:57:44:e0:b5:
c8:0a:60:b0:05:de:f6:9e:f2:00:ec:37:21:8d:3b:
dc:8e:c9:d4:61
exponent1:
1a:ad:6a:be:4f:c4:ab:5f:b8:16:d1:24:a8:76:7f:
c2:dc:58:09:65:a5:46:2b:be:c7:77:46:45:25:8e:
06:b9:d1:94:50:b9:b6:fd:03:ba:db:12:39:47:e2:
a7:8a:d9:2d:04:dc:75:ac:3e:ce:cf:f7:59:8c:49:
c5:ed:45:21
exponent2:
2d:4e:fd:32:06:ef:0c:40:7f:08:d8:8e:6a:7f:51:
7e:d7:b3:6c:3c:92:8f:62:35:22:31:d3:02:76:92:
8d:ff:35:73:32:bb:c9:25:9e:7f:a2:42:33:61:cd:
5d:5e:49:fb:72:ca:11:b6:c6:3e:7f:2d:e4:b0:95:
0b:b2:12:21
coefficient:
50:52:09:22:cb:fb:b2:b8:58:85:ab:1d:82:b9:6e:
d0:f6:dc:e8:ce:a6:5d:a1:ff:c8:4d:3b:2b:1c:19:
64:f0:c4:4a:bc:b2:1d:2b:2d:09:59:83:a3:9a:89:
f8:db:2c:2c:8a:bd:fd:a3:16:51:76:aa:ce:ea:85:
6b:1c:9f:f7
4.3. Web T[oÌÄN®
EFuT[oðÄN®·éXNvgÍA¨»ç
/usr/local/sbin©A/usr/sbin (httpd Æ¢¤XNvg¼Å)A é¢Í
/usr/local/apache/bin (apachectl Æ¢¤XNvg¼Å) É éŵå
¤B SSL ðLøɵÄT[oðN®µÄ¢È¢ÈçAT[oðâ~µÄAN
®³¹éKvª èÜ·BJnAÄN®Aâ~̽ßÉA©ªpÌJX^}C
Yµ½XNvgð¢Äà\¢Ü¹ñBSSL GWªN®·éÀèAâè
Í èܹñB
R}hÍ |
httpd stop
httpd startssl
httpd restart
é¢Í
apachectl stop
apachectl startssl
apachectl restart
5. guV
[eBO
¶µ¤éA 調Èâèð¢Â©¢Ä¨«Ü·B
5.1. T[oÍN®µ½æ¤É©¦éªAZL
ATCgÉANZXÅ«È¢
error_log t@Cð`FbNµÄ¾³¢B@[`zXgªG[
Oðæ¤ÉÝèµÄ¢È¢ÈçAl¦¼µ½ûª¢¢©àmêܹñBá
¦µ½ SSL @[`zXgÍAG[Ot@CÉo͵ܷB½
ªA2, 3 ÌxÆAOÌÅãÉG[ª èAî{IÉÍ駮ªØ¾
ÆêvµÈ¢AÆ¢¤àeŵå¤B
áF
[Tue Nov 21 09:09:02 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
OpenSSL/0.9.6 configured -- resuming normal operations
[Tue Nov 21 09:09:16 2000] [notice] caught SIGTERM, shutting down
[Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1
OpenSSL/0.9.6 configured -- resuming normal operations
[Tue Nov 21 14:40:31 2000] [notice] caught SIGTERM, shutting down
[Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443)
Unable to configure RSA server private key (OpenSSL library error follows)
[Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
ãLÌG[bZ[Wð¾½ÈçAâèÍ®ÆؾªêvµÈ¢±ÆÅ
·BftHgÌ server.keyt@CðgÁĢȢ±ÆðmFµÄ¾³
¢BܽAhttpd.conf t@Cð`FbNµÄAfBNeBuª³µ¢é
§®ÆؾðwµÄ¢é©ÌmFà·é׫ŷB
mF̽ßA駮Æؾ̮ª³mÅA¨Ý¢ÉÎðȵĢé±Æð
²×é±ÆàÅ«Ü·B±Ì½ßÉÍAºÌR}hðgÁÄ駮ð^[~
iEBhEÉ»µAÊÌEBhEÅؾð»µÄ¾³¢B
är·éÌÍA®»ê¼êÌW
[ÆÀÌÅ·B®ÌW
[ÆÀ̪
ؾ̻êÆêv·éÈçÎA»ÌؾƮª³µÎÉÈÁÄ¢éÆ¢
¦Ü·B
If all else fails, create a new private key, CSR or self-signed
certificate. Before you do this, check your CA's re-issue policy.
You may be charged for a re-issue.
To view the contents of the certificate:
openssl x509 -noout -text -in filename.crt
To view the contents of the private key:
openssl rsa -noout -text -in filename.key
5.2. Certificate Name Check Warning is issued by the client's browser
The most common cause for this is omitting the "www" at the beginning
of the domain name when creating the CSR. The name defined by the
"ServerName" directive for that virtual host must match the domain
name presented by the certificate exactly or the browser will let the
client know. The exception is a wild card certificate. A wild card
certificate's domain name field would look like *.somedomain.com.
This enables you to use one certificate for any number of sub-domains
of somedomain.com (e.g. host1.somedomain.com and
host2.somedomain.com).
5.3. NCAgÌuEUÉAؾªM³êĢȢؾs@Ö
If you are using a self-signed certificate, you will get this warning.
Your clients will be given the option to trust your certificate or
not. If you have a CA signed certificate and are getting the
untrusted warning, you probably need to install their intermediate
(root) certificate.
5.4. SSLEngine on is an un-recognized command (Apache ÌN®)
±ÌG[bZ[WÍAApache ÆêÉ ModSSL ðRpCµÈ©Á½
êɶµÜ·B@[`zXgÅ SSL ðg¤ÌÉAÊÌfBN
eBuðg¤ SSL pbP[Wà èÜ·BÊÌfBNeBuðg¤pbP
[WðgÁÄ¢éê±ÌG[bZ[Wðܽ©é±ÆÉÈèÜ·B
5.5. "PEM pXt[Y" ðYêĵܢAǤâÁÄ»êðÄÝè·é©
mè½¢B
±ÌpXt[YðÄÝè·éû@Í èܹñBð·éÉÍApXt[
Yð¯¦Ä¨©AVµ¢é§®ð쬷鵩 èܹñB»¤·éÆAV
µ¢Ø¾ðæ¾·é©AVµ¢©Ø¾ð쬷éKvªÅÄéŵå
¤B
6. pêW
FØ
T[oâNCAgA[UÆ¢Á½lbg[Nã̶ÝðA¾m
ɯêÅ éÆؾ·é±ÆBSSL ̶¬ÅÍAFØÍT[oÆNC
Agɨ¯éؾÌÆßöð¢¢Ü·B
ANZX§ä
lbg[NÌæÖÌANZXð§À·é±ÆBÊí Apache ̶¬Å
ÍA é URL ÖÌANZXð§À·é±ÆB
ASY
Àçê½èÅâèðð·é½ß̾Èè®A é¢ÍK¥ÌgB
û̽ßÌASYÍAÊí cipher ÆÄÎêÜ·B(óF
{¶ÅÍAcipher àÃAÈÇÆóµÄÜ·B)
ؾ
T[oâNCAgÆ¢Á½lbg[NGeBeBðFØ·éÌ
ÉgíêéAf[^R[hBؾÍA»ÌLÒ (subject ÆÄÎ
êÜ·) Ƽð·éؾs@Ö (issuer ÆÄÎêÜ·) ÉÖ·
é X.509 ÌîñfÐAÁ¦ÄLÒÌé§®Æ CA ÉæÁÄ쬳ê
½¼ðÜÝÜ·Blbg[NGeBeBͱêç̼ðØ·
éÌÉA CA Ìؾðg¢Ü·B
FØ@Ö (CA)
M³êÄ¢éæOÒ@ÖÅAlbg[NGeBeBªÀSÈèi
ÅFسêé½ßÉA»Ìؾɼ·é̪ÚIÅ·B¼Ìlbg
[NGeBeBͼð`FbNµÄA CA ªØ¾Ì^ÑèƵ
ÄFسêÄ¢é±ÆðmF·é±ÆªÅ«Ü·B
ؾ¼v (CSR)
FØ@ÖÉño³êé¼³êĢȢؾÅA»Ì CA ؾÌé
§®Å¼³êÜ·BCSR ͼ³êé±ÆÅ^ÌؾÆÈèÜ·B
TCt@
f[^Ìû̽ßÉg¤ASYâVXeBá¦ÎADES,
IDEA, RC4 ÈÇÅ·B(óF´¶Ì~XÆzèµÄóÉèðÁ¦Ä¢
Ü·)
ö
vCeLXgÉÃ@ð{µ½ÊB
ÝèfBNeBu
vO̮ɨ¢ÄA1 ÂÈã̤Êðì·éÝè½
ßBApache ̶¬ÅÍAÝèt@CÌÅÌJÉ çäé½ß
ª«Ü·B
û | ÎÌ
NCAgÆT[oªAf[^Ìûƻɯ¶®ðp¢Ü
·B
û | ñÎÌ
®ÌyA (öJ®Æ駮) Å\¬³êÜ·BPKI ÍñÎÌÃÅ·B
fW^¼
û³ê½bZ[WÆÆàÉM³êéf[^ÅAì¬ÒÌؾð
µAüâ³êĢȢ±ÆðmFµÜ·B
HTTPS
(ÀSÈ)nCp[eLXg]vgRÅAWorld Wide Web ɨ¯
éWÌû³ê½ÊMJjYÅ·B±êÍAÀÛÉÍPÈé
HTTP over SSL Å·B
bZ[W_CWFXg
bZ[WÌnbV
ÅAbZ[WÌàeª]ÉÏX³êÄ¢È
¢±ÆðmF·é½ßÉp³êÜ·B
ÛFh~
(CÓÌæOÒ@Ö©çCÓÌÉmFÂ\È) U¢sÂ\ÈÖWÆA
{¨Å é±Æª¢mxÅf¾Å«éFØÆÌoûɨ¢ÄAf[^
̳T«ÆN¹ÆªØ¾³êÄ¢éT[rXB
±êÍûè@ÉæÁÄB¬³ê½Á¿ÅAÂl é¢ÍÀÌÉAf
[^ÉÖ·éÁèÌs®ðæêÈ¢æ¤É·é (á¦ÎÛFÖ~âF
Ø(o©)Ì@\A`±EÓuEÏCÈÇÌؾA é¢ÍL Ìؾ
ÈÇ)B
OpenSSL
I[v\[XÌ SSL/TLS c[LbgÅ·B
http://www.openssl.org/ <http://www.openssl.org/> QÆB
pXt[Y
駮t@CðÛì·éPêâZ¶BFسêÈ¢[UªA»êç
ðûÉg¤Ìðh¬Ü·B½¢Ä¢ÍATCt@[ÉεÄgíê
éAû/»Ìé§Ì®ÆÈèÜ·B
½¶
û³êĢȢeLXgB
駮
öJ®ÃVXeɨ¯éé§Ì®ÅAÍ¢½bZ[WÌ»
ÆAoÄ¢bZ[WÖ̼ÉgíêÜ·B
öJ®
öJ®ÃVXeãɨ¢ÄANÅàpÅ«é®ÅA»ÌLÒ¶
ÄbZ[WÌûÆA»ÌLÒÉæé¼Ì»ÉgíêÜ
·B
öJ®Ã
é®ðûAÊÌ®ð»Ég¤AñÎÌÈûVXe̤
âAvP[VBηé±êçÌ®Ìgª®yAð\¬µÜ
·BñÎÌÃÆàÄÎêÜ·B
Secure Sockets Layer (SSL)
êÊIÈÊMFØÆ TCP/IP lbg[NzµÌû̽ßÉAlb
gXP[vR~
jP[VYÐÉæÁÄ쬳ê½vgRBÅ
àL¼Èp@Í HTTPSA·Èí¿ HTTP over SSL Å·B
ZbV
SSL ÊMɨ¯éReLXgîñB
SSLeay
Eric A. Young <eay@aus.rsa.com> ªJµ½AÅÉ SSL/TLS ðÀ
µ½CuBhttp://www.ssleay.org/
<http://www.ssleay.org/> QÆB
ÎÌÃ@
ûƻ̼ûÉAPêÌ駮ðg¤A¤âAvP[V
B
gX|[gwZL
eB (TLS)
SSL ÌãpvgRÅAêÊIÈÊMFØÆ TCP/IP lbg[Nz
µÌû̽ßÉAC^[lbgZp]cï (IETF) ÉæÁÄì¬
³êܵ½B TLS Ìo[W 1 ÍASSL Ìo[W 3 ÆÙÆñ
ǯêÅ·B
jtH[\[XP[^ (URL)
World Wide Web ãÌlXÈ\[XÌÊuð¦·A³K̯ÊqB
àÁÆàL¼È URL ÌXL[ÍA http Å·BSSL Í https Æ¢¤
XL[ðp¢Ü·B
X.509
ÛÊMA (ITU-T) ª§·éFØؾÌXL[ÅA SSL/TLS Ì
FØÉp¢çêÜ·B
ITU-T
X.509 [CCI88c] ©ÍAX.509 ÌؾL@¾¯ÅÈ X.500 fBN
gÌFØT[rXðè`µÜ·BX.509 ÌfBNgFØÍAé§
®ÅàöJ®ÅàÀÂ\ÅAãÒÍöJ®Ø¾ÉîÃàÌÅ·B
WÅÍAÁèÌûASYÍwè³êĢܹñªAWÉ
®·éQl¶ÅÍA RSA ASYÉ¢ÄྪȳêÄ¢
Ü·B
