ÀSÈ RedHat Apache T[oÌ\zû@ Richard Sigle, Richard.sigle@equifax.com 0.1, 2001-02-06 KURASHIKI Satoru (ouka@fx.sakura.ne.jp) 0.1J, 2002-02-22 ±ÌKChÍAPKI Æ SSL ðêÉ®©·û@ðྷéæ¤ÉÓ}³êÄ ¢Ü·BÀSÈT[oð\z·é½ßÉÍASSL vgRªÇ¤@\µÄ¢ é©ðð·éKvª èÜ·B ______________________________________________________________________ Ú 1. ±ÌKChÌÚI/ÍÍ 1.1 Secure Sockets Layer (SSL) É墀 1.2 tB[hobN 1.3 ì ƤW 1.4 Ó« 2. Secure Sockets Layer/Private Key Infrastructure ÖÌµÒ 2.1 SSL/PKI ÌM« 2.2 SSL ÍǤ@\·éÌ© 2.2.1 SSL nhVFCNvgR 2.2.2 ZbV® (ÎÌ®) 2.2.3 öJ/駮ÌyA(ñÎÌR[h) 2.3 PKI ÌdgÝ 2.4 ؾ(x509 W) 2.5 fW^ؾÌ駮 2.6 fW^ؾÌöJ® 2.7 ؾ¼v(CSR) 3. ؾÉæéìÆ 3.1 駮Ìì¬ 3.2 ؾ¼vÌì¬ 3.3 ©Ø¾Ìì¬ 3.4 EFuT[oÖÌؾÌCXg[ 4. Apache Server ÌÝè 4.1 ZL AÈ@[`zXgÌè` 4.1.1 SSL Engine 4.1.2 SSLCertificateFile 4.1.3 SSLCertificateKeyFile 4.1.4 SSLCACertificateFile 4.2 ؾÌá 4.2.1 T[oؾt@C 4.2.2 ؾt@CÌàe 4.2.3 駮t@C 4.2.4 駮t@CÌàe 4.3 Web T[oÌÄN® 5. guV [eBO 5.1 T[oÍN®µ½æ¤É©¦éªAZL ATCgÉANZXÅ«È¢ 5.2 Certificate Name Check Warning is issued by the client's browser 5.3 NCAgÌuEUÉAؾªM³êĢȢؾs@Ö 5.4 SSLEngine on is an un-recognized command (Apache ÌN®) 5.5 "PEM pXt[Y" ðYêĵܢAǤâÁÄ»êðÄÝè·é©mè½¢B 6. pêW ______________________________________________________________________ 1. ±ÌKChÌÚI/ÍÍ ±ÌKChÌÚIÍARedHat Linux Ì[Uª Apache EFuT[oðgÁ ÄT[o(SSL)ؾðCXg[·éÌð请é±ÆÅ·BÚWÍA ÔÆA½Ìê¨àðßñµÄêéèðÍÁ«è¦·±ÆÅ·I ÅÉA SSL vgRÆfW^ؾÉ¢ÄmÁĨ׫±Æðà ¾µÜ·BÌo±ÅÍAModSSL Æ OpenSSL ðgÁÄ Apache EFuT[o ð\z·é̪AÅàLvÈ\tgEFAÌgÝí¹Å·BOpenSSL ÍÄp IÈûCuÅASSL v2/v3 Æ TLS v1 vgRðT|[gµÄ¢ Ü·B ModSSL ÍAApache API W [ÅAApache Æ OpenSSL ÔÌC ^[tFCXƵĮì·éæ¤ÉìçêĢܷBÅåÌvÍA±êç 3 ÂÌpbP[Wªt[Å é±ÆÅ·B »µÄ 4 Í©çÍA®Ì¶¬ÆAModSSL Æ OpenSSL ðgݱñÅRpC ³ê½ RedHat-Apache T[oÖÌؾÌCXg[ððÇÁÄ©Ä ¢«Ü·B 4 ÍÌèÍAApache ƧÚÉÖWµÄ¢é Stronghold â Raven Æ¢Á½¤p SSL T[oÌpbP[WÉàKpÅ«éŵå¤B xFÍAEquifax Secure Inc. Æ¢¤Ø¾s@ÖÌeNjJT|[ gZpÒÅ·BÅ·©çAÍ Equifax Secure Ìؾðg¢Ü·µAáÍ Equifax Secure ÌؾðCXg[ÉKµ½`ÉÈÁĢܷBÆÍ ¢¦Aèø«Í¼Ìؾs@ÖÉæéؾÉàg¦é͸ŷB±Ì¶ ðª¦æµÄ¢½©çÆ¢ÁÄàAEquifax Secure Inc. ÍA±êçÌ èðg¤±ÆÉæÁĶ¶é½@ÈéÊÉ¢ÄàA`±àÓCà¢Ü ¹ñB ÇÒÉηéÌRgÍA±ÌX^C(²)Å·B. áÍÊÌX^CŦµÜ·B. 
xÈRgâAhoCXÍASGML \[XÌRgÆµÄ¢Ä è Ü·B 1.1. Secure Sockets Layer (SSL) É墀 SSL ÍATCP ÆAvP[VwÌÔÉ éAv[e[VwÌT[ rXÅ·B±êÍvbgtH[âAvP[VÉÍ˶µÜ¹ñB SSL ÍNCAgÆT[oÔÌZL AÈÊM`lðÇ·éðÚð ÁĢܷB SSL ÍNCAgÆT[oÔÅ]³êéf[^ðû ·éAÍÈ@\ðñµÜ·B 1.2. tB[hobN ±ÌKChÉ¢ÄÌRgÍAÒ (richard.sigle@equifax.com) É Äɨ袵ܷB 1.3. ì ƤW Copyright (c) 2001 by Richard L. Sigle Please freely copy and distribute this document in any format. It's requested that corrections and/or comments be forwarded to the document maintainer. You may create a derivative work and distribute it provided that you: o Send your derivative work (in the most suitable format such as sgml) to the LDP <http://www.LinuxDoc.org/> (Linux Documentation Project) or the like for posting on the Internet. If not the LDP, then let the LDP know where it is available. o License the derivative work with this same license or use GPL. Include a copyright notice and at least a pointer to the license used. o Give due credit to previous authors and major contributors. If you're considering making a derived work other than a translation, it's requested that you discuss your plans with the current maintainer. 1.4. Ó« Þ±ÆÈÌhtgðÇñÅAAhoCXðê½ Tony Villasenor É´ÓðB Tony ª¢È¯êÎA±Ì¶Í«ã°é±ÆªÅ«È©Á½Å µå¤B 2. Secure Sockets Layer/Private Key Infrastructure ÖÌµÒ PKI ÍAöJ® (NCAgÉçêÜ·) Æ駮 (T[oãÉ¶ÝµÜ ·) ©çÈéAñÎÌÌ®VXeÅ·BPKI ÍANCAgÆT[o̼ ûªÃ»/»É¯¶®ðg¤AÎÌÌ®VXeÆÍÙÈèÜ·B 2.1. 
SSL/PKI ÌM« NWbgJ[hîñâãÃL^A@¥¶Ae-commerce AvP[V Æ¢Á½AÅà@§ÉӵȯêÎÈçÈ¢ÌÊMÉàpÂ\Å é æ¤ÉAÆ¢¤vð½·½ßÉ SSL ÍÝv³êܵ½BeAvP[ VÍA@§«â³êéæøÌ¿lÉæÁÄAȺÌÁ¥ÌÇêð ( é¢Í·×Äð) g¤©IðÅ«Ü·B vCoV[ á¦ÎAA ©ç B Ö`B·é½ßÉAbZ[Wª»³êéƵ Ü·BA Í B ÌöJ®ðgÁÄbZ[WðûµÜ·B±¤·é ÆAB Í©ªÌ駮ðgÁıÌbZ[Wð»µÄÇޱƪ Å«éBêÌl¨ÆÈèÜ·Bµ©µAA ª©ÌµÄ¢éÊèÌl¨Å é©Íè©ÅÍ èܹñB FØ A ª©ÌµÄ¢éÊèÌl¨Å é±Æðm©ßé½ßÉÍAÛØ³ê ½FتKvÅ·B±êÉ͵Ωè¡GÈûÌßöªKvÅ ·B±ÌêAA ©ç B ÖÌbZ[WÍAÅÉ A Ì駮ÅA É B ÌöJ®Åû³êÜ·BB Íܸ©ªÌ駮ÅA¢ŠA ÌöJ®Å»µÈ¯êÎÈèܹñB±êÅAB Í A ª©ÌµÄ ¢éÊèÌl¨¾ÆmMÅ«Ü·B¼ÌlÍNà A Ì駮Åû µ½bZ[Wðìé±ÆÍÅ«È¢ÌÅ·©çB SSL ͱêðAØ ¾ (PKI) ðg¤±ÆÅB¬µÄ¢Ü·BؾÍA| ؾs@ Ö (CA)Ìæ¤È | §ÌT[hp[eB©çs³êAؾ³ê½ èÌöJ®ÉÁ¦ÄAfW^¼â^CX^vðÜñÅ¢Ü ·B³µ¢ SSL c[ðg¦ÎNÅੵ½fW^ؾðì¬ Å«Ü·ªA©µ½Ø¾ÅÍA¤ÊÉhÓð¥íêÄ¢é§ÌT [hp[eBªs¤AáyÌdÝɯܷB ³T« SSL ɨ¢ÄÍAMAC (Message Authentication Code: bZ[WFØ R[h) ðK{ÌnbV e[uÖÆÆàÉg¤±ÆųT«ªÛ سêĢܷBbZ[W̶¬ÉAnbV Öðg¤±ÆÅ MAC ª¾çêA»ÌʪbZ[WÉÇÁ³êÜ·BbZ[Wªó M³êéÆAbZ[WÉß±Üê½ MAC ðó¯ÆÁ½bZ[W ©çvZµ½Vµ¢ MACÆär·é±ÆÅAëªØ³êÜ·B± êÅAæOÒÉæÁÄÏX³ê½bZ[WÍ·®É¾ç©ÉÈèÜ ·B ÛFh~ ÛFh~ÍAICÌâèÆèÌÔA¼ûÌÊMÒð¨Ý¢©çÛ ìµÜ·B±êÍAǿ穪Aîñ̤¿ÁèÌêªðçÈ©Á ½Aƾ¤Ìðh¬Ü·BÛFh~ÍAÇ¿ç¤É¢ÄàAùÉȳ ê½âèÆèÌàeðüÏ·é±ÆðµÜ¹ñBfW^ÛFh~Í `IÈ´oÅ¢¦ÎA_ñÉTC·éÌÆ¿Å·B 2.2. SSL ÍǤ@\·éÌ© SSL vgRÍA2 ÂÌTuvgRðÜÝÜ· | SSL R[hvg RÆ SSL nhVFCNvgRÅ·BSSL R[hvgRÍf[ ^Ì`Ég¤tH[}bgðè`µÜ·BSSL nhVFCNvgRÉ ÍA SSL R[hvgRÌpªÜÜêĢܷB±êÍ SSL »³ê½ T[oÆNCAgªÅÉ SSL Ú±ðm§·éÆ«ÉâèÆè·éêA ÌbZ[Wð·Ép¢çêÜ·B±ÌbZ[Wð·ÍAȺÌ@\ðeÕ É·é×Ýv³êĢܷB o T[o©çNCAgÖÌFØBT[oؾÍAؾs@ÖÉ æÁļ³êĨèAؾªóêĨç¸AM̽ª¬§µÄ¢é ±ÆðÛصܷB o NCAgÆT[oªAoûªÆàÉT|[gµÄ¢éûAS YAÂÜèTCt@[(cipher)ðI×éæ¤ÉµÜ·B o CÓÅAT[oÉεÄNCAgðFØB o ¤LÌé§ð¶¬·éÌÉAöJ®ÃZpðg¢Ü·B o û³ê½ SSL Ú±ðm§µÜ·B 2.2.1. 
SSL nhVFCNvgR nhVFCNvgRÍANCAgÆT[oÌóÔð²®·éÌÉg íêÜ·BnhVFCNÌÔAȺÌCxgª¶µÜ· | o NCAgÆT[oÌÔÅؾªð·³êÜ· (ñÎÌÌ®)BT[o ÍöJ®ðNCAgÉèÜ·BT[oªØ¾ðgÁÄNCA gÌFØðs¤æ¤Ýè³êÄ¢éÈçANCAgÍöJ®ðT[o ÉèÜ·BؾÌLøúÀúðmFµAM³ê½Ø¾s@ÖÌ fW^¼ð`FbNµÜ·BLøúÀúâfW^¼ªÔáÁÄ¢ êÎAuEUÍ[UÉxðoµÜ·B[UÍ»ê©çؾÌÛ ÒðM·é±ÆàÅ«Ü·B o ÉNCAgÍ_È® (ÎÌ®) 𶬵ܷB±êçÍà »Æ MAC ÌvZÉgíêÜ·B±Ì®ÍAT[oÌöJ®Åû³êA T[oÉçêÜ·B±ÌVµ¢ÎÌ®ÍAT[oÌݪ»Å«Ü ·BVµ¢ÎÌ®ÍANCAgÆT[oÔÅçêéf[^Ìû ÉgíêÜ·B F T[o - uEUÔFØÌãÉÎÌ®ðg¤±ÆÅA»ÌãÌ ptH[}XªåÉüP³êÜ·B o bZ[WÌûASYÆA³T«Ì½ßÌnbV Öƪð  (negotiate) ³êÜ·B±Ì²®ßöÍANCAgªT|[gµÄ ¢éASYÌêðT[oɦµAÉT[oªoûÅpÂ\È Åà¢ÃðIÔAÆ¢¤æ¤ÉÀs³êÜ·BIð³ê½Ã»A SYÆnbV Ö̯ÊqÍA»ÝÌXe[^XÌÃû@Xyb NtB[hÉÛ¶³êAR[hvgR©çp³êÜ·B o ȺÌtB[hÍSÄAnhVFCNÌÔÉZbg³êÜ· |vg RÌo[WAZbV IDAÃÌgA³kû@A»ê©ç 2  Ì_l ClientHello.random Æ ServerHello.randomB F IP AhXÍAe SSL Ú±ÉKvÉÈèÜ·B¼Ox[XÌ@[ `zXgÍAvP[VwÅð³êÜ·B SSL ªAvP[V w̺ɶݵĢé±Æðv¢oµÜµå¤B 2.2.2. ZbV® (ÎÌ®) o 40 rbgÍAàÆàÆAopÌàÌŵ½ o 56 rbgÍ DES Åp³êĢܷ o 64 rbg® | CAST Åp³êĨèA56 rbgæè 256 {ÍÅ· o 80 rbg® | CAST Åp³êĨèA56 rbgÌ 16,000,000{Í Å· (»ÝÌZpÅÍAjé±ÆÍūܹñ) o 128 rbg® | CAST â RC2 ÅgíêĨèA»ÝàA\ªÅ«é¢ ɨ¢ÄàAÔ IÉ®ððÇ·é±ÆÍsÂ\Å· 2.2.3. öJ/駮ÌyA(ñÎÌR[h) o 512-bit o 768-bit o 1024-bit o 2048-bit 2.3. PKI ÌdgÝ NCAgÆT[oÍA»ê¼êöJ®Æ駮ð¿Ü· (NCAg ª©ªÌؾðÁĨèA»êªT[oÉv³êÈ¢ÀèANCA gÌuEUÍ SSL ÌZbVpÉ®ÌyAð_ɶ¬µÜ·)B MÒÍA©ªÌ駮ðgÁÄbZ[WðûµÜ·B±êÉæèA bZ[WÌ\[XªFسêÜ·BÊÌÃÍAó¯èÌöJ®Åà¤ê xû³êÜ·B±êÍAó¯èÌݪA©gÌ駮ðgÁÄbZ[W ðÅÉðÇ·é±ÆªÅ«éæ¤É·é±ÆÅA@§«ðà½çµÜ·Bó MÒÍAû³ê½bZ[Wð³çÉðÇ·é½ßAMÒÌöJ®ðg ¢Ü·BMÒÌݪ©ªÌ駮ÉANZXÅ«éÌÅAóMÒÍû³ ê½bZ[Wª»ÌMÒ©çÌàÌÅ éÆ¢¤±ÆðÛسêÜ·B bZ[W_CWFXgÍAÖWÒàæOÒàAbZ[Wɽç©Ìüââ ÏXð{µÄ¢È¢±ÆðmF·éÌÉp³êÜ·BbZ[W_CWFX gÍAbZ[WÉnbV Ö (wäƵÄmçêéA駮Ìê) ðg ¤±ÆžçêÜ·B_CWFXg (¼ÆÄÎêÜ·) ÍbZ[WÉYt é¢ÍÇÁ³êÜ·B¼Ì·³Í (bZ[WÌ·³ÉÖç¸) êèÅA 駮ªàÂbZ[W_CWFXgÌ^Cv (md5 Í 128 rbgA sha1 Èç 160 rbgAÈÇ) ÉæèÜ·BbZ[Wð½Á½ 1 rbgÏXµ½ ¾¯Åà¼Ì·³ÍÏ»·éÌÅAbZ[WªÏX³ê½±ÆªØ¾³ê Ü·B 2.4. 
ؾ(x509 W) fW^ؾÍC^[lbgã̶ÝðMÅ«éæ¤ÉµÜ·BfW^ ¼ÍA§ÌæOÒÅ éؾs@ÖÉæÁħسê½A[UÌ ÛØðÜÝÜ·B wIÈASYÆl (®) ªf[^ðÇßÈ¢`Éû·é½ßÉg íêÜ·Bf[^ÌÉÍ 2 ÂßÌ®ªp¢çêA±êÍâIÈAS YÆlðg¢Ü·B 2 ÂÌ®ÍÖAïçê½lðÁĢȯêÎÈ ç¸A®ÌyA ÆÄÎêÜ·B FITU-T Ì© X.509 [CCI88c] Í X.509 ؾÌL@ÌÝÈç¸A X.500 fBNgÖÌFØT[rXÌdlðèßĢܷBؾÍAÎÛ Ì([UÌ)¼OÆ[UÌöJ®ÆÌÂȪèðFØ·é½ßÉAsÒÉ æÁļ³êÜ·BSSLv3 Í 1994 NÉÌð³êܵ½Bo[W 2 Æ 3 ÌåÈá¢ÍAg£tB[hªÇÁ³ê½±ÆÅ·B±ÌtB[hÉæ èAPÈé®Æ¼OÌÂȪ辯ÅÈAÇÁÌîñð`B·é±ÆªÅ« éæ¤ÉÈèAæè_îÉÈèÜ·BWIÈg£ÅÍAÎÛÆsÒÌA ®AFØ|V[îñA®Ìp§ÀÈǪÜÜêÜ·B X.509 ؾÍA±êçÌtB[hÅ\¬³êÜ· | o o[W o VAÔ o ¼ASY ID o sÒ¼ o LøúÀ o ÎÛÌ([UÌ)¼O o ÎÛÌöJ®îñ o sÒÅL̯Êq(o[W 2 Æ 3 ÌÝ) o ÎÛÅL̯Êq(o[W 2 Æ 3 ÌÝ) o g£(o[W 3 ÌÝ) o ãLtB[hÉ¢Ä̼ 2.5. fW^ؾÌ駮 駮ÍAfW^ؾÉß±ÜêÄܹ͢ñB駮ÍÇñÈT[o îñàà¿Ü¹ñB駮ªÂÌÍÃîñÆwäÅ·B±êÍ©ªÌVX eãÅ[Jɶ¬³êAÀSÈ«ÌÜÜÅȯêÎÈèܹñBé§ ®ªë¯É³ç³êêÎAÁQÒÍA{¿IÉ»ÌZL eBVXeÌR [hðèɵ½±ÆÉÈèÜ·BNCAgÆT[oÔÌMÍATó³ êAðdzê¾Ü·B±¤¢Á½ã_ªAtriple DES ZpðgÁÄû³ ê½é§®ðìé±Æª§³êÄ¢éRÅ·B·éÆt@CÍû³ êApX[hÅÛì³êÜ·B±êÉæèA³mÈpXt[YȵÉg¤ ±ÆªÙÆñÇsÂ\ÉÈèÜ·B gUNVÌZL eBÍA»Ì駮É˶µÜ·B±Ì®ªëÁ ½lèÉí½Á½çANÅàÈPɻ̮ðìÁÄAZL eBðjé½ ßÉgpÅ«Ü·B뤢®ÍAT[oÖÌbZ[Wª³@ÈnbJ[É æÁÄTó³êAì³êéÔ𵫩ËܹñB®SÉZL AÈVXe ÅÍA¼ÌðmÅ«A®Ì¡»ðWQ·éæ¤ÉÈÁĢȯêÎÈèÜ ¹ñB 2.6. fW^ؾÌöJ® öJ®ÍfW^ؾÉß±ÜêĨèAZL AÈÚ±ªv³ê½ ÉAT[o©çNCAgÖçêÜ·B±ÌßöÉæèAؾðgÁÄ T[oÌg³ªmF³êÜ·BöJ®Í®S«AMß«ðصAé§Ìf[ ^]ð·é½ßÉf[^ðû·éÌÉàgíêÜ·B 2.7. ؾ¼v(CSR) CSR Íؾs@֪ؾð쬷éÌÉKvÆÈéîñðÜÞàÌÅ ·B CSR ÍA駮ÉεÄâIÈASYAT[oÌg³ðؾ· éîñðà¿Ü·B±ÌîñÉÍAABAgDAêʼ(hC¼)AA æÆ¢Á½îñªÜÜêÜ·ªAÀè³êéí¯ÅÍ èܹñB 3. ؾÉæéìÆ ±êÈ~ÌßÅÍA駮t@CÌì¬Aؾ¼vA»ê©ç©Ø ¾ðÜÞè𨳦ܷBؾs@ÖÉæÁļ³ê½Ø¾ðü è·éÂàèÈçAؾ¼v (CSR) ð쬷éKvª èÜ·B é ¢ÍA©Ø¾ð쬷é±ÆàÅ«Ü·B 3.1. 
駮Ìì¬

é§®ðìéÉÍAOpenSSL c[LbgªCXg[³êÄ¢ÄA Apache pÉÝè³êÄ¢éKvª èÜ·B±±©çÌáÅÍAftHg Ì /usr/local/ssl/bin fBNgÉ é OpenSSL ÌR}hCc[ ðg¢Ü·BáÅÍAOpenSSL ÌR}hCc[ª éfBNg ª $PATH ÉÇÁ³êÄ¢é±ÆðzèµÄ¢Ü·B

gv DES ÃW (§) ðgÁÄ駮ðìéÉÍA±ÌR}hð g¢Ü· |

        openssl genrsa -des3 -out filename.key 1024

pXt[Yðü͵AܽÄüÍ·éæ¤ÉßçêÜ·Bgv DES ðg¤±Æɵ½ÈçASSL T[oðR[hX^[gÅN®³¹éxÉpX [hðßçêÜ·B(ÄN®R}hðg¤êÍApX[hÍ·©ê ܹñB) ÁÉVXeðxÝÌÔÉN®¹ËÎÈçÈ¢êA±ÌpX[ hüͪ¤´Á½¢Æv¤©àµêܹñBܽAVXeÍùÉ\ªÉS ¾ÆmMµÄ¢é©àµêܹñBÅ·©çApX[hüͪȢæ¤ÉI ð·é (]ÁÄgv DES ûðgí¸É) ÈçAȺÌR}hðÀ sµÄ¾³¢BtÉAPÉ 512 bit Ì®ðìè½¢ÈçAR}hÌÅã É é 1024 ðíÁľ³¢B·éÆ OpenSSL ÍftHgÌ 512 bit Å ®ðìèÜ·B¬³È®ðg¤ÆAµÎ©èÈèÜ·ªAÀS«àẠµÜ·B

駮ðgv DES ûȵÅ쬷éÉÍA±ÌR}hðg¢Ü· |

        openssl genrsa -out filename.key 1024

ù¶Ì駮ÉpX[hðÇÁ·éÉÍA±ÌR}hðg¢Ü· |

        openssl rsa -in filename.key -des3 -out newfilename.key

ù¶Ì駮©çpX[hðí·éÉÍA±ÌR}hðg¢Ü· |

        openssl rsa -in filename.key -out newfilename.key

ÓFÊrwèµÈ¯êÎA駮ÍJgfBNgÉ쬳êÜ·B ±êðæ赤ÉÍ 3 ÂÌÈPÈû@ª èÜ·BOpenSSL ªpXÉüÁÄ ¢êÎA®t@CðÛ¶·é½ßÉIñ¾fBNg©çÀs·é±Æª Å«Ü· (Apache ÌCXg[É RPM ðgÁ½êÌftHgÍ /etc/httpd/conf/ssl.key ÅA\[Xt@C©çCXg[µ½ÌÈç /usr/local/apache/conf/ssl.key Å·)BÊðÍA®ªì¬³ê½fBNg ©çA³µ¢fBNgÖÆt@CðRs[·é±ÆÅ·B³çÉAå ȱÆð¾¢Yêܵ½ªAR}hÌÀsÉpXðwè·é±ÆªÅ« Ü· (eg. openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key 1024)BÉiÞOÉìƪIíÁÄ¢êÎAû@ÍÇêÅà\¢Ü¹ñB

OpenSSL c[LbgÉ¢ÄÌæèÚµ¢îñÍA±±©Ä¾³¢ | OpenSSL Website <http://www.openssl.org/>

3.2. ؾ¼vÌì¬

ؾs@ÖÉæÁļ³ê½Ø¾ðüè·éÉÍAؾ¼v (CSR) ð쬷éKvª èÜ·BÚIÍA駮ðÛ²ÆÁ½èAµ¢Ì ïµ¢îñðë¯É³çµ½è·é±ÆÈAؾð쬷éÉ«éîñð ؾs@ÖÉé±ÆÅ·BCSR ÍAá¦ÎhC¼ânæîñÆ¢Á ½AؾÉÜÜêéîñààÁĢܷB

o CSR ðìéàÆÌ駮ðmFµÜ·B±ÌR}hðü͵ľ³¢ |

        openssl req -new -key filename.key -out filename.csr

o næîñA¤Ê¼ (hC¼)AgDîñÈÇÌüÍðßçêÜ·BK vƳêéÚÆAsKØÈGgÌîñðAÌpµæ¤ÆµÄ¢é CA Éâ¢í¹Ä¾³¢B

o CSR ð CA Ìw¦É]ÁÄèÜ·B

o Vµ¢Ø¾ðÒ¿ÂÂA é¢Í©Ø¾ð쬵ľ³¢B© ؾÍؾs@Ö©çؾðó¯ÆéÜÅgp·é±ÆªÅ«Ü ·B

ÓF駮Æv(ó:CSR)ð¯É쬷éÉÍAÌR}hðg¢Ü ·B

        openssl req -new -newkey rsa:1024 -keyout filename.key -out filename.csr

3.3.
©Ø¾Ìì¬

CA ̼µ½Ø¾ðüèµæ¤ÆµÄ¢éÈçA©Ø¾ðìéKvÍ èܹñBÆÍ¢¦A©Ø¾Ìì¬Í½¢ÖñÈPÅ·BKvÈÌÍA 駮ÆZL Aɵ½¢T[o̼O (®SCühC¼) Å·Bnæî ñâ¤Ê¼ (hC¼)AgDîñÈÇðuËçêÜ·BOpenSSL ÅÍA± ±Å©ÈèÌ©Rª««Ü·Bؾª³íÉ@\·é½ßÉBêKvÈîñ ÍA¤Ê¼ (hC¼) Å·B±êªÈ©Á½èA¯½èµÄ¢é ÆACertificate Name Check xðuEU©çó¯é±ÆÉÈèÜ·B

©Ø¾ð쬷éÉÍ |

        openssl req -new -key filename.key -x509 -out filename.crt

3.4. EFuT[oÖÌؾÌCXg[

±êçÌw¦É]ÁÄ¢½çA¡ÜÅÌƱëA±±ÜÅÅÍÁÉâèÍN« ĢȢ͸ŷBCSR ðؾs@ÖÉÁÄAܾؾðó¯ÆÁÄ ¢È¢ÈçA¿åÁÆêxݵܵå¤I ©Ø¾ðgÁÄ¢é©Aؾ ðó¯Æè¸ÝÈçAÉiñÅà\¢Ü¹ñB

o 駮t@CªAg¤Æß½êÉ é±ÆðmFµÄ¾³¢B± áÍ RedHat RPM ÉæéCXg[ÌftHg lA/etc/httpd/conf/ssl.key Éî¢Ä¢Ü·B

o CA ª¼µ½A é¢Í©Ìؾªwè³ê½fBNgÉ é± ÆðmFµÄ¾³¢BJèԵܷªAÍ RPM ÌftHgÅ é /etc/httpd/conf/ssl.crt ðg¢Ü·Bܾ»±ÉȯêÎA»±Ézu µÄ¾³¢B

o àµACXg[·éÔؾ (ܽÍ[gؾ) ª éÈçA »êà /etc/httpd/conf/ssl.crt fBNgÉRs[µÄ¾³¢B

o ÍAhttpd.conf t@CðÒW·éKvª èÜ·BÌXeb vA``Apache Server ÌÝè'' ÉiÞOÉA±Ìt@CÌobNAbv ðìÁľ³¢B

4. Apache Server ÌÝè

SSL ðT|[g·é½ßÉÍAApache ÍÇÁÌ API W [ðg¤æ¤É Ýè³êéKvª èÜ·B½Ì SSL \tgEFApbP[WªpÅ« Ü·BÌáÅÍAModSSL Æ OpenSSL pÉÝè³ê½ Apache ð³ÉµÄ¢ Ü·B±êçÌv_NgðT|[g·é¦ØêÈ¢ç¢Ì[O Xgâj [XO[vª èÜ·B Apache EFuT[oð³ÉµÄ¢é¢ ©̤p SSL pbP[WÉàA±êçÌèø«ªLp¾Æv¤©àµê ܹñB

¢Â©ªÉüêĨ׫±Æª èÜ· | ¯¶T[oÉ¡Ì@[ `zXgð½Äé±ÆªÅ«Ü·B¯¶ IP AhXÅA¼Ox[XÌ @[`zXgð½½Äé±ÆªÅ«Ü·B¯¶ IP AhXÅA¼O x[XÌ@[`zXgð½ÆAZL AÈ@[`zXgð 1 ½Äé±ÆàÅ«Ü·B½¾µ | ¯¶ IP AhXÅA¡ÌZL AÈ @[`zXgð½Äé±ÆÍūܹñB½Ìlª±¤uËéÅµå ¤ | ½ÌH ÆB¦Í±¤Å· | SSL ÍAvP[Vw̺Å@\ µÜ·B¼Ox[XÌzXgÍAAvP[VwÜÅÍè`³êĢܹ ñB

ÁÉA¯¶ SOCKET (IP AhX + |[g) É¢ÄA¡ÌZL AÈ @[`zXgð½Äé±ÆÍūܹñBftHgÅÍAZL AÈ zXgÍ|[g 443 ðg¢Ü·B@[`zXgª¯¶ IP AhXÅ ÙÈé|[gÔðg¤±ÆÅAÊÌ\Pbgð쬷éæ¤ÉÝèðÏX· é±ÆÍÅ«Ü·B±Ìû@ÉͽÌssª èÜ·BêÔ¾mÈss ÍAftHg|[gðgÁĢȢêAZL ATCgÖÌANZXÉ ¨¢ÄAURL É|[gÔðÜßÈÄÍÈçÈ¢±ÆÅ·B

á¦ÎF

o ftHg|[gðg¤TCgAwww.something.com ÍAhttps://www.something.com ÅANZXÅ«Ü·

o |[g 8888 ðg¤TCgÅÍAhttps://www.something.com:8888 ÅAN ZXÅ«Ü·B

à¤êÂÌssÍA½³ñÌ|[gðg¤ÆA|[gðk¬ÜíénbJ [Éæè@ïð^¦é±ÆÉÈéAÆ¢¤±ÆÅ·BÅãÉAIñ¾|[gª ½©¼ÅgíêÄ¢éÆAÕËâ誶·é±ÆÉÈèÜ·B

4.1.
ZL AÈ@[`zXgÌè`

@[`zXgÌÝuÍASÈPÅ·BZL AÈ@[`zXg ðÝè·éî{ðA¢µÄ¢«Ü·B

±êçÌáɨ¢ÄA.crt Æ .key t@Cg£qðg¢Ü·B±êÍAl XÈt@CÆ̬ðð¯éAÂlIÈû@Å·BApache ðg¤ÈçAD «Èg£qðg¦Ü·µA é¢Íg£qȵÉàÅ«Ü·B

ZL AÈ@[`zXgÍSÄAÊíÍ httpd.conf t@CÌöÉ zu³êéA<IfDefine SSL> Æ </IfDefine SSL> ÉïܳêéKvª èÜ ·B

ZL AÈ@[`zXgÌáÅ· |

        <VirtualHost 172.18.116.42:443>
            DocumentRoot /etc/httpd/htdocs
            ServerName www.somewhere.com
            ServerAdmin someone@somewhere.com
            ErrorLog /etc/httpd/logs/error_log
            TransferLog /etc/httpd/logs/access_log
            SSLEngine on
            SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
            SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
            SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
            <Files ~ "\.(cgi|shtml)$">
                SSLOptions +StdEnvVars
            </Files>
            <Directory "/etc/httpd/cgi-bin">
                SSLOptions +StdEnvVars
            </Directory>
            SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
            CustomLog /etc/httpd/logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </VirtualHost>

SSL É¢ÄÅàdvÈfBNeBuÍASSLEngine on, SSLCertificateFile, SSLCertificateKeyFile, »ê©ç½ÌêÅ SSLCACertificateFile Å·B

4.1.1. SSL Engine

"SSLEngine on"| ±êÍASSL ðJn·é½ßÌ ModSSL R}hÅ·B

4.1.2. SSLCertificateFile

SSLCertificateFile ÍAApache Éؾt@CÌÝÆA»êªÈñÆ¢ ¤¼OÈÌ©ðw¦µÜ·BãÌáÅÍA"server.crt" ªØ¾t@C¼ ƵĦ³êĢܷB±êÍAApache ÆêÉ ModSSL ðÝèµ½ÉÇ Á³êéftHgÅ·BÂlIÉÍAftHg̼Oðg¤±Æͨ©ß µÜ¹ñBÊ|ÈÌð±ç¦ÄAؾÉT[o¼.crt (hC¼.crt) Æ ¼t¯Ä¾³¢B¯¶æ¤ÉAftHgÌ /etc/httpd/conf/ssl.crt â /usr/local/apache/conf/ssl.crt ÆÍÊÌfBNgðg¤±ÆàÅ«Ü ·B

4.1.3. SSLCertificateKeyFile

SSLCertificateKeyFile ÍAApache É駮̼OÆ»ÌÝðw¦µÜ ·B±±Åwè³ê½fBNgÍ root ÌݪÇÝ/« ÀðÁÄ¢ éKvª èÜ·B¼ÉÍNà±ÌfBNgÉANZX·é׫ÅÍ è ܹñB

4.1.4.
SSLCACertificateFile

SSLCACertificateFile fBNeBuÍAApache ÉÔؾÌêðw¦ µÜ·B±ÌfBNeBuÍAgpµÄ¢é CA ÉæÁÄKv¾Á½èsK v¾Á½èµÜ·B±Ìؾª{¿IÉMÌÖÆÈèÜ·B

Ôؾ | ؾs@ÖÍA ȽÆÙÆñǯ¶û@Åؾð¾Ü ·B±êÍAÔؾƵÄmçêĢܷB±êÍAî{IÉÍÔؾ ÌÒªA¢¤àÌÅ·BEFuuEUÍAe[X²ÆÉXV³ê éA"MÅ«é" ؾs@ÖÌXgðÁĢܷBؾs@Öª SVµ¢ÈçA»ÌÔؾÍAuEUÌMÅ«é CA XgÉÍ üÁĢȢŵå¤BÙÆñÇÌlª©ªÌuEUð»¤pÉÉAbvf [gµ½èµÈ¢Æ¢¤Àð±êÆí¹éÆA±¤ÈèÜ· | CA ª© ®IÉMÅ«éàÌƵÄF¯³êéÉÍAN©©èÜ·BðôÍA SSLCACertificateFile fBNeBuðgÁÄAT[oÉÔؾðC Xg[·é±ÆÅ·B½¢Ä¢A"M³ê½" CA ÍÔؾðsµÄ ¢Ü·Bൻ¤ÅȯêÎASSLCertificateChainFile fBNeBuðg íËÎÈçÈ¢©àmêܹñªA±êÍܸȢ±ÆÅ·B

4.2. ؾÌá

4.2.1. T[oؾt@C

        -----BEGIN CERTIFICATE-----
        MIIC8DCCAlmgAwIBAgIBEDANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
        FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
        VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
        biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
        MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTkwNTI1
        MDMwMDAwWhcNMDIwNjEwMDMwMDAwWjBTMQswCQYDVQQGEwJVUzEbMBkGA1UEChMS
        RXF1aWZheCBTZWN1cmUgSW5jMScwJQYDVQQDEx5FcXVpZmF4IFNlY3VyZSBFLUJ1
        c2luZXNzIENBLTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMYna8GjS9mG
        q4Cb8L0VwDBMZ+ztPI05urQb8F0t1Dp4I3gOFUs2WZJJv9Y1zCFwQbQbfJuBuXmZ
        QKIZJOw3jwPbfcvoTyqQhM0Yyb1YzgM2ghuv8Zz/+LYrjBo2yrmf86zvMhDVOD7z
        dhDzyTxCh5F6+K6Mcmmar+ncFMmIum2bAgMBAAGjYjBgMBIGA1UdEwEB/wQIMAYB
        Af8CAQAwSgYDVR0lBEMwQQYIKwYBBQUHAwEGCCsGAQUFBwMDBgorBgEEAYI3CgMD
        BglghkgBhvhCBAEGCCsGAQUFBwMIBgorBgEEAYI3CgMCMA0GCSqGSIb3DQEBBAUA
        A4GBALIfbC0RQ9g4Zxf/Y8IA2jWm8Tt+jvFWPt5wT3n5k0orRAvbmTROVPHGSLw7
        oMNeapH1eRG5yn+erwqYazcoFXJ6AsIC5WUjAnClsSrHBCAnEn6rDU080F38xIQ3
        j1FBvwMOxAq/JR5eZZcBHlSpJad88Twfd7E+0fQcqgk+nnjH
        -----END CERTIFICATE-----

4.2.2.
ؾt@CÌàe

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number: 1516 (0x5ec)
                Signature Algorithm: md5WithRSAEncryption
                Issuer: C=US, O=Equifax Secure Inc, CN=Equifax Secure E-Business CA
                Validity
                    Not Before: Jul 12 15:21:01 2000 GMT
                    Not After : Jun 2 22:42:34 2001 GMT
                Subject: C=us, ST=ga, L=atlanta, O=Equifax, OU=Rick, CN=172.18.116.44/Email=richard.sigle@equifax.com
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                    RSA Public Key: (1024 bit)
                        Modulus (1024 bit):
                            00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
                            cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
                            03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
                            6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
                            a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
                            5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
                            12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
                            5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
                            d8:a9:e8:59:3c:c2:61:c5:b3
                        Exponent: 65537 (0x10001)
                X509v3 extensions:
                    X509v3 Key Usage: critical
                        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                    Netscape Cert Type:
                        SSL Server
                    X509v3 Authority Key Identifier:
                        keyid:5B:E0:A8:75:1C:78:02:47:71:AB:CE:27:32:E7:24:88:42:28:48:56
            Signature Algorithm: md5WithRSAEncryption
                87:53:74:e9:e1:a6:10:56:8c:fa:63:0e:7b:72:ff:76:4b:79:
                0e:49:2a:58:ed:71:7a:bf:77:61:fa:e8:74:04:37:8c:d3:6a:
                9a:3d:80:76:7a:c3:64:30:e7:1b:40:25:4e:2a:81:8b:e5:ac:
                76:a4:38:67:cc:3f:93:43:e1:1d:c3:8d:ba:ed:cc:d7:aa:a4:
                ab:d3:84:77:7c:8f:26:f6:dd:ba:3b:6a:99:81:e1:9e:7e:0f:
                ca:a6:ff:c0:c3:59:6e:dc:a6:03:23:bf:8f:24:ff:15:ad:ac:
                0d:85:fc:38:bf:d1:24:2d:1a:d3:72:55:12:95:5f:65:f0:60:
                df:b1

4.2.3.
駮t@C

        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,124F61450D85A480

        ELz64SV+tFSRybsHjY9NH7CP7yDHXP6xcd9FY6MVgQykTkq2h0n7j+tmpfUPbStT
        6jCgm/dTYM9mpkQ3jYZBALiVD5JNJ9t1dWisxQXY/nsak8LSTN7LhUtZSfk5xSmV
        Zsl4gwQS20UdBzFiJ+4qDajP/pzocSdSuQvxIHq7UzNwJsW8UYxR3I1qrDgyNXKS
        db41BWH4QdNtE0p+pi9VndDzXktqZGHEvtrQTV+39DV/dwOdnGBpYBETljMO5X6t
        D42xcVs0Doa1vZ6PiMCkwFNPXsPlKHZtHwEL4I3CQdiH4E0oYh3klBzlXBY4YldN
        A+s4xU44FpXp5xwt9nnVPUKHPo+NpdaRK7dAcRNO3GN3+ek1ggzvEjjuWKes3RQh
        PlHPuF7VWo4KeaTfTIwJWfGxz4nvwlVByPJ6Z73Mn0VcDXCkVm6+h3PLlYL0FMqM
        baUyQPpw6bhfW71FO/IIQxz3R1EqkxW7OHv74uuYl8kjHXf3S6qRZEGUG/zOGLGr
        mI5s2qnU69HlBObFkc6WQq0QxMq4PiUi7HhCLMkH8+wBsNNMnb75+7lQKkEhdOeE
        iUMKe5kgQqfd9w8jsBH5nu+J/nCfvPdp0isQW+P3/Rrh6YMwdKnlVfNZWdGiTzpQ
        ngThAGq5lit4uf4zdTIYYrs+T9I5ltjj0KgCUD4VL5/7OfnR3gcphpbHXQf0E2cz
        Qwq7q7ppKwCf/x92pHi8oVevlV5Dx9NQbGhEOA5pooqD6S2xZBbPLzkUKWDEO2il
        oBZ5L1jClR5jjdF2U61w7aRrL0t6luDU/aRv/fcoYes=
        -----END RSA PRIVATE KEY-----

4.2.4. 駮t@CÌàe

        read RSA key
        Enter PEM pass phrase:
        Private-Key: (1024 bit)
        modulus:
            00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
            cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
            03:7f:a9:ac:3e:58:6a:7a:e3:52:3e:1e:52:58:a2:
            6f:23:ad:bb:84:d8:88:ed:6d:a5:da:08:6b:c8:6c:
            a5:4c:34:67:d8:46:1c:ca:20:50:b0:e8:54:7f:ca:
            5e:ef:09:ff:6e:8d:a6:2b:02:f5:54:0f:c2:d0:45:
            12:ad:66:e7:8b:dd:68:be:64:a4:9b:69:bd:a4:1a:
            5a:2f:3b:6e:73:84:d8:d6:17:bd:12:39:34:fa:3d:
            d8:a9:e8:59:3c:c2:61:c5:b3
        publicExponent: 65537 (0x10001)
        privateExponent:
            00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f:
            d3:3d:69:0c:21:93:37:bf:2b:2c:da:e1:6c:74:48:
            cb:c7:0f:60:5f:50:74:8a:44:45:be:54:5c:5d:4e:
            45:58:f6:f1:a8:b5:af:46:f2:ec:c2:bc:43:bd:28:
            44:b7:ad:13:d3:ca:de:59:24:e8:fa:f8:e5:5f:45:
            38:2c:a0:a3:de:98:13:d8:80:38:e1:47:53:4c:ea:
            e4:66:c3:82:93:89:c3:90:83:44:e1:13:4f:74:76:
            e2:c0:89:97:77:5f:33:d8:7d:27:21:52:55:c2:d7:
            dc:01:f9:bc:21:8d:a3:f5:c1
        prime1:
            00:e3:2d:6b:5e:05:6b:e1:46:e6:ab:ae:f3:8b:d0:
            5f:94:5c:6f:f5:47:46:1d:4e:66:d3:7e:98:18:e0:
            2c:0d:08:ca:b7:29:72:af:53:62:30:ec:be:26:1f:
            cc:5a:ed:65:62:65:70:1e:18:19:61:e3:77:00:a7:
            3a:9e:4e:12:93
        prime2:
            00:e2:69:56:78:e8:39:ff:17:db:cc:39:d7:7f:70:
            41:dc:c5:59:43:16:c1:84:4c:ae:e7:5d:8a:c5:4b:
            da:88:8e:03:99:7c:88:f2:8a:13:31:57:44:e0:b5:
            c8:0a:60:b0:05:de:f6:9e:f2:00:ec:37:21:8d:3b:
            dc:8e:c9:d4:61
        exponent1:
            1a:ad:6a:be:4f:c4:ab:5f:b8:16:d1:24:a8:76:7f:
            c2:dc:58:09:65:a5:46:2b:be:c7:77:46:45:25:8e:
            06:b9:d1:94:50:b9:b6:fd:03:ba:db:12:39:47:e2:
            a7:8a:d9:2d:04:dc:75:ac:3e:ce:cf:f7:59:8c:49:
            c5:ed:45:21
        exponent2:
            2d:4e:fd:32:06:ef:0c:40:7f:08:d8:8e:6a:7f:51:
            7e:d7:b3:6c:3c:92:8f:62:35:22:31:d3:02:76:92:
            8d:ff:35:73:32:bb:c9:25:9e:7f:a2:42:33:61:cd:
            5d:5e:49:fb:72:ca:11:b6:c6:3e:7f:2d:e4:b0:95:
            0b:b2:12:21
        coefficient:
            50:52:09:22:cb:fb:b2:b8:58:85:ab:1d:82:b9:6e:
            d0:f6:dc:e8:ce:a6:5d:a1:ff:c8:4d:3b:2b:1c:19:
            64:f0:c4:4a:bc:b2:1d:2b:2d:09:59:83:a3:9a:89:
            f8:db:2c:2c:8a:bd:fd:a3:16:51:76:aa:ce:ea:85:
            6b:1c:9f:f7

4.3. Web T[oÌÄN®

EFuT[oðÄN®·éXNvgÍA¨»ç /usr/local/sbin©A/usr/sbin (httpd Æ¢¤XNvg¼Å)A é¢Í /usr/local/apache/bin (apachectl Æ¢¤XNvg¼Å) É éÅµå ¤B

SSL ðLøɵÄT[oðN®µÄ¢È¢ÈçAT[oðâ~µÄAN ®³¹éKvª èÜ·BJnAÄN®Aâ~̽ßÉA©ªpÌJX^}C Yµ½XNvgð¢Äà\¢Ü¹ñBSSL GWªN®·éÀèAâè Í èܹñB

R}hÍ |

        httpd stop
        httpd startssl
        httpd restart

é¢Í

        apachectl stop
        apachectl startssl
        apachectl restart

5. guV [eBO

¶µ¤éA 調Èâèð¢Â©¢Ä¨«Ü·B

5.1.
T[oÍN®µ½æ¤É©¦éªAZL ATCgÉANZXÅ«È¢

error_log t@Cð`FbNµÄ¾³¢B@[`zXgªG[ Oðæ¤ÉÝèµÄ¢È¢ÈçAl¦¼µ½ûª¢¢©àmêܹñBá ¦µ½ SSL @[`zXgÍAG[Ot@CÉo͵ܷB½ ªA2, 3 ÌxÆAOÌÅãÉG[ª èAî{IÉÍ駮ªØ¾ ÆêvµÈ¢AÆ¢¤àeŵå¤B

áF

        [Tue Nov 21 09:09:02 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 configured -- resuming normal operations
        [Tue Nov 21 09:09:16 2000] [notice] caught SIGTERM, shutting down
        [Tue Nov 21 14:39:54 2000] [notice] Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 configured -- resuming normal operations
        [Tue Nov 21 14:40:31 2000] [notice] caught SIGTERM, shutting down
        [Tue Nov 21 14:43:53 2000] [error] mod_ssl: Init: (esi.fin.equifax.com:443) Unable to configure RSA server private key (OpenSSL library error follows)
        [Tue Nov 21 14:43:53 2000] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

ãLÌG[bZ[Wð¾½ÈçAâèÍ®ÆؾªêvµÈ¢±ÆÅ ·BftHgÌ server.key t@CðgÁĢȢ±ÆðmFµÄ¾³ ¢BܽAhttpd.conf t@Cð`FbNµÄAfBNeBuª³µ¢é §®ÆؾðwµÄ¢é©ÌmFà·é׫ŷB

mF̽ßA駮Æؾ̮ª³mÅA¨Ý¢ÉÎðȵĢé±Æð ²×é±ÆàÅ«Ü·B±Ì½ßÉÍAºÌR}hðgÁÄ駮ð^[~ iEBhEÉ»µAÊÌEBhEÅؾð»µÄ¾³¢B är·éÌÍA®»ê¼êÌW [ÆÀÌÅ·B®ÌW [ÆÀ̪ ؾ̻êÆêv·éÈçÎA»ÌؾƮª³µÎÉÈÁÄ¢éÆ¢ ¦Ü·B

If all else fails, create a new private key, CSR or self-signed certificate. Before you do this, check your CA's re-issue policy. You may be charged for a re-issue.

To view the contents of the certificate:

        openssl x509 -noout -text -in filename.crt

To view the contents of the private key:

        openssl rsa -noout -text -in filename.key

5.2. Certificate Name Check Warning is issued by the client's browser

The most common cause for this is omitting the "www" at the beginning of the domain name when creating the CSR. The name defined by the "ServerName" directive for that virtual host must match the domain name presented by the certificate exactly or the browser will let the client know. The exception is a wild card certificate. A wild card certificate's domain name field would look like *.somedomain.com.
This enables you to use one certificate for any number of sub-domains of somedomain.com (e.g. host1.somedomain.com and host2.somedomain.com). 5.3. NCAgÌuEUÉAؾªM³êĢȢؾs@Ö If you are using a self-signed certificate, you will get this warning. Your clients will be given the option to trust your certificate or not. If you have a CA signed certificate and are getting the untrusted warning, you probably need to install their intermediate (root) certificate. 5.4. SSLEngine on is an un-recognized command (Apache ÌN®) ±ÌG[bZ[WÍAApache ÆêÉ ModSSL ðRpCµÈ©Á½ êɶµÜ·B@[`zXgÅ SSL ðg¤ÌÉAÊÌfBN eBuðg¤ SSL pbP[Wà èÜ·BÊÌfBNeBuðg¤pbP [WðgÁÄ¢éê±ÌG[bZ[Wðܽ©é±ÆÉÈèÜ·B 5.5. "PEM pXt[Y" ðYêĵܢAǤâÁÄ»êðÄÝè·é© mè½¢B ±ÌpXt[YðÄÝè·éû@Í èܹñBð·éÉÍApXt[ Yð¯¦Ä¨©AVµ¢é§®ð쬷鵩 èܹñB»¤·éÆAV µ¢Ø¾ðæ¾·é©AVµ¢©Ø¾ð쬷éKvªÅÄéÅµå ¤B 6. pêW FØ T[oâNCAgA[UÆ¢Á½lbg[Nã̶ÝðA¾m ɯêÅ éÆؾ·é±ÆBSSL ̶¬ÅÍAFØÍT[oÆNC Agɨ¯éؾÌÆßöð¢¢Ü·B ANZX§ä lbg[NÌæÖÌANZXð§À·é±ÆBÊí Apache ̶¬Å ÍA é URL ÖÌANZXð§À·é±ÆB ASY Àçê½èÅâèðð·é½ß̾Èè®A é¢ÍK¥ÌgB û̽ßÌASYÍAÊí cipher ÆÄÎêÜ·B(óF {¶ÅÍAcipher àÃAÈÇÆóµÄÜ·B) ؾ T[oâNCAgÆ¢Á½lbg[NGeBeBðFØ·éÌ ÉgíêéAf[^R[hBؾÍA»ÌLÒ (subject ÆÄÎ êÜ·) Ƽð·éؾs@Ö (issuer ÆÄÎêÜ·) ÉÖ· é X.509 ÌîñfÐAÁ¦ÄLÒÌé§®Æ CA ÉæÁÄì¬³ê ½¼ðÜÝÜ·Blbg[NGeBeBͱêç̼ðØ· éÌÉA CA Ìؾðg¢Ü·B FØ@Ö (CA) M³êÄ¢éæOÒ@ÖÅAlbg[NGeBeBªÀSÈèi ÅFسêé½ßÉA»Ìؾɼ·é̪ÚIÅ·B¼Ìlbg [NGeBeBͼð`FbNµÄA CA ªØ¾Ì^ÑèƵ ÄFسêÄ¢é±ÆðmF·é±ÆªÅ«Ü·B ؾ¼v (CSR) FØ@ÖÉño³êé¼³êĢȢؾÅA»Ì CA ؾÌé §®Å¼³êÜ·BCSR ͼ³êé±ÆÅ^ÌؾÆÈèÜ·B TCt@ f[^Ìû̽ßÉg¤ASYâVXeBá¦ÎADES, IDEA, RC4 ÈÇÅ·B(óF´¶Ì~XÆzèµÄóÉèðÁ¦Ä¢ Ü·) ö vCeLXgÉÃ@ð{µ½ÊB ÝèfBNeBu vO̮ɨ¢ÄA1 ÂÈã̤Êðì·éÝè½ ßBApache ̶¬ÅÍAÝèt@CÌÅÌJÉ çäé½ß ª«Ü·B û | ÎÌ NCAgÆT[oªAf[^Ìûƻɯ¶®ðp¢Ü ·B û | ñÎÌ ®ÌyA (öJ®Æ駮) Å\¬³êÜ·BPKI ÍñÎÌÃÅ·B fW^¼ û³ê½bZ[WÆÆàÉM³êéf[^ÅAì¬ÒÌؾð µAüâ³êĢȢ±ÆðmFµÜ·B HTTPS (ÀSÈ)nCp[eLXg]vgRÅAWorld Wide Web ɨ¯ éWÌû³ê½ÊMJjYÅ·B±êÍAÀÛÉÍPÈé HTTP over SSL Å·B bZ[W_CWFXg bZ[WÌnbV ÅAbZ[WÌàeª]ÉÏX³êÄ¢È ¢±ÆðmF·é½ßÉp³êÜ·B ÛFh~ (CÓÌæOÒ@Ö©çCÓÌÉmFÂ\È) U¢sÂ\ÈÖWÆA {¨Å é±Æª¢mxÅf¾Å«éFØÆÌoûɨ¢ÄAf[^ ̳T«ÆN¹ÆªØ¾³êÄ¢éT[rXB ±êÍûè@ÉæÁÄB¬³ê½Á¿ÅAÂl é¢ÍÀÌÉAf [^ÉÖ·éÁèÌs®ðæêÈ¢æ¤É·é (á¦ÎÛFÖ~âF 
Ø(o©)Ì@\A`±EÓuEÏCÈÇÌؾA é¢ÍL Ìؾ ÈÇ)B OpenSSL I[v\[XÌ SSL/TLS c[LbgÅ·B http://www.openssl.org/ <http://www.openssl.org/> QÆB pXt[Y 駮t@CðÛì·éPêâZ¶BFسêÈ¢[UªA»êç ðûÉg¤Ìðh¬Ü·B½¢Ä¢ÍATCt@[ÉεÄgíê éAû/»Ìé§Ì®ÆÈèÜ·B ½¶ û³êĢȢeLXgB 駮 öJ®ÃVXeɨ¯éé§Ì®ÅAÍ¢½bZ[WÌ» ÆAoÄ¢bZ[WÖ̼ÉgíêÜ·B öJ® öJ®ÃVXeãɨ¢ÄANÅàpÅ«é®ÅA»ÌLÒ¶ ÄbZ[WÌûÆA»ÌLÒÉæé¼Ì»ÉgíêÜ ·B öJ®Ã é®ðûAÊÌ®ð»Ég¤AñÎÌÈûVXe̤ âAvP[VBηé±êçÌ®Ìgª®yAð\¬µÜ ·BñÎÌÃÆàÄÎêÜ·B Secure Sockets Layer (SSL) êÊIÈÊMFØÆ TCP/IP lbg[NzµÌû̽ßÉAlb gXP[vR~ jP[VYÐÉæÁÄ쬳ê½vgRBÅ àL¼Èp@Í HTTPSA·Èí¿ HTTP over SSL Å·B ZbV SSL ÊMɨ¯éReLXgîñB SSLeay Eric A. Young <eay@aus.rsa.com> ªJµ½AÅÉ SSL/TLS ðÀ µ½CuBhttp://www.ssleay.org/ <http://www.ssleay.org/> QÆB ÎÌÃ@ ûƻ̼ûÉAPêÌ駮ðg¤A¤âAvP[V B gX|[gwZL eB (TLS) SSL ÌãpvgRÅAêÊIÈÊMFØÆ TCP/IP lbg[Nz µÌû̽ßÉAC^[lbgZp]cï (IETF) ÉæÁÄì¬ ³êܵ½B TLS Ìo[W 1 ÍASSL Ìo[W 3 ÆÙÆñ ǯêÅ·B jtH[\[XP[^ (URL) World Wide Web ãÌlXÈ\[XÌÊuð¦·A³K̯ÊqB àÁÆàL¼È URL ÌXL[ÍA http Å·BSSL Í https Æ¢¤ XL[ðp¢Ü·B X.509 ÛÊMA (ITU-T) ª§·éFØؾÌXL[ÅA SSL/TLS Ì FØÉp¢çêÜ·B ITU-T X.509 [CCI88c] ©ÍAX.509 ÌؾL@¾¯ÅÈ X.500 fBN gÌFØT[rXðè`µÜ·BX.509 ÌfBNgFØÍAé§ ®ÅàöJ®ÅàÀÂ\ÅAãÒÍöJ®Ø¾ÉîÃàÌÅ·B WÅÍAÁèÌûASYÍwè³êĢܹñªAWÉ ®·éQl¶ÅÍA RSA ASYÉ¢ÄྪȳêÄ¢ Ü·B
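The two checks from the troubleshooting sections 5.1 and 5.2 (does the private key belong to the certificate, and does ServerName match the certificate's CN), as an added example that is not part of this HOWTO: it parses the `openssl x509 -noout -text` and `openssl rsa -noout -text` dumps of the shape shown in 4.2.2 and 4.2.4, compares modulus and public exponent, and applies the exact-match rule with the wildcard exception. The dumps below are constructed (shortened, made-up modulus) and all function names are mine.

```python
import re

# Constructed dumps shaped like `openssl x509 -noout -text` (4.2.2) and
# `openssl rsa -noout -text` (4.2.4); the modulus is shortened and made up.
CERT_TEXT = """\
        Subject: C=us, O=Example, CN=www.somewhere.com/Email=someone@somewhere.com
        Subject Public Key Info:
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
                    cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
                Exponent: 65537 (0x10001)
"""
KEY_TEXT = """\
Private-Key: (1024 bit)
modulus:
    00:c8:eb:93:26:97:ca:00:ce:4c:e4:f3:fd:43:31:
    cd:53:ed:b4:8a:ad:93:84:dc:7a:48:39:b5:28:57:
publicExponent: 65537 (0x10001)
privateExponent:
    00:b6:57:7d:3b:58:24:1e:a9:1b:85:e9:9c:9e:5f:
"""
# Same key with one modulus byte changed: the "key values mismatch" case of 5.1.
OTHER_KEY_TEXT = KEY_TEXT.replace("00:c8:eb", "00:c9:eb")
HEX_LINE = re.compile(r"([0-9a-f]{2}:)*[0-9a-f]{2}:?")

def parse_rsa_text(text):
    """(modulus, public exponent) as ints; certificates say 'Modulus (n bit):' /
    'Exponent:', keys say 'modulus:' / 'publicExponent:'. Missing -> None."""
    hex_parts, exponent, in_modulus = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(?i)modulus( \(\d+ bit\))?:", line):
            in_modulus = True
            continue
        if in_modulus and HEX_LINE.fullmatch(line):
            hex_parts.append(line)
            continue
        in_modulus = False  # the first non-hex line ends the modulus block
        m = re.fullmatch(r"(?i)(public)?exponent:\s*(\d+).*", line)
        if m:
            exponent = int(m.group(2))
    modulus = int("".join(hex_parts).replace(":", ""), 16) if hex_parts else None
    return modulus, exponent

def key_matches_cert(cert_text, key_text):
    """Section 5.1: same modulus and same public exponent in both dumps."""
    cert = parse_rsa_text(cert_text)
    return None not in cert and cert == parse_rsa_text(key_text)

def subject_cn(cert_text):
    """CN from the Subject line; it may be followed by /Email=... as on this page."""
    m = re.search(r"Subject:.*?CN=([^,/\n]+)", cert_text)
    return m.group(1).strip() if m else None

def server_name_matches(server_name, cn):
    """Section 5.2: ServerName must equal the CN exactly, except that a wildcard
    CN such as *.somedomain.com covers exactly one label below somedomain.com."""
    server_name, cn = server_name.lower().rstrip("."), cn.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]  # ".somedomain.com"
        label = server_name[:-len(suffix)] if server_name.endswith(suffix) else ""
        return bool(label) and "." not in label
    return server_name == cn

def check_virtual_host(server_name, cert_text, key_text):
    """Both checks at once; returns the list of problems, empty when all is well."""
    problems = []
    if not key_matches_cert(cert_text, key_text):
        problems.append("key values mismatch")  # wording of the OpenSSL error in 5.1
    cn = subject_cn(cert_text)
    if cn is None or not server_name_matches(server_name, cn):
        problems.append("Certificate Name Check: ServerName %s, CN %s" % (server_name, cn))
    return problems
```

Feed it the real dumps from `openssl x509 -noout -text -in filename.crt` and `openssl rsa -noout -text -in filename.key` together with the ServerName of the virtual host to reproduce the diagnosis from section 5 without reading the hex by eye.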