Apache+SSL環境を構築する

aptitude show openssl
 
パッケージ: openssl
状態: インストール済み
自動的にインストールされた: yes
バージョン: 0.9.8g-15+lenny11
優先度: 任意
セクション: utils
メンテナ: Debian OpenSSL Team
<pkg-openssl-devel@lists.alioth.debian.org>
展開サイズ: 2408k
依存: libc6 (= 2.7-1), libssl0.9.8 (= 0.9.8f-5), zlib1g (= 1:1.1.4)
提案: ca-certificates
競合: ssleay ( 0.9.2b)
説明: Secure Socket Layer (SSL) バイナリおよび関連暗号化ツール
 本パッケージには、openssl バイナリおよび関連ツールが含まれます。 
 
 これは、OpenSSL による SSL の実装の一部です。 
 
 次のような暗号化操作を実行したい場合、本パッケージが必要です。
 * RSA、DH および DSA 鍵パラメータの作成;
 * X.509 認証、CSR および CRL の作成;
 * メッセージダイジェストの計算;
 * 暗号による暗号化並びに複号;
 * SSL/TLS クライアントおよびサーバのテスト;
 * S/MIME 署名又は暗号化されたメールの処理;
</pkg-openssl-devel@lists.alioth.debian.org>

バックアップ
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnfBAK
 
vi /etc/ssl/openssl.cnf
 
[ usr_cert ]
 
# These extensions are added when 'ca' signs a request.
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType                    = server
  ↓コメントを外す
nsCertType                    = server,client
 
：
：
[ v3_ca ]
 
# Extensions for a typical CA
 
# PKIX recommendation.
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
 
# Some might want this also
# nsCertType = sslCA, emailCA
  ↓コメントを外す
nsCertType = sslCA, emailCA

 cd /usr/lib/ssl/misc/
./CA.sh -newca
↑
これで作るとFireFoxとかでエラーになるので
これで作る
↓
cd /usr/lib/ssl/misc/
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/cakey.pem
 
出来たか確認
root@brokendish:/etc/apache2/ssl# pwd
/etc/apache2/ssl
root@brokendish:/etc/apache2/ssl# ll
合計 16
drwxr-xr-x 2 root root 4096 2011-06-21 00:50 .
drwxr-xr-x 8 root root 4096 2011-06-20 13:46 ..
lrwxrwxrwx 1 root root    9 2011-06-21 00:50 6Xe85a30 -> cakey.pem
-rw------- 1 root root 1522 2011-06-21 00:50 cakey.pem

openssl x509 -inform pem -in /etc/apache2/ssl/cakey.pem -outform der -out /home/hoge/ca.der

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/010-default-ssl
mv /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/BK-default-ssl

vi /etc/apache2/sites-available/010-default-ssl
 
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
 
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        SSLCertificateFile    /etc/apache2/ssl/cacert.crt
        SSLCertificateKeyFile /etc/apache2/ssl/cakey.pem
 
　　　　　　　↓
 
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        SSLCertificateFile    /etc/apache2/ssl/cakey.pem
        SSLCertificateKeyFile /etc/apache2/ssl/6Xe85a30

a2enmod ssl

a2dismod ssl

a2ensite 010-default-ssl

/etc/init.d/apache2 restart