#contents

*Introduction [#ee5ad33d]

*CACert [#wbda2c08]

*Certificate for the Web [#e7ffefa5]
**Preparing the directory [#r40e7d33]
Prepare a directory in which to keep the keys (-p creates the missing parent directories as well).
 # mkdir -p /usr/local/certs/local.domain/ssl.key/
 # mkdir -p /usr/local/certs/local.domain/ssl.crt/
 # chmod 700 /usr/local/certs/local.domain/
 # cd /usr/local/certs/local.domain/

**Preparing the keys [#uad4fe3c]

***Private key [#w2dcd245]
 # openssl genrsa -rand /var/log/messages -des3 -out ./ssl.key/server.key 1024
You will be prompted to enter a passphrase here.

***Certificate signing request (CSR) [#c3c5f993]
 # openssl req -new -key ./ssl.key/server.key  -out ./ssl.key/server.csr
Here you enter your organization's information.
-Country Name (2 letter code) [AU]:~
The country name. For Japan, ''JP''.
-State or Province Name (full name) [Some-State]:~
The prefecture or state name. ''Ibaraki''
-Locality Name (eg, city) []:~
The city name. ''Tsukuba''
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:~
The organization name.
-Organizational Unit Name (eg, section) []:~
The department name within the organization. ''Admin''
-Common Name (eg, YOUR name) []:~
The server name, given as an FQDN. ''local.domain'' (if this name does not match the server's name, browsers and mail clients will raise errors)
-Email Address []:~
The administrator's e-mail address.
~

If a field is left blank, its default value is used.~
~
Finally, you are asked for the passphrase you specified earlier.

***Requesting and obtaining the server certificate [#acf4616e]
 # cat ./ssl.key/server.csr
Display the file's contents and copy them.

Next, paste the copied contents into the text box beneath '''Please paste the CSR below.''' and click '''Submit'''.
#ref(server_new_1.png)
After a short while, the following is displayed and the certificate is ready.
#ref(server_new_2.png)
Finally, save the displayed certificate to a file.~
Copy everything from '''-----BEGIN CERTIFICATE-----''' through '''-----END CERTIFICATE-----''' and paste it into an editor.
 # emacs ./ssl.crt/server.crt

***Removing the passphrase [#v0d3d348]
 # mv ./ssl.key/server.key ./ssl.key/server.key.org
 # openssl rsa -in ./ssl.key/server.key.org -out ./ssl.key/server.key

***Modifying httpd.conf [#o07ef248]
 # emacs /etc/httpd/conf/httpd.conf
Changes:
 # diff httpd.conf httpd.conf.org
 1088c1088
 < SSLCertificateFile /usr/local/certs/local.domain/ssl.crt/server.crt
 ---
 > SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 1096c1096
 < SSLCertificateKeyFile /usr/local/certs/local.domain/ssl.key/server.key
 ---
 > SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key


*Generating the certificate for mail [#y3a4fa03]
 # cd /usr/local/certs/local.domain/
 # (cat ./ssl.crt/server.crt ; cat ./ssl.key/server.key) > mail.pem

**Modifying the courier-imap configuration file [#rd663d46]
 # emacs /usr/lib/courier-imap/etc/imapd-ssl
Changes:
 # diff imapd-ssl imapd-ssl.dist
 149,150c149
 < TLS_CERTFILE=/usr/local/certs/local.domain/mail.pem
 < #TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem
 ---
 > TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem

After that, restart courier-imap.
 # /sbin/service courier-imap restart

***Caution [#k0efe2cd]
In the mail.pem file, make sure there is a line break at each boundary: after the certificate part, after the key part, and at the very end of the file.~

If these are missing, when courier-imap starts an error reading '''...:PEM_read_bio:bad end line''' appears in ''/var/log/maillog'' and the SSL versions of imap and pop fail to start. (To make matters worse, '''/sbin/service courier-imap restart''' prints no error message on the command line, which makes this awkward to spot.)

 -----BEGIN CERTIFICATE-----
 ...
 -----END CERTIFICATE-----[newline]
 -----BEGIN RSA PRIVATE KEY-----
 ...
 -----END RSA PRIVATE KEY-----[newline]
 [newline]
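As an added example (not from the original page), the rule in the note above in code: build_mail_pem() joins the certificate and key the way the one-liner above does but forces the line breaks, and pem_error() reports a file that lacks them the way PEM_read_bio does, as a "bad end line". The PEM bodies are constructed placeholders, not real key material.

```python
import re
from typing import Optional

# Constructed sample blocks with placeholder bodies (not real key material).
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBxTCCAW4CCQDplaceholder0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab==\n"
            "-----END CERTIFICATE-----")
KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
           "MIICXQIBAAKBgQplaceholder0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab=\n"
           "-----END RSA PRIVATE KEY-----")

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\n$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+\n$")


def build_mail_pem(cert_pem: str, key_pem: str) -> str:
    """Join certificate and key like the page's one-liner does, but force exactly
    one newline after each part so every END marker is followed by a newline and
    the file ends with one (the rule in the note above)."""
    return "".join(part.rstrip("\n") + "\n" for part in (cert_pem, key_pem))


def pem_error(data: str) -> Optional[str]:
    """Return the first problem found, or None if every block is well formed.
    Enforces the note's rule: after the base64 body the next line must be
    exactly '-----END <label>-----' followed by a newline. An END glued to the
    next BEGIN, or an END with no newline after it, is reported the way
    PEM_read_bio reports it: 'bad end line'."""
    lines = data.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            if lines[i].strip():
                return f"line {i + 1}: text outside a PEM block"
            i += 1  # a blank line between blocks is tolerated
            continue
        label = m.group(1)
        i += 1
        while i < len(lines) and BASE64_RE.match(lines[i]):
            i += 1  # skip the base64 body
        expected = f"-----END {label}-----\n"
        if i >= len(lines) or lines[i] != expected:
            got = lines[i].rstrip("\n") if i < len(lines) else "<EOF>"
            return f"line {i + 1}: bad end line: {got!r}"
        i += 1
    return None
```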

*References [#t7fec881]
http://www.fkimura.com/apache13.html~
http://www.aconus.com/~oyaji/www/certs_linux.htm~

RIGHT:2005-09-19 (Mon) 11:40:15
----