・Install apache 1.3.26 (mod_ssl 2.8.10)

$ tar xzf apache_1.3.26.tar.gz
$ tar xzf mod_ssl-2.8.10-1.3.26.tar.gz
$ cd mod_ssl-2.8.10-1.3.26
mod_ssl-2.8.10-1.3.26$ ./configure --with-apache=../apache_1.3.26 --with-ssl=/usr/local/ssl --prefix=/usr/local/apache-s

    Configuring mod_ssl/2.8.10 for Apache/1.3.26
     + Apache location: ../apache_1.3.26 (Version 1.3.26)
     + OpenSSL location: /usr/local/ssl
     + Auxiliary patch tool: ./etc/patch/patch (local)
     + Applying packages to Apache source tree:
       o Extended API (EAPI)
       o Distribution Documents
       o SSL Module Source
       o SSL Support
       o SSL Configuration Additions
       o SSL Module Documentation
       o Addons
    Done: source extension and patches successfully applied.

    Configuring for Apache, Version 1.3.26
     + using installation path layout: Apache (config.layout)
    Creating Makefile
    Creating Configuration.apaci in src
    Creating Makefile in src
     + configured for Linux platform
     + setting C compiler to gcc
     + setting C pre-processor to gcc -E
     + checking for system header files
     + adding selected modules
        o ssl_module uses ConfigStart/End
          + SSL interface: mod_ssl/2.8.10
          + SSL interface build type: OBJ
          + SSL interface compatibility: enabled
          + SSL interface experimental code: disabled
          + SSL interface conservative code: disabled
          + SSL interface vendor extensions: disabled
          + SSL interface plugin: Built-in SDBM
          + SSL library path: /usr/local/ssl
          + SSL library version: OpenSSL 0.9.6c 21 dec 2001
          + SSL library type: installed package (stand-alone)
     + enabling Extended API (EAPI)
     + using system Expat
     + checking sizeof various data types
     + doing sanity check on compiler and options
    Creating Makefile in src/support
    Creating Makefile in src/regex
    Creating Makefile in src/os/unix
    Creating Makefile in src/ap
    Creating Makefile in src/main
    Creating Makefile in src/modules/standard
    Creating Makefile in src/modules/ssl

    Now proceed with the following commands:
     $ cd ../apache_1.3.26
     $ make
     $ make certificate
     $ make install

mod_ssl-2.8.10-1.3.26$ cd ../apache_1.3.26
apache_1.3.26$ make

    (omitted)
    +---------------------------------------------------------------------+
    | Before you install the package you now should prepare the SSL       |
    | certificate system by running the 'make certificate' command.       |
    | For different situations the following variants are provided:       |
    |                                                                     |
    | % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
    | % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
    | % make certificate TYPE=custom   (custom cert signed by own CA)     |
    | % make certificate TYPE=existing (existing cert)                    |
    |        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
    |                                                                     |
    | Use TYPE=dummy    when you're a vendor package maintainer,          |
    | the TYPE=test     when you're an admin but want to do tests only,   |
    | the TYPE=custom   when you're an admin willing to run a real server |
    | and TYPE=existing when you're an admin who upgrades a server.       |
    | (The default is TYPE=test)                                          |
    |                                                                     |
    | Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
    | the signature algorithm used for the generated certificate.         |
    |                                                                     |
    | Use 'make certificate VIEW=1' to display the generated data.        |
    |                                                                     |
    | Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
    |                                          rse@engelschall.com        |
    |                                          www.engelschall.com        |
    +---------------------------------------------------------------------+
    make[1]: 出ます ディレクトリ `apache_1.3.26'
    <=== src

apache_1.3.26$ make certificate

    make[1]: 入ります ディレクトリ `apache_1.3.26/src'
    SSL Certificate Generation Utility (mkcert.sh)
    Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

    Generating test certificate signed by Snake Oil CA [TEST]
    WARNING: Do not use this for real-life/production systems
    ______________________________________________________________________

    STEP 0: Decide the signature algorithm used for certificate
    The generated X.509 CA certificate can contain either
    RSA or DSA based ingredients. Select the one you want to use.
    Signature Algorithm ((R)SA or (D)SA) [R]:[ENTER]
    ______________________________________________________________________

    STEP 1: Generating RSA private key (1024 bit) [server.key]
    49762 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    .......++++++
    .....++++++
    e is 65537 (0x10001)
    ______________________________________________________________________

    STEP 2: Generating X.509 certificate signing request [server.csr]
    Using configuration from .mkcert.cfg
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Country Name             (2 letter code) [XY]:JP
    2. State or Province Name   (full name)     [Snake Desert]:Saitama
    3. Locality Name            (eg, city)      [Snake Town]:Saitama-city
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Rouge Network
    5. Organizational Unit Name (eg, section)   [Webserver Team]:Internet Section
    6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:s.example.com
    7. Email Address            (eg, name@FQDN) [www@snakeoil.dom]:admin@s.example.com
    8. Certificate Validity     (days)          [365]:[ENTER]
    ______________________________________________________________________

    STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
    Certificate Version (1 or 3) [3]:[ENTER]
    Signature ok
    subject=        (split here because the line is too long; it is really one line)
        /C=JP
        /ST=Saitama
        /L=Saitama-city
        /O=Rouge Network
        /OU=Internet Section
        /CN=s.example.com
        /Email=admin@s.example.com
    Getting CA Private Key
    Verify: matching certificate & key modulus
    read RSA key
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: /C=XY        (split here because the line is too long; it is really one line)
        /ST=Snake Desert
        /L=Snake Town
        /O=Snake Oil, Ltd
        /OU=Certificate Authority
        /CN=Snake Oil CA
        /Email=ca@snakeoil.dom
    error 10 at 1 depth lookup:certificate has expired
    OK
    ______________________________________________________________________

    STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
    The contents of the server.key file (the generated private key) has to be
    kept secret. So we strongly recommend you to encrypt the server.key file
    with a Triple-DES cipher and a Pass Phrase.
    Encrypt the private key now? [Y/n]:[ENTER]
    read RSA key
    writing RSA key
    Enter PEM pass phrase:************        (enter the pass phrase)
    Verifying password - Enter PEM pass phrase:************        (enter the pass phrase again to confirm)
    Fine, you're using an encrypted RSA private key.
    ______________________________________________________________________

    RESULT: Server Certification Files

    o  conf/ssl.key/server.key
       The PEM-encoded RSA private key file which you configure
       with the 'SSLCertificateKeyFile' directive (automatically done
       when you install via APACI). KEEP THIS FILE PRIVATE!

    o  conf/ssl.crt/server.crt
       The PEM-encoded X.509 certificate file which you configure
       with the 'SSLCertificateFile' directive (automatically done
       when you install via APACI).

    o  conf/ssl.csr/server.csr
       The PEM-encoded X.509 certificate signing request file which
       you can send to an official Certificate Authority (CA) in order
       to request a real server certificate (signed by this CA instead
       of our demonstration-only Snake Oil CA) which later can replace
       the conf/ssl.crt/server.crt file.

    WARNING: Do not use this for real-life/production systems

    make[1]: 出ます ディレクトリ `apache_1.3.26/src'

apache_1.3.26$ su
apache_1.3.26# make install

    (omitted)
    +--------------------------------------------------------+
    | You now have successfully built and installed the      |
    | Apache 1.3 HTTP server. To verify that Apache actually |
    | works correctly you now should first check the         |
    | (initially created or preserved) configuration files   |
    |                                                        |
    |   /usr/local/apache-s/conf/httpd.conf                  |
    |                                                        |
    | and then you should be able to immediately fire up     |
    | Apache the first time by running:                      |
    |                                                        |
    |   /usr/local/apache-s/bin/apachectl start              |
    |                                                        |
    | Or when you want to run it with SSL enabled use:       |
    |                                                        |
    |   /usr/local/apache-s/bin/apachectl startssl           |
    |                                                        |
    | Thanks for using Apache.       The Apache Group        |
    |                                http://www.apache.org/  |
    +--------------------------------------------------------+

apache_1.3.26# exit
apache_1.3.26$ cd ..

・Rebuild apache with mod_perl

$ tar xzf mod_perl-1.27.tar.gz
$ cd mod_perl-1.27
mod_perl-1.27$ perl Makefile.PL USE_APACI=1 APACHE_PREFIX=/usr/local/apache-s EVERYTHING=1 ADD_MODULE=proxy,rewrite,auth_dbm,ssl

    Will configure via APACI
    Configure mod_perl with ../apache_1.3.26/src ? [y] [ENTER]
    Shall I build httpd in ../apache_1.3.26/src for you? [y] [ENTER]
    (omitted)

mod_perl-1.27$ make
mod_perl-1.27$ su
mod_perl-1.27# make install

    (omitted)
    +--------------------------------------------------------+
    | You now have successfully built and installed the      |
    | Apache 1.3 HTTP server. To verify that Apache actually |
    | works correctly you now should first check the         |
    | (initially created or preserved) configuration files   |
    |                                                        |
    |   /usr/local/apache-s/conf/httpd.conf                  |
    |                                                        |
    | and then you should be able to immediately fire up     |
    | Apache the first time by running:                      |
    |                                                        |
    |   /usr/local/apache-s/bin/apachectl start              |
    |                                                        |
    | Or when you want to run it with SSL enabled use:       |
    |                                                        |
    |   /usr/local/apache-s/bin/apachectl startssl           |
    |                                                        |
    | Thanks for using Apache.       The Apache Group        |
    |                                http://www.apache.org/  |
    +--------------------------------------------------------+
    make[1]: 出ます ディレクトリ `apache_1.3.26'
    Appending installation info to /usr/lib/perl5/5.6.0/i386-linux/perllocal.pod

mod_perl-1.27# /usr/local/apache-s/bin/apachectl startssl        (start apache in SSL mode)
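
The mkcert.sh output warns that the TYPE=test certificate is signed by the Snake Oil CA and is not for production, generates a 1024-bit RSA key, and says server.key must be kept private. The script below is an added example, not part of the original page or of mod_ssl, that checks an installed certificate and key for those conditions; the function names and the 2048-bit minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are made up
# here; the 2048-bit floor for RSA keys is an assumed policy.

# 0 if the PEM key is passphrase-protected (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# 0 if group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the issuer DN names mod_ssl's demonstration CA.
issuer_is_test_ca() {
    case "$1" in *"Snake Oil"*) return 0 ;; esac
    return 1
}

# Read 'openssl x509 -text' on stdin and print the public key size.
# Matches "RSA Public Key: (1024 bit)" and "Public-Key: (2048 bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# audit CRT KEY: print findings; exit status is the number of findings.
audit() {
    crt=$1; key=$2; n=0
    issuer=$(openssl x509 -in "$crt" -noout -issuer) || return 99
    bits=$(openssl x509 -in "$crt" -noout -text | key_bits)
    if issuer_is_test_ca "$issuer"; then
        echo "FAIL test certificate: $issuer"; n=$((n + 1)); fi
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL ${bits:-unknown}-bit public key"; n=$((n + 1)); fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL certificate has expired"; n=$((n + 1)); fi
    if ! key_is_encrypted "$key"; then
        echo "WARN private key is stored without a pass phrase"; n=$((n + 1)); fi
    if ! key_is_private "$key"; then
        echo "FAIL private key is accessible to group or other"; n=$((n + 1)); fi
    return "$n"
}

# Run only when given both paths: sh audit.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Saved under a name such as audit.sh (hypothetical) and pointed at conf/ssl.crt/server.crt and conf/ssl.key/server.key under /usr/local/apache-s, it reports at least the Snake Oil issuer and the 1024-bit key for the files generated on this page.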