Installation notes on mod_ssl (2002/06/21)
 

Environment used

・Done on Intel-Solaris8 (2/02 release), with GNU make and GNU patch installed.

・The apache that ships with the OS was removed.

・Used apache-1.3.26 (recompiled so that DSO can be used).

・OpenSSL (source) is required.
・A random-number device (ANDIrand) is required.

What mod_ssl is

A module that adds a secure port (https) to Apache.

  Home page : mod_ssl

  Reference : fkimura's home page

  Reference : Making Apache SSL-capable and configuring the environment (IT@)

  Reference : Apache+mod-ssl (SSL-encrypted Apache)

Setup procedure

1. Install mod_ssl (openssl must already be installed).

% cd /opt/local/src
% wget http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz
% gzip -cd mod_ssl-2.8.9-1.3.26.tar.gz | tar xf -
% cd mod_ssl-2.8.9-1.3.26
% ./configure --with-apache=../apache_1.3.26 --with-ssl=../openssl-0.9.6c
   If it succeeds, a message like the following appears:

   Creating Makefile in src/support
   Creating Makefile in src/os/unix
   Creating Makefile in src/ap
   Creating Makefile in src/main
   Creating Makefile in src/modules/standard
   Creating Makefile in src/modules/ssl

   Now proceed with the following commands:
    $ cd ../apache_1.3.26
    $ make
    $ make certificate
    $ make install

2. Recompile Apache. Note: do not run make install yet.

% cd /opt/local/src/apache_1.3.26
% env SSL_BASE=/opt/local/src/openssl-0.9.6c env CFLAGS=-O3 \
    ./configure --prefix=/opt/local/apache \
         --enable-module=most --enable-shared=max \
         --enable-module=ssl
% make

3. Issue the certificate.

% make certificate

4. To issue the certificate, answer a few questions. The text after each prompt's colon is what I answered (it was shown in red on the original page).

make[1]: Entering directory `/opt/local/src/apache_1.3.26/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R
______________________________________________________________________

STEP 1: Generating RSA private key (1024 bit) [server.key]
1559677 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..................++++++
...............++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name) [Snake Desert]:Tokyo
3. Locality Name            (eg, city) [Snake Town]:Akasaka
4. Organization Name        (eg, company) [Snake Oil, Ltd]:Hoge
5. Organizational Unit Name (eg, section) [Webserver Team]:Network Administrator
6. Common Name              (eg, FQDN) [www.snakeoil.dom]:www.sea-bird.org
7. Email Address            (eg, name@FQDN) [www@snakeoil.dom]:webmaster@sea-bird.org
8. Certificate Validity     (days) [365]:1000
______________________________________________________________________

STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=JP/ST=Tokyo/L=Setagaya/O=rain/OU=Network Administrator/CN=www.sea-bird.org/Email=webmaster@sea-bird.org
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/Email=ca@snakeoil.dom
error 10 at 1 depth lookup:certificate has expired
OK
______________________________________________________________________

STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:Y
read RSA key
writing RSA key
Enter PEM pass phrase: ← the string used when creating the certificate (be sure to remember it)
Verifying password - Enter PEM pass phrase: ← enter the same string again
Fine, you're using an encrypted RSA private key.
______________________________________________________________________

RESULT: Server Certification Files

o conf/ssl.key/server.key
  The PEM-encoded RSA private key file which you configure
  with the 'SSLCertificateKeyFile' directive (automatically done
  when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt
  The PEM-encoded X.509 certificate file which you configure
  with the 'SSLCertificateFile' directive (automatically done
  when you install via APACI).

o conf/ssl.csr/server.csr
  The PEM-encoded X.509 certificate signing request file which
  you can send to an official Certificate Authority (CA) in order
  to request a real server certificate (signed by this CA instead
  of our demonstration-only Snake Oil CA) which later can replace
  the conf/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems

make[1]: Leaving directory `/opt/local/src/apache_1.3.23/src'

5. Reinstall Apache and create the document root directory for SSL.

% su
# make install
# cd /opt/local/apache
# mkdir ssl-cgi-bin

6. Edit the httpd.conf file.

% su
# cd /opt/local/apache/conf
# vi httpd.conf
   LoadModule ssl_module libexec/libssl.so
   AddModule mod_ssl.c
   #
   # Listen: Allows you to bind Apache to specific IP addresses and/or
   # ports, in addition to the default. See also the <VirtualHost>
   # directive.
   #
   #Listen 3000
   #Listen 12.34.56.78:80
   Listen 80

   # Apache+mod-ssl
   Listen 443
   <VirtualHost _default_:443>
      DocumentRoot "/opt/local/apache/ssl-cgi-bin"
      SSLEngine On
      SSLCertificateKeyFile /opt/local/apache/conf/ssl.key/server.key
      SSLCertificateFile /opt/local/apache/conf/ssl.crt/server.crt
      CustomLog /opt/local/apache/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>

7. Decrypt the private key (so Apache can start without prompting for the pass phrase).

% su
# cd /opt/local/apache/conf/ssl.key
# mv server.key default_server.key
# /usr/local/bin/openssl rsa -in default_server.key -out server.key
read RSA key
Enter PEM pass phrase: ← enter the string you typed when creating the certificate
writing RSA key
# chmod 400 server.key
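An added check for the key handled in steps 4 and 7 (example code, not from the original memo): a key written by mkcert.sh still carries the OpenSSL PEM headers "Proc-Type: 4,ENCRYPTED" and "DEK-Info: DES-EDE3-CBC"; after the openssl rsa step those headers are gone and the key is plaintext, so the chmod 400 above is all that protects it. The script reports which state a key file is in and whether a plaintext key has the 0400 mode; the path argument is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original memo): audit a mod_ssl server key.
# - encrypted key: still carries the pass-phrase headers from mkcert.sh STEP 4,
#   so "apachectl startssl" will prompt for the pass phrase.
# - plaintext key: produced by "openssl rsa -in ... -out server.key" (step 7);
#   must then have the 0400 mode the memo sets, otherwise report a problem.
# The key path is an assumption; the memo uses conf/ssl.key/server.key.

key_is_encrypted() {
  # 0 if the PEM file still carries OpenSSL's traditional encryption headers
  grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info: ' "$1"
}

key_mode() {
  # permission column of ls -l, e.g. -r-------- (portable across ls flavours)
  ls -ld "$1" | cut -c1-10
}

audit_server_key() {
  key="$1"
  if [ ! -f "$key" ]; then
    echo "missing: $key"
    return 1
  fi
  if ! grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$key"; then
    echo "not a PEM RSA private key: $key"
    return 1
  fi
  if key_is_encrypted "$key"; then
    echo "encrypted key: $key (startssl will ask for the pass phrase)"
    return 0
  fi
  mode=$(key_mode "$key")
  case "$mode" in
    -r--------)
      echo "plaintext key, mode 0400 ok: $key"
      return 0 ;;
    *)
      echo "plaintext key is not mode 0400 ($mode): $key"
      return 1 ;;
  esac
}

# usage: audit_server_key /opt/local/apache/conf/ssl.key/server.key
```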

8. Try starting ssl-apache ..... but

# /opt/local/apache/bin/apachectl startssl
   [Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/libdav.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
   [Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/mod_encmssjis.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
   [Sun Mar 17 16:18:47 2002] [warn] Loaded DSO libexec/libphp4.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)

Huh? The mod_ stuff might crash? Is it broken? What's going on?

9. Apparently, when you put in mod_ssl, the other modules have to be recompiled with "-DEAPI" added ... tears

mod_dav
  % cd /opt/local/src/mod_dav-1.0.3-1.3.6
  % env CFLAGS="-O3 -DEAPI" \
      ./configure --with-apxs=/opt/local/apache/bin/apxs \
        --with-apache=/opt/local/apache --with-expat=/usr/local
  % make
  % su
  # make install

mod_encmssjis
  % cd /opt/local/src/mod_encmssjis
  % env CFLAGS="-O3 -DEAPI" /opt/local/apache/bin/apxs -c mod_encmssjis.c
  % su
  # /opt/local/apache/bin/apxs -i mod_encmssjis.so

mod_php4
  % cd /opt/local/src/php-4.1.2
  % env CFLAGS="-O3 -DEAPI" \
      ./configure --with-pgsql --with-apxs=/opt/local/apache/bin/apxs \
        --with-pgsql=/opt/local/pgsql

10. Pulling myself together ... try starting ssl-apache again ..... and again (>_<)

# /opt/local/apache/bin/apachectl startssl
  [Sun Mar 17 18:02:00 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
  [Sun Mar 17 18:02:00 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
  [Sun Mar 17 18:02:00 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

No random-number device? Huh?

11. Three minutes of searching ... found it. Intel-Solaris8 apparently has no random-number device. Nothing for it; let's install ANDIrand.

% cd /opt/local/pkg
% wget http://www.cosy.sbg.ac.at/~andi/SUNrand/pkg/ANDIrand-0.7-5.8-x86-1.pkg
# pkgadd -d ANDIrand-0.7-5.8-x86-1.pkg

12. Third time (^◇^)  This time it came up ok. The browser asks "this site's certificate hasn't been properly issued, it might be dangerous, are you sure?", but I just clicked OK. It's accessible, isn't it.

https://localhost/