패키지 설치
apache 1.x 환경에서는 mod_ssl까지 설치, apache 2.x 환경에서는 mod_ssl 설치를 생략한다.
(apache 2.x 에는 기본적으로 mod_ssl 모듈이 포함되어 있음)
1. 패키지 설치
openssl: http://www.openssl.org/source/
mod_ssl: http://www.modssl.org/source/
# openssl
./config ; make ; make test ; make install;
# mod_ssl 컴파일
./configure --with-apache=../apache_1.3.37 --with-ssl=/usr/local/ssl;
여기서 --with-apache=../apache_1.3.37 은 소스 디렉토리를 말하며 (설치 디렉토리 아님)
mod_ssl 에 대하여 make, make install 은 할 필요가 없다.
apache-1.3.x 환경
1. 설치
# apache 컴파일
./configure --prefix=/usr/local/apache --enable-module=so --enable-shared=max ?enable-module=rewrite --enable-module=ssl --enable-shared=rewrite --enable-shared=ssl;
# make ; make certificate ; make install
# /etc/rc.d/init.d/apachectl에 아래내용삽입 과정
---------- /etc/rc.d/init.d/apachectl ----------
# chkconfig: - 92 92
# description: Apache Web Server
echo "--- /etc/rc.d/init.d/apachectl_smile ---" >> /usr/local/apache/bin/apachectl;
echo "# chkconfig: - 92 92 " >> /usr/local/apache/bin/apachectl;
echo "# description: Apache Web Server" >> /usr/local/apache/bin/apachectl;
cp /us r/local/apache/bin/apachectl /etc/rc.d/init.d/apachectl_smile;
chkconfig --add apachectl_smile;
chkconfig --level 345 apachectl_smile on;
------------------------------------------------
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
httpd.conf 위내용찾아서 아래줄에 아래내용삽입
AddType application/x-httpd-php .php .php3 .htm .html .phtml .cgi
AddType application/x-httpd-php-source .phps
<Directory "/home/*">
AllowOverride All
Options +ExecCGI
Order allow,deny
Allow from all
</Directory>
2. 설정
###### key / csr / crt 값생성 ######
# key생성
openssl genrsa -des3 1024 > /usr/local/apache/conf/localhost.key
혹은 openssl genrsa -des3 -out /usr/local/apache/conf/localhost.key 1024
openssl rsa -noout -text -in /usr/local/apache/conf/localhost.key
-> 암호입력 (인증서 설치시 필요)
# csr생성
# key를 받아서 csr생성시 아래내용수행 (ssl인증기관등에서 받은 키를 csr 생성)
openssl req -new -key /usr/local/apache/conf/localhost.key > /usr/local/apache/conf/localhost.csr
혹은
openssl req -new -key localhost.key -out localhost.csr > key 값 입력했던 암호입력 / 인증서를 신청하기위한 정보등을 입력해야함
openssl req -noout -text -in localhost.csr
# key / csr 은 백업본을 보관
# ssl인증기관에 인증서 신청시 필요한과정중 메일로 csr값을 보내야하는상황
cat /usr/local/apache/conf/localhost.csr
첫줄과 -----BEGIN NEW CERTIFICATE REQUEST-----
끝줄 -----END NEW CERTIFICATE REQUEST-----
까지 포함하여 복사후 메모장에 붙여넣기한후 해당파일을 ssl 인증기관업체 메일로 발송
# crt 생성
openssl req -x509 -days 365 -key /usr/local/apache/conf/localhost.key
-in /usr/local/apache/conf/localhost.csr > /usr/local/apache/conf/localhost.crt
# apache 설정
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
<VirtualHost 100.100.100.100:443>
DocumentRoot /home/abc/public_html
ServerName www.abc.com
ServerAlias abc.com
ServerAdmin root@abc.com
ErrorLog logs/abc.com-error_log
TransferLog logs/abc.com-access_log
SSLEngine on
SSLCertificateFile /home/abc/www.abc.com.crt
SSLCertificateKeyFile /home/abc/abc.key
SSLCACertificateFile /home/QuickTrustSSL_Bundle.crt
<Files ~ ".(cgi|shtml|phtml|php|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/home/abc/public_html">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
</VirtualHost>
apache-2.x 환경
1. 설치
./configure --prefix=/usr/local/apache --enable-modules=so --enable-mods-shared=all --enable-modules=shared --enable-ssl --enable-rewrite ;
make ;
make install ;
###### key / csr / crt 값생성 ######
1) key생성
관리를 위해 키파일을 모아놓을 디렉토리 생성
mkdir /usr/local/apache/conf/ssl
key생성
[root@ns /]# openssl genrsa -des3 1024 > /usr/local/apache/conf/ssl/adminplay.com.key
Generating RSA private key, 1024 bit long modulus
.........................................++++++
.....................................++++++
e is 65537 (0x10001)
Enter pass phrase:(암호입력)
Verifying - Enter pass phrase:(암호입력)
2) csr생성
key를 받아서 csr생성시 아래내용 수행
[root@ns /]# openssl req -new -key /usr/local/apache/conf/ssl/adminplay.com.key > /usr/local/apache/conf/ssl/adminplay.com.csr
Enter pass phrase for /usr/local/apache/conf/ssl/adminplay.com.key:(설정한 암호입력)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:Gyeonggi-do
Locality Name (eg, city) [Newbury]:Sujeong-gu
Organization Name (eg, company) [My Company Ltd]:Adminplay
Organizational Unit Name (eg, section) []:Adminplay
Common Name (eg, your name or your server's hostname) []:www.adminplay.com
Email Address []:dg_kim@naver.com
# ssl인증기관에 인증서 신청시 필요한과정중 메일로 csr값을 보내야하는상황
[root@ns /]# cat /usr/local/apache/conf/ssl/adminplay.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAktSMRQwEgYDVQQIEwtHeWVvbmdnaS1k
bzETMBEGA1UEBxMKU3VqZW9uZy1ndTESMBAGA1UEChMJQWRtaW5wbGF5MRIwEAYD
.
.
생략
.
.
kB0ErApRuF/EsAUnk7favGGMM0+08AZ2lVXydLLNlK10/76Qo8WGPWZlWEL0Jkko
PzLnJv60tQ4HZvh22ewPD125XG5EZVqZWKWmBwQC132/ejti9Oh4uRVWavAFqsHK
NZk=
-----END CERTIFICATE REQUEST-----
첫줄과 -----BEGIN NEW CERTIFICATE REQUEST-----
끝줄 -----END NEW CERTIFICATE REQUEST-----
까지 포함하여 복사후 메모장에 붙여넣기한후 해당파일을 ssl 인증기관업체 메일로 발송
######### 등록 ###################
보안서버 를 검색 여러곳에서 SSL 등록을 행하고 있다..
등록및 인증서를 발급받는다..
3) 임시 crt 생성 (서버 자체에서 임시 인증서 생성 - test 목적)
openssl req -x509 -days 365 -key /usr/local/apache/conf/ssl/adminplay.com.key -in /usr/local/apache/conf/ssl/adminplay.com.csr > /usr/local/apache/conf/ssl/adminplay.com.crt
2. 실행
apachectl startssl 시 암호입력없이 하는 방법
sslPassPhraseDialog build -> sslPassPhraseDialog exec:/filename 으로 변경하고 filename 에 아래내용을 넣는다.
#!/bin/sh echo password(ssl시작시암호)
