This page is a very terse set of instructions for:
A proper step-by-step guide is on the way, but for now this is what I have up. This is not for the faint of heart, and I won't provide much support for this yet.
----------------------------------------------------------------------------
Required RPMs
----------------------------------------------------------------------------
- expat-1.0-2 (for XML/WDDX support) (http://www.rpmfind.net/RPM)
- MySQL-3.22.25-1 (http://www.mysql.com)
- MySQL-client-3.22.25-1 (http://www.mysql.com)
- MySQL-devel-3.22.25-1 (http://www.mysql.com)
- imap-4.6-3 (http://www.rpmfind.net/RPM)
- imap-devel-4.6-3 (http://www.rpmfind.net/RPM)
----------------------------------------------------------------------------
Required TAR sources
----------------------------------------------------------------------------
- download openssl-0.9.4.tar.gz (http://www.openssl.org)
- download mod_ssl-2.4.2-1.3.9.tar.gz (http://www.modssl.org)
- download apache_1.3.9.tar.gz (http://www.apache.org)
- download php-3.0.12.tar.gz (http://www.php.net)
----------------------------------------------------------------------------
Extract Sources
----------------------------------------------------------------------------
$ tar -zxf openssl-0.9.4.tar.gz
$ tar -zxf mod_ssl-2.4.2-1.3.9.tar.gz
$ tar -zxf apache_1.3.9.tar.gz
$ tar -zxf php-3.0.12.tar.gz
----------------------------------------------------------------------------
Build OpenSSL (to /usr/local/ssl)
----------------------------------------------------------------------------
$ cd openssl-0.9.4
$ ./config -fpic
$ make
$ make test
$ su
# make install
# exit
$ cd ..
----------------------------------------------------------------------------
** REDHAT 6.0 USERS **
You have to modify the Apache source and remove the block of code containing
calls to ndbm; otherwise Apache won't compile. I'm not sure if you need to do
this with Apache 1.3.9, but you have to for Apache 1.3.6. For more details,
see the Redhat SRPM for Apache 1.3.6 and look at their patch files.
----------------------------------------------------------------------------
$ vi apache_1.3.9/src/helpers/find-dbm-lib
- take out the lines in the if-else block containing ndbm
----------------------------------------------------------------------------
Install mod_ssl
----------------------------------------------------------------------------
$ cd mod_ssl-2.4.2-1.3.9
$ ./configure \
    --with-apache=../apache_1.3.9 \
    --with-ssl=/usr/local/ssl \
    --prefix=/usr/local/apache \
    --datadir=/home/httpd \
    --enable-module=most \
    --enable-shared=max \
    --disable-module=auth_dbm \
    --disable-rule=SSL_COMPAT \
    --disable-rule=WANTHSREGEX
$ cd ..
----------------------------------------------------------------------------
Install Apache (to /usr/local/apache)
----------------------------------------------------------------------------
$ cd apache_1.3.9
$ make
$ make certificate TYPE=custom
$ su
# make install
# exit
$ cd ..
----------------------------------------------------------------------------
Configure and build PHP3 (with APXS)
----------------------------------------------------------------------------
$ cd php-3.0.12
$ ./configure \
    --with-apxs=/usr/local/apache/bin/apxs \
    --with-config-file-path=/usr/local/apache/conf \
    --enable-safe-mode \
    --enable-debug=no \
    --with-mysql \
    --with-xml \
    --with-system-regex \
    --with-imap
$ make
$ su
# make install
# cp php3.ini-dist /usr/local/apache/conf/php3.ini
# exit
$ cd ..
----------------------------------------------------------------------------
Files of Interest
----------------------------------------------------------------------------
/usr/local/apache/conf/php3.ini
/usr/local/apache/logs/*
/etc/logrotate.d/apache - Redhat users: create one to rotate your logs
/usr/local/ssl/*
See http://www.modssl.org/docs/2.3/ssl_faq.html for more info
----------------------------------------------------------------------------
Add OpenSSL to path
----------------------------------------------------------------------------
$ PATH=$PATH:/usr/local/ssl/bin
----------------------------------------------------------------------------
Create Certificate Authority (CA)
----------------------------------------------------------------------------
Create RSA private key
$ openssl genrsa -des3 -out ca.key 1024
- pass phrase used in this example: foo foo ba ba
Create self-signed CA certificate
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
------------------------------------------------------------------------
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Province
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:My Name
Email Address []:ca@mycompany.com
------------------------------------------------------------------------
----------------------------------------------------------------------------
Create SSL Certificate
----------------------------------------------------------------------------
Create RSA private key
$ openssl genrsa -des3 -out server.key 1024
- pass phrase used in this example: mary mary quite contrary
Decrypt private key (so that Apache can start w/o asking for password)
$ mv server.key server.key.secure
$ openssl rsa -in server.key.secure -out server.key
$ chmod 400 server.key
Since server.key is now stored unencrypted, anyone who can read it can
impersonate your site, so keep it readable by its owner only.
Create a Certificate Signing Request (CSR)
$ openssl req -new -days 365 -key server.key -out server.csr
------------------------------------------------------------------------
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Province
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:www.mycompany.com
Email Address []:webmaster@mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
------------------------------------------------------------------------
NOTE: The Common Name should be the exact hostname of your site, so if
your site is accessible via http://www.mycompany.com then the common
name should be www.mycompany.com. If these do not match, the user's
web browser will complain that the certificate name does not match the
hostname.
----------------------------------------------------------------------------
Sign SSL Certificate
----------------------------------------------------------------------------
Use the sign.sh script from the mod_ssl distribution (pkg.contrib/sign.sh)
$ sign.sh server.csr
------------------------------------------------------------------------
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Province'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
commonName :PRINTABLE:'www.mycompany.com'
emailAddress :IA5STRING:'webmaster@mycompany.com'
Certificate is to be certified until Jul 13 06:00:41 2000 GMT (365 days)
Sign the certificate? [y/n]:y
------------------------------------------------------------------------
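The CA, server key, CSR and signing steps above, scripted end to end as an added example (this is not code from the guide or from the mod_ssl distribution; it replaces sign.sh with openssl x509 -req). It assumes a modern openssl on PATH with a loadable default openssl.cnf, uses 2048-bit keys and a placeholder CA pass phrase, and finishes with the check a browser makes before it stops complaining: the certificate chains to ca.crt and its Common Name is exactly the hostname.

```shell
#!/bin/sh
# Added example, not part of the original guide: the CA -> key -> CSR -> signed
# certificate sequence, using openssl x509 -req in place of mod_ssl's sign.sh.
# Assumes a modern openssl on PATH and a default openssl.cnf it can load.
set -eu

WORK="${WORK:-./ssl-demo}"                 # scratch directory (constructed)
CA_PASS="${CA_PASS:-example-ca-pass}"      # placeholder pass phrase for ca.key
SUBJ_BASE="/C=CA/ST=Province/L=City/O=My Company/OU=My Org"

# CA: pass-phrase-protected RSA key plus a self-signed certificate (ca.crt).
make_ca() {
    mkdir -p "$WORK"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "$SUBJ_BASE/CN=My Name/emailAddress=ca@mycompany.com" \
        -out "$WORK/ca.crt"
}

# Server: unencrypted key (so Apache starts unattended, hence mode 400), a CSR
# whose CN is the exact hostname, and a certificate signed by the CA above.
make_server_cert() {
    host="$1"
    rm -f "$WORK/server.key"               # a previous 400-mode key blocks overwrite
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 400 "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" \
        -subj "$SUBJ_BASE/CN=$host/emailAddress=webmaster@mycompany.com" \
        -out "$WORK/server.csr"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt AND its CN equals the hostname,
# which is what the browser verifies against the URL it was given.
check_server_cert() {
    host="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$WORK/server.crt" \
        | sed -n 's/^ *CN=//p')
    [ "$cn" = "$host" ]
}

# Stand-alone run: a certificate for www.mycompany.com, then the check.
make_ca
make_server_cert www.mycompany.com
check_server_cert www.mycompany.com && echo "server.crt chains to ca.crt, CN matches"
```

Copy the resulting server.crt and server.key into the Apache ssl.crt and ssl.key directories exactly as in the next section.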
----------------------------------------------------------------------------
Use Certificates in Apache
----------------------------------------------------------------------------
Copy .crt and .key files to Apache directories
$ cp server.crt /usr/local/apache/conf/ssl.crt
$ cp server.key /usr/local/apache/conf/ssl.key
Edit httpd.conf, for example add:
<IfDefine SSL>
<VirtualHost 127.0.0.1:443>
DocumentRoot /home/httpd/private
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>