Last Update: "2008/09/01 17:39:07 makoto"

www

apache

rc.d

ttyp0:makoto@umax 11:57:43/050605(...3.99.3/All)> sudo cp /usr/pkg/share/examples/rc.d/apache /etc/rc.d
Password:

httpd.conf

start

ttyp0:makoto@umax 11:57:47/050605(...3.99.3/All)> sudo /etc/rc.d/apache start
Starting apache.

mkcert

mkcert, which creates the keys for SSL, is included in www/ap-ssl or www/apache2.
www/ap-ssl/PLIST:sbin/mkcert
www/ap-ssl/PLIST:share/doc/mod_ssl/README.mkcert
www/ap-ssl/PLIST:share/mod_ssl/gid-mkcert.sh
www/apache2/PLIST:sbin/mkcert
mkcert is a shell script, but neither man nor mkcert --help or the like gives any explanation. The correct way to display the usage is simply to type mkcert.
ttyp1:makoto@st4200 23:13:14/061225(/export/pkgsrc)> mkcert
Usage:
        mkcert.sh [-t type] [-a algo] [-c crtfile ] [-k keyfile] [-v]

Options:
        -t type         Type of certificates to generate.  Valid types are:
                            dummy      self-signed Snake Oil cert
                            test       test cert signed by Snake Oil CA
                            custom     custom cert signed by own CA
                            existing   existing cert

        -a algo         Signature algorithm for generated certificate.  Valid
                        algorithms are RSA or DSA.

        -c crtfile      Path to an existing certificate

        -k keyfile      Path to an existing key file

        -v              Display the certificate and key, then exit.

ttyp1:makoto@st4200 23:33:38/061225(/export/pkgsrc)> 
For example, start it as follows.
 sudo mkcert -t custom -a DSA
When it finishes successfully, the output looks like this.
RESULT: CA and Server Certification Files

o  /usr/pkg/etc/httpd/ssl.key/ca.key
   The PEM-encoded DSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  /usr/pkg/etc/httpd/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  /usr/pkg/etc/httpd/ssl.key/server.key
   The PEM-encoded DSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  /usr/pkg/etc/httpd/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  /usr/pkg/etc/httpd/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the /usr/pkg/etc/httpd/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.

ttyp1:makoto@st4200 23:54:59/061225(/export/pkgsrc)> 
This creates the following files.
ttyp2:root@rjn  17:37:32/080901(/usr/pkg)# find . -cmin -10 -ls
    512 Sep  1 17:36 ./etc/httpd/ssl.crt
   1424 Sep  1 17:36 ./etc/httpd/ssl.crt/ca.crt
   1383 Sep  1 17:36 ./etc/httpd/ssl.crt/server.crt
    512 Sep  1 17:36 ./etc/httpd/ssl.csr
    985 Sep  1 17:36 ./etc/httpd/ssl.csr/ca.csr
    976 Sep  1 17:36 ./etc/httpd/ssl.csr/server.csr
    512 Sep  1 17:37 ./etc/httpd/ssl.key
    736 Sep  1 17:37 ./etc/httpd/ssl.key/ca.key
    736 Sep  1 17:37 ./etc/httpd/ssl.key/server.key
    512 Sep  1 17:35 ./etc/httpd/ssl.prm
    455 Sep  1 17:35 ./etc/httpd/ssl.prm/ca.prm
    512 Sep  1 17:35 ./etc/httpd/ssl.crl
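
The mkcert output above says to keep ca.key and server.key private, but the find listing does not show file modes, so here is a check to run after mkcert finishes (an added example, not part of the original notes or of mod_ssl). The function names loose_keys and audit_ssl_keys are hypothetical; the default directory is the ssl.key path printed by mkcert above.

```shell
#!/bin/sh
# Added example: report private key files that anyone other than the owner can access.

# loose_keys DIR
#   Prints every *.key file under DIR that has any group or other
#   permission bit set. Only POSIX find primaries are used, so this
#   behaves the same with BSD find and GNU find.
loose_keys() {
    find "$1" -type f -name '*.key' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# audit_ssl_keys [DIR]
#   Returns 0 when no key file is exposed, 1 when at least one is
#   (the offending files are named on stderr), 2 when DIR is missing.
audit_ssl_keys() {
    dir=${1:-/usr/pkg/etc/httpd/ssl.key}
    if [ ! -d "$dir" ]; then
        echo "audit_ssl_keys: $dir is not a directory" >&2
        return 2
    fi
    found=$(loose_keys "$dir")
    if [ -n "$found" ]; then
        echo "private keys accessible beyond the owner:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}
```

Source the file and call audit_ssl_keys with no argument to check the directory mkcert wrote to; a file it reports can be tightened with chmod 600.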

startssl

For some reason,
sudo /etc/rc.d/apache startssl
does not work, so I use
sudo /usr/pkg/sbin/apachectl startssl
instead.