Deploying InstantSSL

Deployment date

Deployment procedure

We ran apache 1.3 with mod-ssl on HP-UX and Linux (Debian) servers and installed 128 bit SSL Certificates.
  1. Creating a CSR
    % openssl req -new -nodes -keyout myserver.key -out server.csr
    Using configuration from /usr/lib/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ...........++++++
    ......++++++
    writing new private key to 'myserver.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: JP
    State or Province Name (full name) [Some-State]: Ibaraki
    Locality Name (eg, city) []: Tsukuba
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: RIKEN
    Organizational Unit Name (eg, section) []: HogeHoge
    Common Name (eg, YOUR name) []: www.brc.riken.jp
    Email Address []: hogehoge@hogehoge.brc.riken.jp
    
    Please enter the following 'extra' attributes to be sent with your certificate request
    
    A challenge password []: 
    An optional company name []:
    -----
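  2. Purchasing InstantSSL
    Paste the generated server.csr into the 'Copy and paste your CSR into this box' field on the purchase page.
    Pay by credit card.
  3. Registering site information
    Since we had no English-language corporate registration certificate, we logged in and wrote a site description into 'IdAuthority'. (Apparently it is also acceptable to translate the registration certificate into English and fax it.)
    Enter a suitable description of the web site and of the organization.
    This took about two weeks. (The second certificate, for www2.brc.riken.jp, was issued the same day.)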
  4. Installing a Certificate
    # cd /etc/apache
    # mkdir ssl.key ssl.crt
    # cd ssl.crt/
    Move all of the public key (certificate) files that arrived by e-mail from COMODO into this directory
    
    # ls
    ComodoSecurityServicesCA.crt  www_brc_riken_jp.crt
    GTECyberTrustGlobalRoot.crt
    
    # ln -s www_brc_riken_jp.crt server.crt
    # ln -s ComodoSecurityServicesCA.crt ca.crt
    # ls
    ComodoSecurityServicesCA.crt  ca.crt@      www_brc_riken_jp.crt
    GTECyberTrustGlobalRoot.crt   server.crt@
    
    # cd ../ssl.key/
    # cp [directory where the private key was created]/myserver.key server.key
    # chmod 400 server.key
  5. apache mod-ssl configuration
    Write the key and certificate locations at an appropriate place after <VirtualHost *:443>:
        SSLCertificateFile /etc/apache/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache/ssl.key/server.key
        SSLCACertificatePath /etc/apache/ssl.crt
        SSLCACertificateFile /etc/apache/ssl.crt/ca.crt
  6. Restarting apache
    # /etc/init.d/apache restart
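
The checks below are an added example, not part of the original page: run before the restart in step 6, they confirm that server.key is not accessible to group or other, that the RSA key meets a minimum size, and that the certificate (and CSR) carry the same public key as server.key. The function names, the `MIN_BITS` threshold of 2048 and the `www.example.test` sample name are assumptions of this example; the session in step 1 generated a 1024 bit key, which this check would flag.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run between step 4
# and the restart in step 6. Usage with the page's paths:
#   check_install /etc/apache/ssl.key/server.key /etc/apache/ssl.crt/server.crt

# Print the public key (PEM) carried by a private key, CSR or certificate.
pub_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# check_install KEY CRT [CSR]: returns 0 only if every check passes.
check_install() {
    key=$1 crt=$2 csr=${3:-} rc=0
    # 1. The key was written unencrypted (-nodes), so the file mode is its
    #    only protection: no group/other bits may be set (cf. chmod 400).
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other"; rc=1; }
    # 2. RSA key size. MIN_BITS is this example's assumption, not the page's.
    bits=$(openssl pkey -in "$key" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "${MIN_BITS:-2048}" ] ||
        { echo "FAIL: $key is ${bits:-?} bit, want >= ${MIN_BITS:-2048}"; rc=1; }
    # 3. The certificate (and the CSR, if given) must carry the public half
    #    of this key; a server.crt/server.key mismatch stops mod_ssl starting.
    kpub=$(pub_of key "$key") || kpub=
    [ -n "$kpub" ] && [ "$kpub" = "$(pub_of crt "$crt")" ] ||
        { echo "FAIL: $crt does not match $key"; rc=1; }
    [ -z "$csr" ] || [ "$kpub" = "$(pub_of csr "$csr")" ] ||
        { echo "FAIL: $csr does not match $key"; rc=1; }
    return $rc
}

# Constructed sample input: throwaway key, CSR and self-signed certificate
# for the placeholder name www.example.test, written into directory $1.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 1 -out "$1/server.crt" 2>/dev/null &&
    chmod 400 "$1/server.key"
}
```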