APACHE, MODSSL, OPENSSL, PHP, ORACLE_client, GD, MYSQL_client
on DEBIAN
Philippe Rolland Balzon
06/2002

apache ssl php oracle gd mysql

1. ORACLE client install for programmers: see http://prolland.free.fr/works/oracle/index.html
2. MySQL client: apt-get install mysql...dev (the client development package)
3. GD
4. The following approach is described in http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
5. Another document: http://rr.sans.org/authentic/web.php

install
// install apache, openssl, modssl, php, oracle (the tarballs are assumed to be in /usr/local)

cd /usr/local
tar -xvzf openssl-0.9.6d.tar.gz 
tar -xvzf apache_1.3.24.tar.gz 
tar -xvzf mod_ssl-2.8.8-1.3.24.tar.gz 
tar -xvzf php-4.2.1.tar.gz 

cd openssl-0.9.6d
./config
make
make install

cd ..
cd ssl/            // make install put OpenSSL in /usr/local/ssl
vi openssl.cnf     // adapt this file (the CA settings are described in the certificate section below)


cd ../mod_ssl-2.8.8-1.3.24
./configure --with-apache=../apache_1.3.24 --with-ssl=/usr/local/openssl-0.9.6d


cd ../apache_1.3.24
SSL_BASE=/usr/local/openssl-0.9.6d ./configure --prefix=/usr/local/apache

## be careful: --enable-track-vars must be added, it is needed to pass GET or POST data to scripts
## (PHP 4.2 also ships with register_globals off by default, so scripts read $_GET / $_POST rather than bare variables)
## to use a webmail such as NOCC you must install the IMAP (c-client) library
## for Debian: go to www.debian.org, click "Debian packages" on the left, and use the search at the bottom to find the package containing the file you are missing
## be careful: --with-imap and SSL do not work together, add --with-imap-ssl instead
cd ../php-4.2.1
CFLAGS='-O2 -I/usr/local/openssl-0.9.6d/include' ./configure --with-mysql --with-oracle=/usr/local/oracle/8i --with-gd --with-xml --with-oci8=/usr/local/oracle/8i --with-apache=../apache_1.3.24 --enable-track-vars --with-imap-ssl
make
make install


cd ../apache_1.3.24
SSL_BASE=/usr/local/openssl-0.9.6d ./configure --prefix=/usr/local/apache  --enable-module=ssl --activate-module=src/modules/php4/libphp4.a
make
## TYPE is one of dummy, test, custom, existing; with existing, point at your own files:
## make certificate TYPE=existing CRT=/path/to/your.crt KEY=/path/to/your.key
make certificate TYPE=custom
make install


vi /usr/local/apache/conf/httpd.conf       // adapt to your site
/usr/local/apache/bin/apachectl start      // plain HTTP only
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl   // starts with SSL enabled; mod_ssl asks for the passphrase if the server key has one



// CERTIFICATE AUTHORITY and SERVER CERTIFICATE
//
1. Certificate authority
2. Server certificate creation (public and private keys)
See the CNRS documentation (in French): http://www.dr15.cnrs.fr/Delegation/STI/Certifs/guide/

Install a version of OpenSSL.
The OpenSSL configuration file is installed automatically as
	/usr/local/ssl/openssl.cnf
(the CNRS guide gives /usr/local/ssl/lib/openssl.cnf; `openssl version -d` prints the directory your build actually uses)
Modify:
	dir = /usr/local/ssl/CA
	certificate = $dir/cacert.pem
	private_key = $dir/private/cakey.pem
	policy = policy_anything
	default_bits = 2048        ## the original guide used 512; 512-bit RSA keys can be factored, use 2048 or more
	nsCertType = client, email, server, objsign

Then a list of commands to run:

cd /usr/local/ssl/
mkdir CA
cd CA
echo 01 > serial            ## next serial number the CA will issue
cp /dev/null index.txt      ## empty CA database
mkdir certs crl private newcerts
## CA key (passphrase-protected, you are prompted for it) and self-signed CA certificate valid 1000 days
/usr/local/ssl/bin/openssl req -new -x509 -days 1000 -keyout private/cakey.pem -out cacert.pem
rm -f cacert.der
openssl x509 -in cacert.pem -out cacert.der -outform DER     ## DER copy for browsers that need it
cd /usr/local/ssl/CA/private
## server key: generate it, then strip the passphrase so Apache can start unattended
## (the original guide used 512 bits; use 2048 or more)
openssl genrsa -des3 -out tmp.key 2048
openssl rsa -in tmp.key -out serverkey.pem
chmod 400 serverkey.pem     ## the unencrypted key must be readable by root only
rm -f tmp.key
## certificate request for the server; the CN must be the hostname clients will use
## (-days is ignored by req without -x509, the validity is set when the CA signs)
openssl req -new -days 999 -key serverkey.pem -out newreq.pem
cd ../certs
openssl ca -out servercert.pem -infiles ../private/newreq.pem
=====================================================================================
============ This operation signs the certificate with the certificate authority.
============ You will be asked for the CA key's passphrase (PEM pass phrase).
=====================================================================================
cd ..
## the CNRS guide uses Red Hat paths (/etc/httpd/conf/ssl.key, ssl.crt); with the build above
## the directories are /usr/local/apache/conf/ssl.key and /usr/local/apache/conf/ssl.crt
cp -p private/serverkey.pem /usr/local/apache/conf/ssl.key/server.key
cp -p cacert.pem /usr/local/apache/conf/ssl.crt/ca.crt
cp -p certs/servercert.pem /usr/local/apache/conf/ssl.crt/server.crt
rm -f private/newreq.pem

## MOST IMPORTANT: run make in /usr/local/apache/conf/ssl.crt after each modification of the CA
## or server certificate; it rebuilds the hash symlinks mod_ssl uses to find CA certificates
cd /usr/local/apache/conf/ssl.crt
make



## Publish the CA certificate where browsers can fetch it (only ca.crt, never a key)
cd /usr/local/apache/htdocs/public/
mkdir CA
cp /usr/local/apache/conf/ssl.crt/ca.crt ./CA



## certificates for some clients or users
## -keyout and -out both point at newreq.pem: the file then holds the (passphrase-protected) key
## followed by the request, which is why pkcs12 -inkey can read the key from it afterwards.
## Generating the key on the CA host means the CA holds the user's private key; letting the
## user generate the key and send only the request avoids that.
cd /usr/local/ssl/CA
openssl req -new -keyout newreq.pem -out newreq.pem -days 365
openssl ca -out newcert.pem -infiles newreq.pem
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "nomade61" -clcerts -out "nomade61.p12"

## same for a second user
cd /usr/local/ssl/CA
openssl req -new -keyout newreq.pem -out newreq.pem -days 365
openssl ca -out newcert.pem -infiles newreq.pem
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "kaidara" -clcerts -out "kaidara.p12"
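The CA creation, server certificate and client .p12 steps above, as one runnable script. This is an added example, not the page's or the CNRS guide's own script: it keeps the page's req / ca / pkcs12 flow but uses 2048-bit RSA and SHA-256, writes a minimal openssl.cnf of its own instead of editing the installed one, and runs unattended (-batch, passphrases via pass:). The organisation, hostname, user name "nomade61", passphrases and scratch directory are constructed for the demo; only the openssl command is required.

```shell
#!/bin/sh
# Added example (not the page's own script): private CA -> server cert -> client .p12,
# following the page's commands with 2048-bit keys and SHA-256 instead of 512-bit keys.
# Names, directory and passphrases below are constructed for the demo.
set -eu

CA_PASS="${CA_PASS:-demo-ca-passphrase}"   # constructed; pass: is visible in ps, use file: or a prompt for real
P12_PASS="${P12_PASS:-demo-export-pass}"   # constructed; protects the user's .p12

# Create the CA directory layout (serial, index.txt, subdirs) and a minimal openssl.cnf.
setup_ca() {
    CA_DIR="$1"
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $CA_DIR/newcerts
database = $CA_DIR/index.txt
serial = $CA_DIR/serial
certificate = $CA_DIR/cacert.pem
private_key = $CA_DIR/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_anything
unique_subject = no
[ policy_anything ]
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # CA key stays passphrase-protected (page: -des3; AES-256 here); self-signed cert for 1000 days.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    chmod 400 "$CA_DIR/private/cakey.pem"
    openssl req -new -x509 -days 1000 -sha256 -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/O=Example Lab/CN=Example Lab Root CA" -out "$CA_DIR/cacert.pem"
}

# issue_cert CA_DIR OUT_PREFIX SUBJECT EXT_SECTION: key + request, then sign with the CA.
issue_cert() {
    ca_dir="$1"; out="$2"
    # Unencrypted key so Apache starts unattended (page: genrsa -des3, then openssl rsa).
    openssl genrsa -out "$out.key" 2048 2>/dev/null
    chmod 400 "$out.key"
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$out.key" -subj "$3" -out "$out.csr"
    # -batch skips the "Sign the certificate?" prompt; -notext writes PEM only, as Apache expects.
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin "pass:$CA_PASS" \
        -extensions "$4" -in "$out.csr" -out "$out.crt" 2>/dev/null
    rm -f "$out.csr"
}

# Bundle a user's certificate and key into a .p12 for browser import (page: nomade61.p12).
export_client_p12() {
    openssl pkcs12 -export -clcerts -in "$1.crt" -inkey "$1.key" -name "$2" \
        -passout "pass:$P12_PASS" -out "$1.p12"
}

# Checks on what was issued: chain back to this CA, subject CN, and extension text.
verify_chain()   { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }
cert_cn()        { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
cert_text_has()  { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Whole flow in a scratch directory; prints the directory so the caller can inspect it.
run_demo() {
    work=$(mktemp -d)
    setup_ca "$work/CA"
    issue_cert "$work/CA" "$work/server"   "/O=Example Lab/CN=www.example.test" v3_server
    issue_cert "$work/CA" "$work/nomade61" "/O=Example Lab/CN=nomade61"         v3_client
    export_client_p12 "$work/nomade61" nomade61
    verify_chain "$work/CA" "$work/server.crt"
    verify_chain "$work/CA" "$work/nomade61.crt"
    echo "$work"
}

DEMO_DIR=$(run_demo)
echo "CA, server.crt/server.key and nomade61.p12 written under $DEMO_DIR"
```

The files map onto the page's layout as follows: server.key goes to /usr/local/apache/conf/ssl.key/server.key, server.crt to conf/ssl.crt/server.crt, CA/cacert.pem to conf/ssl.crt/ca.crt (then run make in ssl.crt), and nomade61.p12 is handed to the user. The v3_server and v3_client sections are what keep a server certificate from being accepted as a client certificate and vice versa, which the page's nsCertType line approximates for Netscape-era browsers.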

## Browser installation (example: Netscape)
1. In Security Info, Signers: load the CA (certificate authority) from /usr/local/apache/htdocs/public/CA/ca.crt
2. Download nomade61.p12 or kaidara.p12 to your computer (for example over an FTP connection)
3. In Security Info, Yours: Import... and select the .p12 file (you are asked for the export password given to pkcs12)
4. Done

## Starting Apache
Before starting Apache, capture the Oracle environment (ORACLE_HOME and the other ORACLE_* variables) so that PHP's Oracle client finds it:
su oracle8i
env          ## note the ORACLE_* variables and export them in the shell that starts Apache
su root
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startssl


## How to add a static module to PHP/Apache after this installation while keeping all certificates
Go through the mod_ssl install again, without running make in /usr/local/apache/conf/ssl.crt, and with
make certificate TYPE=existing CRT=/path/to/your.crt KEY=/path/to/your.key


## How to serve ca.crt, i.e. the CA certificate
Over HTTP: place ca.crt in a public area, e.g. ./htdocs/CA/ca.crt, and
add the following line to httpd.conf:
AddType application/x-x509-ca-cert .crt

note: installing OpenSSL and Apache with mod_ssl adds this line automatically;
		if you serve the CA certificate from an Apache without mod_ssl, add the line yourself.