Enabling HTTPS (SSL) on Apache




This is how to enable HTTPS (SSL) on Apache.

The environment used was:
CentOS: 2.6.18-8.el5
Apache: 2.2.3

First, install mod_ssl.

# yum install mod_ssl
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
base                      100% |=========================| 1.1 kB    00:00
updates                   100% |=========================|  951 B    00:00
addons                    100% |=========================|  951 B    00:00
extras                    100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
primary.xml.gz            100% |=========================| 230 kB    00:00
updates   : ################################################## 463/463
Added 91 new packages, deleted 0 old in 3.22 seconds
primary.xml.gz            100% |=========================| 104 kB    00:00
extras    : ################################################## 361/361
Added 1 new packages, deleted 0 old in 1.22 seconds
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.2.3-11.el5_1.ce 100% |=========================|  12 kB    00:00
---> Package mod_ssl.i386 1:2.2.3-11.el5_1.centos.3 set to be updated
--> Running transaction check
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for distcache to pack into transaction set.
distcache-1.4.5-14.1.i386 100% |=========================| 8.8 kB    00:00
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 mod_ssl                 i386       1:2.2.3-11.el5_1.centos.3  updates            84 k
Installing for dependencies:
 distcache               i386       1.4.5-14.1       base              119 k

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 203 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): mod_ssl-2.2.3-11.e 100% |=========================|  84 kB    00:00
(2/2): distcache-1.4.5-14 100% |=========================| 119 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: distcache                    ######################### [1/2]
  Installing: mod_ssl                      ######################### [2/2]

Installed: mod_ssl.i386 1:2.2.3-11.el5_1.centos.3
Dependency Installed: distcache.i386 0:1.4.5-14.1
Complete!
#

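Next, create the server's private key.
The second command (openssl rsa) rewrites server.key without its passphrase, so from then on the file's permissions are the only thing protecting the key.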

# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
        /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.........................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase: [ enter a passphrase of your choice ]
Verifying - Enter pass phrase: [ enter a passphrase of your choice ]
#
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: [ the passphrase entered above ]
writing RSA key
#

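Next, create the server certificate using the private key above.
As the -x509 option in the command shows, the result is a self-signed certificate.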

# make server.crt
umask 77 ; \
        /usr/bin/openssl req -utf8 -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:[ any country code, e.g. JP ]
State or Province Name (full name) [Berkshire]:[ any state or prefecture name ]
Locality Name (eg, city) [Newbury]:[ any city or ward name ]
Organization Name (eg, company) [My Company Ltd]:[ any company name ]
Organizational Unit Name (eg, section) []:[ any organizational unit name ]
Common Name (eg, your name or your server's hostname) []:[ server name ]
Email Address []:[ any e-mail address ]
#

HTTPS (SSL) is now ready to use, so change the Apache configuration to use it.

Move the server's private key created above (server.key) to /etc/pki/tls/private.

# mv /etc/pki/tls/certs/server.key /etc/pki/tls/private

In /etc/httpd/conf.d/ssl.conf, between <VirtualHost> and </VirtualHost>,
edit SSLCertificateFile and SSLCertificateKeyFile as follows if they are present,
and add them if they are not.

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Restart httpd to apply the configuration.

Apache now listens on port 443,
and HTTPS (SSL) is available.
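
A follow-up check for the steps above, added here as an example and not part of the original article: it reads the two directives from inside <VirtualHost> in an ssl.conf, checks that the key file is closed to group and others, and, when openssl is installed, that the certificate was made from that key. The function names are this example's own; the path to ssl.conf is passed as the argument.

```shell
#!/bin/sh
# Added example (not from the original page): audit ssl.conf after the setup.

# Print the path given to directive $2 inside a <VirtualHost> block of file $1.
# Comment lines are skipped; directive names are matched case-insensitively.
ssl_path() {
    awk -v want="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        { line = tolower($0) }
        line ~ /^[ \t]*<virtualhost[ \t>]/ { in_vh = 1; next }
        line ~ /^[ \t]*<\/virtualhost/     { in_vh = 0; next }
        in_vh && tolower($1) == want       { gsub(/"/, "", $2); path = $2 }
        END { if (path != "") print path }' "$1"
}

# True when neither group nor others hold any permission bit on the key file.
key_mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the PEM key is still encrypted (traditional or PKCS#8 header).
key_has_passphrase() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY)' "$1"
}

# True when key $1 and certificate $2 carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Audit one ssl.conf; prints findings and returns 1 if there is any.
audit_ssl_conf() {
    key=$(ssl_path "$1" SSLCertificateKeyFile)
    crt=$(ssl_path "$1" SSLCertificateFile)
    [ -n "$key" ] && [ -n "$crt" ] || { echo "FINDING: directive missing in <VirtualHost>"; return 1; }
    [ -f "$key" ] && [ -f "$crt" ] || { echo "FINDING: key or certificate file not found"; return 1; }
    rc=0
    key_mode_is_private "$key" || { echo "FINDING: $key is accessible to group or others"; rc=1; }
    if key_has_passphrase "$key"; then
        echo "NOTE: $key still has a passphrase; httpd will prompt for it at start"
    elif command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$key" "$crt" || { echo "FINDING: $crt does not belong to $key"; rc=1; }
    fi
    return $rc
}
```

On the server from this article it would be run as root with audit_ssl_conf /etc/httpd/conf.d/ssl.conf.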