Windows + Apache 2.0 + SSL
1. Assumptions
This tutorial assumes that you already have Apache2 installed and working on a Windows server. I have Apache 2.0.50 installed on Windows Server 2003.

2. Needed Files
Files that you will need can be downloaded from this website. These are not necessarily the most up-to-date, but they worked for my install so I have included them here. You will need to download both Apache_2.0.52-Openssl_0.9.7e-Win32.zip and Openssl-0.9.7e-Win32.zip.

Unzip both of these files to separate folders.

3. Setting Up OpenSSL
Copy the files ssleay32.dll and libeay32.dll from the OpenSSL folder to WINNT\System32. Double-check that you copied the .dll files and not the .lib files.

You also need to download openssl.cnf into the same folder where you unzipped OpenSSL. Windows will hide the .cnf extension and show the file with a dial-up icon. Just ignore it and make sure you have the file in the right place.

Download ssl.conf and place it in the Apache2/conf directory.
4. Creating a test certificate
Open a command prompt. Navigate to where you unzipped OpenSSL.
openssl req -config openssl.cnf -new -out my-server.csr
You can replace my-server.csr with whatever you want as long as the extension is .csr. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means: anyone who can read my-server.key can use it, so the file should be readable only by the Apache server and the administrator. You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

Create a directory in the Apache folder named Apache2/conf/ssl and move my-server.key and my-server.cert into it.
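
The checks this step calls for, collected into one batch file as an added example (it is not part of the original tutorial). It confirms that the certificate was made from the key, prints the Common Name and expiry, restricts the key's ACL and deletes .rnd. The name check-ssl.bat is hypothetical, and the ACL step assumes the Apache service runs as LocalSystem.

```batch
@echo off
rem Added example, not part of the original tutorial.
rem Usage (from the OpenSSL folder): check-ssl.bat "<path to Apache2\conf\ssl>"
rem check-ssl.bat is a hypothetical name; the file names are the tutorial's.
setlocal
if "%~1"=="" goto usage
set "KEY=%~1\my-server.key"
set "CERT=%~1\my-server.cert"
if not exist "%KEY%" goto missing
if not exist "%CERT%" goto missing

rem 1. Certificate and key must carry the same RSA modulus (a public value).
openssl x509 -noout -modulus -in "%CERT%" > cert.mod
if errorlevel 1 goto fail
openssl rsa -noout -modulus -in "%KEY%" > key.mod
if errorlevel 1 goto fail
fc cert.mod key.mod > nul
if errorlevel 1 goto mismatch
echo OK: certificate matches private key

rem 2. Show the Common Name and expiry so they can be compared with the
rem    server name and the -days value used when signing.
openssl x509 -noout -subject -dates -in "%CERT%"

rem 3. Replace the key's ACL: full control for Administrators and SYSTEM only.
rem    Assumption: the Apache service runs as LocalSystem. If it runs under
rem    another account, grant that account read access (account:R) instead.
echo y| cacls "%KEY%" /G Administrators:F SYSTEM:F
cacls "%KEY%"

rem 4. Remove the seed file left in the current folder, as the tutorial advises.
if exist .rnd del .rnd
goto cleanup

:usage
echo Usage: %~n0 "path\to\Apache2\conf\ssl"
goto end
:missing
echo Key or certificate not found in %~1
goto end
:mismatch
echo MISMATCH: certificate was not created from this key
goto cleanup
:fail
echo openssl failed; is openssl.exe in this folder or on the PATH?
:cleanup
if exist cert.mod del cert.mod
if exist key.mod del key.mod
:end
endlocal
```

Run it after the files have been moved into Apache2/conf/ssl, so that the ACL is set on the key where Apache will read it.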
5. Configuring Apache and mod_ssl
Open the httpd.conf file and locate the LoadModule directives. Add

LoadModule ssl_module modules/mod_ssl.so
After </IfModule> add
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
In the VirtualHost directives add
<VirtualHost www.my-domain.com:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Open the ssl.conf file and set the correct www.my-domain.com and DocumentRoot. The path to the secure material goes between the quotation marks after DocumentRoot. So if your secure webpages are on your D: drive, in the folder called secure, the line should look like
DocumentRoot "D:/secure"
6. In closing...
If you have any questions please contact me at chris@thompsonbd.com. I also have to give credit to:
Balázs Bárány. His tutorial is over at http://tud.at/programm/apache-ssl-win32-howto.php3
Matt Raible. His tutorial is over at http://raibledesigns.com/wiki/Wiki.jsp?page=ApacheSSL
And the numerous people that have sent me emails saying that I forgot to mention to copy the openssl.exe file to the apache2/bin directory.