Raible's Wiki
ApacheSSL


Difference between version 17 and version 1:

At line 7 changed 1 line.
<div style="float: right; margin-top: 20px;">
<!--
Changelog:
1.7.1 2006-11-16 Added default test certificate pass phrase
1.7.0 2005-12-29 Added "unknown protocol" issue and solution
1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial
1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications
1.6.7 2004-05-18 Moved to Wiki so users can edit when they find mistakes/updates
1.6.6 2003-12-30 Added user comments
1.6.5 2002-09-27 Added instructions for Linux
1.6.4 2002-09-26 Added information for Apache 2.0 and added a little formatting
1.6.3 2002-05-18 info about better not overwriting the configuration files
1.6.2 2002-05-10 more info about "couldn't load..."; apache 2 warning
1.6.1 2002-04-10 AddModule clarification, more debugging
1.6 2001-12-28 Windows XP information, common problems section
1.5.3 2001-11-27 Added link to French translation
1.5.2 2001-11-06 Added AddModule
1.5.1 2001-10-26 Added link to Spanish translation
1.5 2001-10-20 Lots of clarifications based on input from many people
1.4.4 2001-05-26 Added Peter Holm to the contributors
1.4.3 2001-05-25 "Port" directive commented out, some fixes for current versions
1.4.2 2001-04-06 Remark about .so files
1.4.1 2001-02-20 Success on ME
1.4 2001-01-28 Information about debugging connect errors
1.3.14 2000-12-28 Small fixes; right-click to download the openssl.cnf file
1.3.13 2000-12-19 Added feedback section
1.2.12 2000-11-21 Information about the languages I speak
1.2.11 2000-11-15 Removed outdated information about M$ IIS
1.2.10 2000-11-05 OpenSSL.exe fixes
1.2.9.2 2000-09-11 Minor tweaks, corrected HTML
1.2.9.1 2000-07-26 IfDefine Directive added, thanks to Torsten Stanienda
1.2.8 2000-05-09 OpenSSL -config corrected
1.2.7 2000-04-29 Peter Barany corrected my English
1.2.6 2000-04-28 Added info on converting the certificate to DER format for MSIE 4
1.2.5 2000-04-21 The HOWTO is now hosted on my on server. Updated the URL
Added -config parameter for openssl to work with the provided config file
1.2 2000-01-24 Christoph Zich tested the HOWTO on Windows 98
1.1 1999-10-22 Included Horst Brauner's openssl.conf file
1.0 Initial release
-->
At line 48 added 1 line.
<div style="float: right; margin-top: 20px;">
At line 12 changed 1 line.
google_ad_height = 60;
google_ad_height = 60;1
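Review bot: the trailing `1` in `google_ad_height = 60;1` looks like an accidental keystroke rather than an intended change. It parses as a no-op expression statement in JavaScript, so the ad script still runs, but the line should be reverted to `google_ad_height = 60;`.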
At line 26 changed 1 line.
<p>Version 1.6.5</p>
<p>Version 1.6.8 (changelog: view source)</p>
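Review bot: the visible version string is bumped to 1.6.8, but the changelog added at the top of this same revision runs to 1.7.1 (2006-11-16), so the two disagree. Update the `<p>Version …</p>` line to the newest changelog entry; otherwise readers cannot tell whether they are on the revision that added the pass-phrase note.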
At line 34 changed 1 line.
<a href="http://jfmoreau.ifrance.com/jfmoreau/Apache+SSL%20Win32%20HOWTO.htm">French
<a href="http://netsafe.free.fr/index.php?Chap=A1">French
At line 41 removed 1 line.
At line 82 added 3 lines.
%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%
At line 114 added 1 line.
At line 121 removed 3 lines.
<li><code>Listen 443</code> (So your server listens on the standard SSL
port)</li>
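Review bot: removing the `Listen 443` bullet drops the only place the page tells Apache to bind the SSL port, and nothing else in this revision replaces it. Keep the bullet unless the `ssl.conf` the reader is told to copy later is confirmed to carry its own `Listen 443`; without one of the two, `https://` connections are simply refused and the text gives no pointer to the cause.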
At line 140 removed 6 lines.
<p>Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>
and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.
(<span class="highlight">You can get the 2.0.42 version at <a href="http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip">http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip</a></span>, older packages
are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).
Download and unzip it to a new directory. </p>
At line 147 changed 3 lines.
If you need the newest version, you will have to compile it yourself if it is
not there. Don't ask me about it; I don't have it, I don't compile the versions
on modssl.org, and I don't have access to development tools on Win32.
If you want to compile the mod_ssl.so module, you can use the latest
sources, available at
<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a>
for Apache 1.3.x and included in Apache HTTP server sources,
accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)
for Apache 2.0.x.</p>
<p>For Windows, the precompiled module is available at
<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>
(where you will find there Apache 1.3 and 2.0 binaries with
the corresponding mod_ssl.so module versions included), while binaries for Linux are
included in the major Linux distributions.
</li>
</ul>
Apache Software Foundation mades a point in not offering the compiled binaries
for the SSL module, due to the export regulations for cryptographic software from USA.
Don&#39;t ask for binaries if they will not be available at the currently indicated locations.
Various ISVs provide free binaries for this module in various projects such as
<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere
Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.
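Review bot: several wording errors in the added text: `accesible` should be `accessible`, `mades a point in not offering` should be `makes a point of not offering`, and `where you will find there Apache 1.3 and 2.0 binaries` has a redundant `there`. More importantly, the paragraph itself says the ASF does not publish mod_ssl binaries and that the builds come from third-party sites; it should therefore tell readers to verify anything fetched from hunter.campbus.com or modssl.org/contrib against whatever checksum or signature the distributor publishes before installing it as a system service, and to prefer their Linux distribution's packages where those exist.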
At line 152 changed 2 lines.
<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>.
<p>OpenSSL is required for getting a certificate to use with your web server. You may
download its sources and compile it from
<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled
binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a>
for Windows and are included in major Linux distributions.</p>
<p>OpenSSL for Windows might also be obtained by downloading and installing
<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
<p><span class="highlight">Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>
(or in another folder mentioned in the PATH environment variable).
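Review bot: copying `ssleay32.dll` and `libeay32.dll` into `WINNT\System32` installs them for every program on the machine and can silently replace a copy some other application depends on. The paragraph already allows `another folder mentioned in the PATH`; the better recommendation is to put them beside `Apache.exe` in Apache's `bin` directory, which Windows searches before `System32` when loading DLLs, and to lead with that rather than with `System32`. Also `Put the files … to` should read `Put the files … in`.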
At line 157 changed 1 line.
<p>Download and install <strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
At line 159 changed 2 lines.
<p>You&#39;ll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already
exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.
<p>The following instructions are adapted from
<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
At line 162 changed 1 line.
</p><h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
<p>Open a shell window (Command Prompt in Windows) and change the current directory to
the directory where you have the openssl.exe file (openssl file for Linux).</p>
At line 164 changed 7 lines.
<p>The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
<p><code>openssl req -new -out server.csr</code><br />
This creates a certificate signing request and a private key. When asked
for <code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
The certificate belongs to this server name and browsers complain if the
name doesn&#39;t match.</p>
<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br />
This creates a certificate signing request (<code>server.csr</code>) and a
private key (<code>privkey.pem</code>), using the configuration
file that is provided with the binary distribution of OpenSSL or with
Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to
prompt for each detail of the certificate. When asked for
<code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
The certificate belongs to this server name and browsers complain if the
name doesn&#39;t match.</p>
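Review bot: `openssl req -config openssl.cnf -new -out server.csr` only writes the key to `privkey.pem` because that is the `default_keyfile` value in the stock `openssl.cnf`, and the key size comes from that file's `default_bits`, which is commonly 1024 in configs of this era. Since the text promises a specific filename, pass `-keyout privkey.pem` and `-newkey rsa:2048` explicitly so the result does not depend on whichever config file the reader happens to have. Also `will make the OpenSSL application to prompt` should be `makes the OpenSSL application prompt`.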
At line 172 changed 9 lines.
<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
This removes the passphrase from the private key. You MUST understand
what this means; <code>server.key</code> should be only readable by the
apache server and the administrator.<br />
You should delete the <code>.rnd</code> file because it contains the entropy
information for creating the key and could be used for cryptographic attacks
against your private key.</p>
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
-days 365</code><br />
<p style="margin-left: 20px; font-style: italic; color: green">
If you didn't provide a config file, OpenSSL will try to use the file specified
by the OPENSSL_CONF environment variable. This variable is usually not defined
and if you follow the instructions from the original tutorial (linked at the
top of this page), which does not use the <code>-conf</code> switch, you will
get an error about &quot;distinguished name&quot;. (Thanks to
<strong>Olivier Gambier</strong> for clearing this problem, using information from
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p>
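Review bot: the green note refers to `the -conf switch`, but the option is `-config`, as used in the command just above; fix the name so readers searching the text find the right flag. The rest of the note is correct: `req` reads `OPENSSL_CONF` when `-config` is absent and fails on the distinguished-name section when neither is set.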
At line 245 added 17 lines.
<p style="margin-left: 20px; font-style: italic; color: green">
On a Windows system, files with <code>cnf</code> extensions are treated as special files
(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless
of display settings, and the file will have a strongly modified context menu that
might prevent you from editing it and might mislead you to believe you don't have this file.
Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p>
<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
This removes the passphrase from the private key. You MUST understand
what this means; <code>server.key</code> should be only readable by the
Apache server and the administrator.<br />
You should delete the <code>.rnd</code> file because it contains the entropy
information for creating the key and could be used for cryptographic attacks
against your private key.</p>
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
-days 365</code><br />
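Review bot: the instruction that `server.key` should be only readable by the Apache server and the administrator gives no command for achieving it, and the `openssl rsa` step just above produced a key with no pass phrase at all. Add the concrete step: on Linux, `chmod 600 server.key` with the file owned by root (Apache reads it at startup before dropping privileges); on Windows, remove the inherited NTFS ACL entries so that only Administrators and the account the Apache service runs as keep read access. Without this, the unprotected key is readable by every local user.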
At line 191 changed 1 line.
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
At line 193 changed 4 lines.
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
and <code>server.crt</code> into it. <strong>For Linux</strong> create
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
and <code>server.crt</code> into it. <strong>For Linux</strong> create
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
At line 198 changed 8 lines.
<p style="margin-left: 20px; font-style: italic; color: green"><strong>Tip from Olivier Gambier</strong>:<br />
You can't create a certificate with openssl.exe without a config file
(you get an error about distinguished names).
Thus if the variable OPENSSL_CONF is not defined (and I didn't find it
in your doc, nor I found a conf file in the distrib I downloaded), you
must add:
"-config configfile"
to the certificate creation command, and create a valid "configfile"
<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p>
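Review bot: `The default pass phrase shipped with openssl.cnf is 'aaaa'` is ambiguous. The stock OpenSSL config sets no pass phrase (its `input_password`/`output_password` lines are commented out), so this must refer to the `openssl.cnf` this tutorial distributes; the changelog entry for 1.7.1 says a test pass phrase was added. Name the file, point at the directive that sets it, and state plainly that a pass phrase published in a tutorial protects nothing: a key encrypted with it must be treated as unencrypted, which is acceptable for a test certificate but must never be reused for a real one.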
At line 207 removed 4 lines.
I found the information, among with the error message meaning, from
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.
</p>
At line 226 changed 2 lines.
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
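Review bot: `--enable-ssh=shared` is a typo for `--enable-ssl=shared`. There is no `--enable-ssh` option in the Apache 2.0 configure script; configure ignores the unknown option with a warning and the build comes out without mod_ssl. This revision touches the line anyway (old and new text are identical apart from whitespace), so fix it here.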
At line 229 changed 1 line.
<p>In newer versions of the distribution, it could also be necessary to add<br />
<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br />
At line 231 changed 2 lines.
after the AddModule lines that are already in the config file.
(Not necessary for 2.0.42)</p>
after the AddModule lines that are already in the config file. </p>
At line 234 changed 5 lines.
<p>Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
(Right click -> Save Target As...). <span class="highlight">Make sure
and change the <code>DocumentRoot</code> and <code>ServerName</code> values
on lines 93 and 94.</span></p>
<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/.
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
(Right click -> Save Target As...). <span class="highlight">Make sure
and change the <code>DocumentRoot</code> and <code>ServerName</code> values
on lines 93 and 94.</span></p>
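Review bot: `ssl.conf` is not part of the OpenSSL distribution; it is Apache's SSL configuration file and ships with the Apache/mod_ssl package, so the hunk fixes `distrution` but keeps the wrong source. The reference to `lines 93 and 94` is also fragile across versions of the file; name the directives (`DocumentRoot` and `ServerName`) and say which `<VirtualHost>` block they sit in instead. Finally, a configuration file fetched from a `/tomcat/` URL over plain HTTP should be read through before use, since it is the file that will hold the certificate and key paths.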
At line 240 changed 1 line.
<p>Add the following to the end of <code>httpd.conf</code>:</p>
<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure and change <b>www.my-server.dom</b> in the example below.</span></p>
At line 254 changed 1 line.
SSLCertificateFile conf/ssl/server.cert
SSLCertificateFile conf/ssl/server.crt
At line 492 added 4 lines.
<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.
<br /><br />
A: Under the VirtualHost section you add to the httpd.conf, I had to change __&lt;VirtualHost www.myhost.com:443>__ to __&lt;VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.
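Review bot: the `Not sure why` has an answer worth recording next to the Q&A. Apache resolves the host name in `<VirtualHost www.myhost.com:443>` to an IP address at startup and applies that block only to connections arriving on that address. A connection reaching port 443 on any other address falls through to the main server, where `SSLEngine` is off, so Apache reads the TLS ClientHello as a malformed HTTP request and answers in plain text, which the browser reports as an unknown protocol. `<VirtualHost _default_:443>` matches every address, which is why it fixes the problem; the alternative is to put the literal IP address the server listens on in the `<VirtualHost>` line.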
At line 471 changed 1 line.
These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>
These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a>
