Raible's Wiki: ApacheSSL

At line 7 changed 1 line.

<!--

Changelog:

1.7.1 2006-11-16 Added default test certificate pass phrase

1.7.0 2005-12-29 Added "unknown protocol" issue and solution

1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial

1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications

1.6.7 2004-05-18 Moved to Wiki so users can edit when they find mistakes/updates

1.6.6 2003-12-30 Added user comments

1.6.5 2002-09-27 Added instructions for Linux

1.6.4 2002-09-26 Added information for Apache 2.0 and added a little formatting

1.6.3 2002-05-18 info about better not overwriting the configuration files

1.6.2 2002-05-10 more info about "couldn't load..."; apache 2 warning

1.6.1 2002-04-10 AddModule clarification, more debugging

1.6 2001-12-28 Windows XP information, common problems section

1.5.3 2001-11-27 Added link to French translation

1.5.2 2001-11-06 Added AddModule

1.5.1 2001-10-26 Added link to Spanish translation

1.5 2001-10-20 Lots of clarifications based on input from many people

1.4.4 2001-05-26 Added Peter Holm to the contributors

1.4.3 2001-05-25 "Port" directive commented out, some fixes for current versions

1.4.2 2001-04-06 Remark about .so files

1.4.1 2001-02-20 Success on ME

1.4 2001-01-28 Information about debugging connect errors

1.3.14 2000-12-28 Small fixes; right-click to download the openssl.cnf file

1.3.13 2000-12-19 Added feedback section

1.2.12 2000-11-21 Information about the languages I speak

1.2.11 2000-11-15 Removed outdated information about M$ IIS

1.2.10 2000-11-05 OpenSSL.exe fixes

1.2.9.2 2000-09-11 Minor tweaks, corrected HTML

1.2.9.1 2000-07-26 IfDefine Directive added, thanks to Torsten Stanienda

1.2.8 2000-05-09 OpenSSL -config corrected

1.2.7 2000-04-29 Peter Barany corrected my English

1.2.6 2000-04-28 Added info on converting the certificate to DER format for MSIE 4

1.2.5 2000-04-21 The HOWTO is now hosted on my on server. Updated the URL

Added -config parameter for openssl to work with the provided config file

1.2 2000-01-24 Christoph Zich tested the HOWTO on Windows 98

1.1 1999-10-22 Included Horst Brauner's openssl.conf file

1.0 Initial release

-->

At line 48 added 1 line.

At line 12 changed 1 line.

google_ad_height = 60;

google_ad_height = 60;1

At line 26 changed 1 line.

Version 1.6.5

Version 1.6.8 (changelog: view source)

At line 34 changed 1 line.

<a href="http://jfmoreau.ifrance.com/jfmoreau/Apache+SSL%20Win32%20HOWTO.htm">French

<a href="http://netsafe.free.fr/index.php?Chap=A1">French

At line 41 removed 1 line.

At line 82 added 3 lines.

%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%

At line 114 added 1 line.

At line 121 removed 3 lines.

<li><code>Listen 443</code> (So your server listens on the standard SSL

port)</li>

At line 140 removed 6 lines.

Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>

and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.

(You can get the 2.0.42 version at <a href="http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip">http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip</a>, older packages

are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).

Download and unzip it to a new directory.

At line 147 changed 3 lines.

If you need the newest version, you will have to compile it yourself if it is

not there. Don't ask me about it; I don't have it, I don't compile the versions

on modssl.org, and I don't have access to development tools on Win32.

If you want to compile the mod_ssl.so module, you can use the latest

sources, available at

<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a>

for Apache 1.3.x and included in Apache HTTP server sources,

accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)

for Apache 2.0.x.

For Windows, the precompiled module is available at

<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>

(where you will find there Apache 1.3 and 2.0 binaries with

the corresponding mod_ssl.so module versions included), while binaries for Linux are

included in the major Linux distributions.

</li>

</ul>

Apache Software Foundation mades a point in not offering the compiled binaries

for the SSL module, due to the export regulations for cryptographic software from USA.

Don't ask for binaries if they will not be available at the currently indicated locations.

Various ISVs provide free binaries for this module in various projects such as

<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere

Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.

At line 152 changed 2 lines.

Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>

from the Apache/modssl distribution directory to <code>WINNT\System32</code>.

OpenSSL is required for getting a certificate to use with your web server. You may

download its sources and compile it from

<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled

binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a>

for Windows and are included in major Linux distributions.

OpenSSL for Windows might also be obtained by downloading and installing

Cygwin from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.

Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>

from the Apache/modssl distribution directory to <code>WINNT\System32</code>

(or in another folder mentioned in the PATH environment variable).

At line 157 changed 1 line.

Download and install Cygwin from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

At line 159 changed 2 lines.

You'll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already

exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.

The following instructions are adapted from

<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.

At line 162 changed 1 line.

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

Open a shell window (Command Prompt in Windows) and change the current directory to

the directory where you have the openssl.exe file (openssl file for Linux).

At line 164 changed 7 lines.

The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.

<code>openssl req -new -out server.csr</code>

This creates a certificate signing request and a private key. When asked

for <code>"Common Name (eg, your websites domain name)"</code>,

give the exact domain name of your web server (e.g. www.my-server.dom).

The certificate belongs to this server name and browsers complain if the

name doesn't match.

<code>openssl req -config openssl.cnf -new -out server.csr</code>

This creates a certificate signing request (<code>server.csr</code>) and a

private key (<code>privkey.pem</code>), using the configuration

file that is provided with the binary distribution of OpenSSL or with

Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to

prompt for each detail of the certificate. When asked for

<code>"Common Name (eg, your websites domain name)"</code>,

give the exact domain name of your web server (e.g. www.my-server.dom).

The certificate belongs to this server name and browsers complain if the

name doesn't match.

At line 172 changed 9 lines.

<code>openssl rsa -in privkey.pem -out server.key</code>

This removes the passphrase from the private key. You MUST understand

what this means; <code>server.key</code> should be only readable by the

apache server and the administrator.

You should delete the <code>.rnd</code> file because it contains the entropy

information for creating the key and could be used for cryptographic attacks

against your private key.

<code>openssl x509 -in server.csr -out server.crt -req -signkey server.key

-days 365</code>

If you didn't provide a config file, OpenSSL will try to use the file specified

by the OPENSSL_CONF environment variable. This variable is usually not defined

and if you follow the instructions from the original tutorial (linked at the

top of this page), which does not use the <code>-conf</code> switch, you will

get an error about "distinguished name". (Thanks to

Olivier Gambier for clearing this problem, using information from

<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)

At line 245 added 17 lines.

On a Windows system, files with <code>cnf</code> extensions are treated as special files

(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless

of display settings, and the file will have a strongly modified context menu that

might prevent you from editing it and might mislead you to believe you don't have this file.

Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.

<code>openssl rsa -in privkey.pem -out server.key</code>

This removes the passphrase from the private key. You MUST understand

what this means; <code>server.key</code> should be only readable by the

Apache server and the administrator.

You should delete the <code>.rnd</code> file because it contains the entropy

information for creating the key and could be used for cryptographic attacks

against your private key.

<code>openssl x509 -in server.csr -out server.crt -req -signkey server.key

-days 365</code>

At line 191 changed 1 line.

<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code>

At line 193 changed 4 lines.

Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>

and <code>server.crt</code> into it. For Linux create

two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>

into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.

Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>

and <code>server.crt</code> into it. For Linux create

two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>

into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.

At line 198 changed 8 lines.

Tip from Olivier Gambier:

You can't create a certificate with openssl.exe without a config file

(you get an error about distinguished names).

Thus if the variable OPENSSL_CONF is not defined (and I didn't find it

in your doc, nor I found a conf file in the distrib I downloaded), you

must add:

"-config configfile"

to the certificate creation command, and create a valid "configfile"

__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.

At line 207 removed 4 lines.

I found the information, among with the error message meaning, from

<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.

At line 226 changed 2 lines.

in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will

be done for you when you compile with <code>--enable-ssh=shared</code>)

in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will

be done for you when you compile with <code>--enable-ssh=shared</code>)

At line 229 changed 1 line.

In newer versions of the distribution, it could also be necessary to add

In newer versions of the distribution for Apache 1.x, it could also be necessary to add

At line 231 changed 2 lines.

after the AddModule lines that are already in the config file.

(Not necessary for 2.0.42)

after the AddModule lines that are already in the config file.

At line 234 changed 5 lines.

Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.

For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>

(Right click -> Save Target As...). Make sure

and change the <code>DocumentRoot</code> and <code>ServerName</code> values

on lines 93 and 94.

Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/.

For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>

(Right click -> Save Target As...). Make sure

and change the <code>DocumentRoot</code> and <code>ServerName</code> values

on lines 93 and 94.

At line 240 changed 1 line.

Add the following to the end of <code>httpd.conf</code>:

Add the following to the end of <code>httpd.conf</code>: Make sure and change www.my-server.dom in the example below.

At line 254 changed 1 line.

SSLCertificateFile conf/ssl/server.cert

SSLCertificateFile conf/ssl/server.crt

At line 492 added 4 lines.

Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.

A: Under the VirtualHost section you add to the httpd.conf, I had to change __<VirtualHost www.myhost.com:443>__ to __<VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.

At line 471 changed 1 line.

These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>

These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a>

Raible's Wiki

AppFuse

Other Applications

ApacheSSL