At line 9 removed 2 lines. |
$Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $ |
|
At line 10 added 4 lines. |
1.7.1 2006-11-16 Added default test certificate pass phrase |
1.7.0 2005-12-29 Added "unknown protocol" issue and solution |
1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial |
1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications |
At line 64 changed 1 line. |
<p>Version 1.6.7 (changelog: view source)</p> |
<p>Version 1.6.8 (changelog: view source)</p> |
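Review bot: the displayed version is bumped only to 1.6.8, while the changelog entries added at the top of this diff run up to 1.7.1 (2006-11-16); make the two agree, either `<p>Version 1.7.1 (changelog: view source)</p>` here or by trimming the changelog to the entries this revision actually contains.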
At line 79 removed 1 line. |
|
At line 82 added 3 lines. |
|
%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%% |
|
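Review bot: duplicated article in the link text, `written an [an updated and simplified|...]`; drop one `an`. The callout is also written in wiki markup (`%%note`, `[text|url]`) inside a page that is otherwise raw HTML, so check that it renders as a note rather than as literal percent signs.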
At line 160 removed 3 lines. |
<li><code>Listen 443</code> (So your server listens on the standard SSL |
port)</li> |
|
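Review bot: removing the `Listen 443` item leaves this checklist without the directive that makes httpd bind the SSL port at all; unless the ssl.conf the reader is told to copy later carries its own `Listen 443`, https connections will be refused outright. Keep the item, or replace it with a sentence saying that ssl.conf supplies the Listen directive.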
At line 179 removed 6 lines. |
<p>Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a> |
and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>. |
(<span class="highlight">You can get the 2.0.49 version at <a href="http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip">http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip</a></span>, older packages |
are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>). |
Download and unzip it to a new directory. </p> |
|
At line 186 changed 3 lines. |
If you need the newest version, you will have to compile it yourself if it is |
not there. Don't ask me about it; I don't have it, I don't compile the versions |
on modssl.org, and I don't have access to development tools on Win32. |
If you want to compile the mod_ssl.so module, you can use the latest |
sources, available at |
<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a> |
for Apache 1.3.x and included in Apache HTTP server sources, |
accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>) |
for Apache 2.0.x.</p> |
<p>For Windows, the precompiled module is available at |
<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a> |
(where you will find there Apache 1.3 and 2.0 binaries with |
the corresponding mod_ssl.so module versions included), while binaries for Linux are |
included in the major Linux distributions. |
</li> |
</ul> |
Apache Software Foundation mades a point in not offering the compiled binaries |
for the SSL module, due to the export regulations for cryptographic software from USA. |
Don't ask for binaries if they will not be available at the currently indicated locations. |
Various ISVs provide free binaries for this module in various projects such as |
<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere |
Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc. |
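Review bot: this replacement closes `</li>` and `</ul>` that the three lines it replaces never opened, so unless the original closing tags further down were removed in the same edit the list is now closed twice; check the rendered page. Wording: `accesible` should be `accessible`, `mades a point in not offering` should be `makes a point of not offering`, and `where you will find there` has one `there` too many.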
At line 191 changed 2 lines. |
<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code> |
from the Apache/modssl distribution directory to <code>WINNT\System32</code>. |
<p>OpenSSL is required for getting a certificate to use with your web server. You may |
download its sources and compile it from |
<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled |
binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a> |
for Windows and are included in major Linux distributions.</p> |
|
<p>OpenSSL for Windows might also be obtained by downloading and installing |
<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p> |
|
<p><span class="highlight">Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code> |
from the Apache/modssl distribution directory to <code>WINNT\System32</code> |
(or in another folder mentioned in the PATH environment variable). |
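Review bot: the instruction to put `ssleay32.dll` and `libeay32.dll` into `WINNT\System32` is the weaker of the two options it offers: a DLL in System32 is picked up by every program on the machine that loads those names, and it keeps being loaded after a later Apache/OpenSSL update replaces only the copy that ships with Apache. Windows searches the application's own directory before System32, so the pair is best left beside `Apache.exe` in Apache's `bin` folder, and the page should recommend that first. Also `Put the files ... to` should read `into`, and the `<p><span class="highlight">` opened here is not closed within the hunk; confirm the closing tags survive in the following unchanged text.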
At line 196 changed 1 line. |
<p>Download and install <strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p> |
<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2> |
At line 198 changed 2 lines. |
<p>You'll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already |
exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution. |
<p>The following instructions are adapted from |
<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p> |
At line 201 changed 1 line. |
</p><h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2> |
<p>Open a shell window (Command Prompt in Windows) and change the current directory to |
the directory where you have the openssl.exe file (openssl file for Linux).</p> |
At line 203 changed 7 lines. |
<p>The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p> |
<p><code>openssl req -new -out server.csr</code><br /> |
This creates a certificate signing request and a private key. When asked |
for <code>"Common Name (eg, your websites domain name)"</code>, |
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>). |
The certificate belongs to this server name and browsers complain if the |
name doesn't match.</p> |
<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br /> |
This creates a certificate signing request (<code>server.csr</code>) and a |
private key (<code>privkey.pem</code>), using the configuration |
file that is provided with the binary distribution of OpenSSL or with |
Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to |
prompt for each detail of the certificate. When asked for |
<code>"Common Name (eg, your websites domain name)"</code>, |
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>). |
The certificate belongs to this server name and browsers complain if the |
name doesn't match.</p> |
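Review bot: `-config openssl.cnf` is resolved relative to the current directory, so say where the file lives (the page only says it is `provided with the binary distribution ... or with Cygwin`); a reader who has changed into the directory holding `openssl.exe` as instructed above will get the `distinguished name` error again if the file is elsewhere. Two more points on the command itself: without `-newkey` the key size comes from `default_bits` in that config, which in the stock openssl.cnf of this era is 1024, so spell it out, e.g. `openssl req -config openssl.cnf -new -newkey rsa:2048 -keyout privkey.pem -out server.csr`; and `that will make the OpenSSL application to prompt` should read `which makes openssl prompt`.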
At line 211 changed 9 lines. |
<p><code>openssl rsa -in privkey.pem -out server.key</code><br /> |
This removes the passphrase from the private key. You MUST understand |
what this means; <code>server.key</code> should be only readable by the |
apache server and the administrator.<br /> |
You should delete the <code>.rnd</code> file because it contains the entropy |
information for creating the key and could be used for cryptographic attacks |
against your private key.</p> |
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key |
-days 365</code><br /> |
<p style="margin-left: 20px; font-style: italic; color: green"> |
If you didn't provide a config file, OpenSSL will try to use the file specified |
by the OPENSSL_CONF environment variable. This variable is usually not defined |
and if you follow the instructions from the original tutorial (linked at the |
top of this page), which does not use the <code>-conf</code> switch, you will |
get an error about "distinguished name". (Thanks to |
<strong>Olivier Gambier</strong> for clearing this problem, using information from |
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p> |
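Review bot: the option name in the green note is wrong: `req` has no `-conf` switch, the switch is `-config` (as used correctly in the command above it); fix it so a reader copying the note does not get an unknown-option error. The removed `openssl rsa` / `openssl x509` steps reappear unchanged in the later hunk `At line 245 added 17 lines`, so this is a move, not a deletion.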
At line 245 added 17 lines. |
<p style="margin-left: 20px; font-style: italic; color: green"> |
On a Windows system, files with <code>cnf</code> extensions are treated as special files |
(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless |
of display settings, and the file will have a strongly modified context menu that |
might prevent you from editing it and might mislead you to believe you don't have this file. |
Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p> |
|
<p><code>openssl rsa -in privkey.pem -out server.key</code><br /> |
This removes the passphrase from the private key. You MUST understand |
what this means; <code>server.key</code> should be only readable by the |
Apache server and the administrator.<br /> |
You should delete the <code>.rnd</code> file because it contains the entropy |
information for creating the key and could be used for cryptographic attacks |
against your private key.</p> |
|
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key |
-days 365</code><br /> |
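Review bot: `server.key should be only readable by the Apache server and the administrator` is the security-critical step of this procedure now that the passphrase is gone, and the page does not say how; on Windows that is an NTFS ACL, e.g. `cacls conf\ssl\server.key /P Administrators:F SYSTEM:F` (add the service account if httpd does not run as LocalSystem), and on Linux `chmod 600`. The `.rnd` rationale is overstated: it is the RNG seed file OpenSSL writes back after a run and does not reveal the key; deleting it is harmless but should not be presented as protecting the key. Minor: the SpeedDial paragraph says Explorer `will refuse to display its extension`; Explorer hides it, it does not refuse.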
At line 230 changed 1 line. |
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p> |
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p> |
At line 232 changed 4 lines. |
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code> |
and <code>server.crt</code> into it. <strong>For Linux</strong> create |
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code> |
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p> |
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code> |
and <code>server.crt</code> into it. <strong>For Linux</strong> create |
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code> |
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p> |
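Review bot: the Linux instructions create `ssl.key` and `ssl.crt` but say nothing about ownership or mode; since `server.key` no longer has a passphrase, add `chmod 700 ssl.key` and `chmod 600 ssl.key/server.key`, owned by root (httpd reads the key at startup before dropping privileges), otherwise any local user can read the key.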
At line 237 changed 8 lines. |
<p style="margin-left: 20px; font-style: italic; color: green"><strong>Tip from Olivier Gambier</strong>:<br /> |
You can't create a certificate with openssl.exe without a config file |
(you get an error about distinguished names). |
Thus if the variable OPENSSL_CONF is not defined (and I didn't find it |
in your doc, nor I found a conf file in the distrib I downloaded), you |
must add: |
"-config configfile" |
to the certificate creation command, and create a valid "configfile" |
<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p> |
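Review bot: `The default pass phrase shipped with openssl.cnf is aaaa` is unsupported as written: the stock openssl.cnf sets no pass phrase (its `input_password` / `output_password` entries are commented out) and `openssl req` prompts for one, so this can only be true of one specific bundled config; say which package it refers to, or drop the note, since a reader who typed a passphrase of their own will be confused. The line also mixes wiki `__Note:__` / `''aaaa''` markup into an HTML paragraph.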
At line 246 removed 4 lines. |
I found the information, among with the error message meaning, from |
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>. |
</p> |
|
At line 265 changed 2 lines. |
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will |
be done for you when you compile with <code>--enable-ssh=shared</code>)</p> |
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will |
be done for you when you compile with <code>--enable-ssh=shared</code>)</p> |
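Review bot: `--enable-ssh=shared` is not an httpd configure option; the flag that builds mod_ssl as a DSO is `--enable-ssl=shared`. The same typo is on both sides of this hunk, so it predates this revision, but it is the one line a Linux reader will copy.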
At line 268 changed 1 line. |
<p>In newer versions of the distribution, it could also be necessary to add<br /> |
<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br /> |
At line 270 changed 2 lines. |
after the AddModule lines that are already in the config file. |
(Not necessary for 2.0.42)</p> |
after the AddModule lines that are already in the config file. </p> |
At line 273 changed 5 lines. |
<p>Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/. |
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a> |
(Right click -> Save Target As...). <span class="highlight">Make sure |
and change the <code>DocumentRoot</code> and <code>ServerName</code> values |
on lines 93 and 94.</span></p> |
<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/. |
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a> |
(Right click -> Save Target As...). <span class="highlight">Make sure |
and change the <code>DocumentRoot</code> and <code>ServerName</code> values |
on lines 93 and 94.</span></p> |
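Review bot: `ssl.conf` ships with the Apache httpd 2.0 distribution (as `conf/ssl.conf`), not with OpenSSL; fix the attribution so readers look in the right package. `lines 93 and 94` pins the edit to one copy of the file and will be wrong for any other version; name the directives instead (`DocumentRoot` and `ServerName` inside the `<VirtualHost _default_:443>` block). A copy fetched from a third-party site over plain http should also be diffed against the stock file before it is used.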
At line 279 changed 1 line. |
<p>Add the following to the end of <code>httpd.conf</code>:</p> |
<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure and change <b>www.my-server.dom</b> in the example below.</span></p> |
At line 293 changed 1 line. |
SSLCertificateFile conf/ssl/server.cert |
SSLCertificateFile conf/ssl/server.crt |
At line 492 added 4 lines. |
<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server. |
<br /><br /> |
A: Under the VirtualHost section you add to the httpd.conf, I had to change __<VirtualHost www.myhost.com:443>__ to __<VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works. |
|
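Review bot: the answer works, but the reason is worth one sentence so readers can recognise the symptom: `<VirtualHost www.myhost.com:443>` resolves the name when httpd parses the config, and if the client's connection arrives on a different address than the one the name resolved to (here the public name versus 10.10.0.14), the TLS ClientHello lands on a vhost without `SSLEngine on`, httpd answers with plain HTTP, and the browser reports `unknown protocol`; `_default_:443` matches any address on port 443. Also the paragraph opens `<p>` and never closes it, and uses wiki `__bold__` inside HTML.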
At line 510 changed 1 line. |
These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a> |
These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a> |