Raible's Wiki: ApacheSSL

At line 9 removed 2 lines.

$Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $

At line 10 added 4 lines.

1.7.1 2006-11-16 Added default test certificate pass phrase

1.7.0 2005-12-29 Added "unknown protocol" issue and solution

1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial

1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications

At line 64 changed 1 line.

Version 1.6.7 (changelog: view source)

Version 1.6.8 (changelog: view source)

At line 79 removed 1 line.

At line 82 added 3 lines.

%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%

At line 160 removed 3 lines.

<li><code>Listen 443</code> (So your server listens on the standard SSL

port)</li>

At line 179 removed 6 lines.

Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>

and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.

(You can get the 2.0.49 version at <a href="http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip">http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip</a>, older packages

are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).

Download and unzip it to a new directory.

At line 186 changed 3 lines.

If you need the newest version, you will have to compile it yourself if it is

not there. Don't ask me about it; I don't have it, I don't compile the versions

on modssl.org, and I don't have access to development tools on Win32.

If you want to compile the mod_ssl.so module, you can use the latest

sources, available at

<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a>

for Apache 1.3.x and included in Apache HTTP server sources,

accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)

for Apache 2.0.x.

For Windows, the precompiled module is available at

<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>

(where you will find there Apache 1.3 and 2.0 binaries with

the corresponding mod_ssl.so module versions included), while binaries for Linux are

included in the major Linux distributions.

</li>

</ul>

Apache Software Foundation mades a point in not offering the compiled binaries

for the SSL module, due to the export regulations for cryptographic software from USA.

Don't ask for binaries if they will not be available at the currently indicated locations.

Various ISVs provide free binaries for this module in various projects such as

<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere

Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.

At line 191 changed 2 lines.

Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>

from the Apache/modssl distribution directory to <code>WINNT\System32</code>.

OpenSSL is required for getting a certificate to use with your web server. You may

download its sources and compile it from

<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled

binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a>

for Windows and are included in major Linux distributions.

OpenSSL for Windows might also be obtained by downloading and installing

Cygwin from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.

Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>

from the Apache/modssl distribution directory to <code>WINNT\System32</code>

(or in another folder mentioned in the PATH environment variable).

At line 196 changed 1 line.

Download and install Cygwin from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

At line 198 changed 2 lines.

You'll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already

exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.

The following instructions are adapted from

<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.

At line 201 changed 1 line.

<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

Open a shell window (Command Prompt in Windows) and change the current directory to

the directory where you have the openssl.exe file (openssl file for Linux).

At line 203 changed 7 lines.

The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.

<code>openssl req -new -out server.csr</code>

This creates a certificate signing request and a private key. When asked

for <code>"Common Name (eg, your websites domain name)"</code>,

give the exact domain name of your web server (e.g. www.my-server.dom).

The certificate belongs to this server name and browsers complain if the

name doesn't match.

<code>openssl req -config openssl.cnf -new -out server.csr</code>

This creates a certificate signing request (<code>server.csr</code>) and a

private key (<code>privkey.pem</code>), using the configuration

file that is provided with the binary distribution of OpenSSL or with

Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to

prompt for each detail of the certificate. When asked for

<code>"Common Name (eg, your websites domain name)"</code>,

give the exact domain name of your web server (e.g. www.my-server.dom).

The certificate belongs to this server name and browsers complain if the

name doesn't match.

At line 211 changed 9 lines.

<code>openssl rsa -in privkey.pem -out server.key</code>

This removes the passphrase from the private key. You MUST understand

what this means; <code>server.key</code> should be only readable by the

apache server and the administrator.

You should delete the <code>.rnd</code> file because it contains the entropy

information for creating the key and could be used for cryptographic attacks

against your private key.

<code>openssl x509 -in server.csr -out server.crt -req -signkey server.key

-days 365</code>

If you didn't provide a config file, OpenSSL will try to use the file specified

by the OPENSSL_CONF environment variable. This variable is usually not defined

and if you follow the instructions from the original tutorial (linked at the

top of this page), which does not use the <code>-conf</code> switch, you will

get an error about "distinguished name". (Thanks to

Olivier Gambier for clearing this problem, using information from

<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)

At line 245 added 17 lines.

On a Windows system, files with <code>cnf</code> extensions are treated as special files

(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless

of display settings, and the file will have a strongly modified context menu that

might prevent you from editing it and might mislead you to believe you don't have this file.

Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.

<code>openssl rsa -in privkey.pem -out server.key</code>

This removes the passphrase from the private key. You MUST understand

what this means; <code>server.key</code> should be only readable by the

Apache server and the administrator.

You should delete the <code>.rnd</code> file because it contains the entropy

information for creating the key and could be used for cryptographic attacks

against your private key.

<code>openssl x509 -in server.csr -out server.crt -req -signkey server.key

-days 365</code>

At line 230 changed 1 line.

<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code>

At line 232 changed 4 lines.

Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>

and <code>server.crt</code> into it. For Linux create

two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>

into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.

Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>

and <code>server.crt</code> into it. For Linux create

two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>

into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.

At line 237 changed 8 lines.

Tip from Olivier Gambier:

You can't create a certificate with openssl.exe without a config file

(you get an error about distinguished names).

Thus if the variable OPENSSL_CONF is not defined (and I didn't find it

in your doc, nor I found a conf file in the distrib I downloaded), you

must add:

"-config configfile"

to the certificate creation command, and create a valid "configfile"

__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.

At line 246 removed 4 lines.

I found the information, among with the error message meaning, from

<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.

At line 265 changed 2 lines.

in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will

be done for you when you compile with <code>--enable-ssh=shared</code>)

in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will

be done for you when you compile with <code>--enable-ssh=shared</code>)

At line 268 changed 1 line.

In newer versions of the distribution, it could also be necessary to add

In newer versions of the distribution for Apache 1.x, it could also be necessary to add

At line 270 changed 2 lines.

after the AddModule lines that are already in the config file.

(Not necessary for 2.0.42)

after the AddModule lines that are already in the config file.

At line 273 changed 5 lines.

Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.

For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>

(Right click -> Save Target As...). Make sure

and change the <code>DocumentRoot</code> and <code>ServerName</code> values

on lines 93 and 94.

Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/.

For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>

(Right click -> Save Target As...). Make sure

and change the <code>DocumentRoot</code> and <code>ServerName</code> values

on lines 93 and 94.

At line 279 changed 1 line.

Add the following to the end of <code>httpd.conf</code>:

Add the following to the end of <code>httpd.conf</code>: Make sure and change www.my-server.dom in the example below.

At line 492 added 4 lines.

Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.

A: Under the VirtualHost section you add to the httpd.conf, I had to change __<VirtualHost www.myhost.com:443>__ to __<VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.

At line 510 changed 1 line.

These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>

These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a>

Raible's Wiki

AppFuse

Other Applications

ApacheSSL