ApacheSSL


Difference between version 17 and version 7:

At line 9 removed 2 lines.
$Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $
At line 10 added 4 lines.
1.7.1 2006-11-16 Added default test certificate pass phrase
1.7.0 2005-12-29 Added "unknown protocol" issue and solution
1.6.9 2005-01-24 Added link to new Windows+Apache+SSL Tutorial
1.6.8 2004-12-13 Links updated; OpenSSL configfile explained; other clarifications
At line 64 changed 1 line.
<p>Version 1.6.7 (changelog: view source)</p>
<p>Version 1.6.8 (changelog: view source)</p>
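Review bot: the version banner is bumped only from 1.6.7 to 1.6.8, while the changelog block added at line 10 in this same diff now goes up to 1.7.1 (with 1.6.9 and 1.7.0 in between); bump the banner to 1.7.1 so the two places agree on which revision the reader is looking at.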
At line 79 removed 1 line.
At line 82 added 3 lines.
%%note __NEW!__ (January 23, 2005) Chris Thompson has written an [an updated and simplified|http://www.thompsonbd.com/tutorials/apachessl.php] Apache+SSL HowTo for Windows.%%
At line 160 removed 3 lines.
<li><code>Listen 443</code> (So your server listens on the standard SSL
port)</li>
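Review bot: removing the `Listen 443` bullet drops the only place in this section that tells Apache to bind the SSL port; unless the `ssl.conf` the reader copies in later carries its own `Listen 443`, the server keeps listening on port 80 only and every https connection is refused. Either keep the bullet or state explicitly that the Listen directive comes from ssl.conf.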
At line 179 removed 6 lines.
<p>Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>
and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.
(<span class="highlight">You can get the 2.0.49 version at <a href="http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip">http://hunter.campbus.com/Apache_2.0.49-Openssl_0.9.7d-Win32.zip</a></span>, older packages
are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).
Download and unzip it to a new directory. </p>
At line 186 changed 3 lines.
If you need the newest version, you will have to compile it yourself if it is
not there. Don't ask me about it; I don't have it, I don't compile the versions
on modssl.org, and I don't have access to development tools on Win32.
If you want to compile the mod_ssl.so module, you can use the latest
sources, available at
<a href="http://www.modssl.org/contrib/ftp/source/">http://www.modssl.org/contrib/ftp/source/</a>
for Apache 1.3.x and included in Apache HTTP server sources,
accesible as a CVS code repository (see the instructions at <a href="http://httpd.apache.org/dev/anoncvs.txt">http://httpd.apache.org/dev/anoncvs.txt</a>)
for Apache 2.0.x.</p>
<p>For Windows, the precompiled module is available at
<a href="http://hunter.campbus.com/">http://hunter.campbus.com/</a>
(where you will find there Apache 1.3 and 2.0 binaries with
the corresponding mod_ssl.so module versions included), while binaries for Linux are
included in the major Linux distributions.
</li>
</ul>
Apache Software Foundation mades a point in not offering the compiled binaries
for the SSL module, due to the export regulations for cryptographic software from USA.
Don&#39;t ask for binaries if they will not be available at the currently indicated locations.
Various ISVs provide free binaries for this module in various projects such as
<a href="http://www.nusphere.com/products/index.htm#NuSphereTechPlatform">NuSphere
Technology Platform</a>, <a href="http://www.apache-ssl.org/">Apache-SSL</a> etc.
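Review bot: two typos and a markup problem in the added text: "accesible" should be "accessible", and "Apache Software Foundation mades a point in not offering" should read "makes a point of not offering"; the sentences after `</ul>` are bare text, not wrapped in a `<p>` like the rest of the section. Since the text now sends readers to third-party precompiled mod_ssl/OpenSSL binaries (hunter.campbus.com, NuSphere), add a sentence telling them to check the download against the checksum or signature the provider publishes before installing it; this module is what handles the server's private key.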
At line 191 changed 2 lines.
<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>.
<p>OpenSSL is required for getting a certificate to use with your web server. You may
download its sources and compile it from
<a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>. Compiled
binaries are available at <a href="http://gnuwin32.sourceforge.net/packages/openssl.htm">http://gnuwin32.sourceforge.net/packages/openssl.htm</a>
for Windows and are included in major Linux distributions.</p>
<p>OpenSSL for Windows might also be obtained by downloading and installing
<strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
<p><span class="highlight">Put the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>
(or in another folder mentioned in the PATH environment variable).
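Review bot: the added paragraph still makes `WINNT\System32` the primary destination for `ssleay32.dll` and `libeay32.dll`, which puts these copies on the search path of every program on the machine and can silently override the OpenSSL libraries other software installed; promote the parenthetical alternative and recommend the Apache `bin` directory (next to the Apache executable, which the Windows loader searches first) instead of System32. Also "Put the files ... to" should be "Put the files ... in", and the `<span class="highlight">` opened on the last added line is not closed within this hunk.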
At line 196 changed 1 line.
<p>Download and install <strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
<h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
At line 198 changed 2 lines.
<p>You&#39;ll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already
exist for you. If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.
<p>The following instructions are adapted from
<a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
At line 201 changed 1 line.
</p><h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
<p>Open a shell window (Command Prompt in Windows) and change the current directory to
the directory where you have the openssl.exe file (openssl file for Linux).</p>
At line 203 changed 7 lines.
<p>The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
<p><code>openssl req -new -out server.csr</code><br />
This creates a certificate signing request and a private key. When asked
for <code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
The certificate belongs to this server name and browsers complain if the
name doesn&#39;t match.</p>
<p><code>openssl req -config openssl.cnf -new -out server.csr</code><br />
This creates a certificate signing request (<code>server.csr</code>) and a
private key (<code>privkey.pem</code>), using the configuration
file that is provided with the binary distribution of OpenSSL or with
Cygwin (<code>openssl.cnf</code>) that will make the OpenSSL application to
prompt for each detail of the certificate. When asked for
<code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
The certificate belongs to this server name and browsers complain if the
name doesn&#39;t match.</p>
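Review bot: `openssl req -config openssl.cnf -new -out server.csr` never states a key size, so the key length is whatever `default_bits` in the openssl.cnf the reader happened to pick up (Cygwin's or the binary distribution's) says; suggest making it explicit with `-newkey rsa:2048` so the result does not depend on the config file. Grammar: "that will make the OpenSSL application to prompt for each detail" should be "which makes OpenSSL prompt for each detail".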
At line 211 changed 9 lines.
<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
This removes the passphrase from the private key. You MUST understand
what this means; <code>server.key</code> should be only readable by the
apache server and the administrator.<br />
You should delete the <code>.rnd</code> file because it contains the entropy
information for creating the key and could be used for cryptographic attacks
against your private key.</p>
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
-days 365</code><br />
<p style="margin-left: 20px; font-style: italic; color: green">
If you didn't provide a config file, OpenSSL will try to use the file specified
by the OPENSSL_CONF environment variable. This variable is usually not defined
and if you follow the instructions from the original tutorial (linked at the
top of this page), which does not use the <code>-conf</code> switch, you will
get an error about &quot;distinguished name&quot;. (Thanks to
<strong>Olivier Gambier</strong> for clearing this problem, using information from
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.)</p>
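Review bot: the added note refers to a `-conf` switch, but the option used elsewhere on this page and accepted by `openssl req` is `-config`; correct the name so readers who copy it get a working flag. The explanation itself is sound: with neither `-config` nor OPENSSL_CONF, `req` cannot locate the distinguished-name section and fails with the error the note describes.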
At line 245 added 17 lines.
<p style="margin-left: 20px; font-style: italic; color: green">
On a Windows system, files with <code>cnf</code> extensions are treated as special files
(of type SpeedDial) and Windows Explorer will refuse to display its extension, regardless
of display settings, and the file will have a strongly modified context menu that
might prevent you from editing it and might mislead you to believe you don't have this file.
Just look for a SpeedDial-type file displayed simply as <code>openssl</code>.</p>
<p><code>openssl rsa -in privkey.pem -out server.key</code><br />
This removes the passphrase from the private key. You MUST understand
what this means; <code>server.key</code> should be only readable by the
Apache server and the administrator.<br />
You should delete the <code>.rnd</code> file because it contains the entropy
information for creating the key and could be used for cryptographic attacks
against your private key.</p>
<p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
-days 365</code><br />
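Review bot: the re-added `openssl rsa -in privkey.pem -out server.key` paragraph says `server.key` should be readable only by the Apache server and the administrator but gives no step that achieves it; since this is exactly the command that strips the pass phrase, put the concrete protection right after it (on Linux, owned by root with mode 600, since Apache reads the key before dropping privileges; on Windows, an NTFS ACL limited to Administrators and the account the Apache service runs as). Also, the `<p>` holding the `openssl x509 ... -days 365` command is not closed within this hunk.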
At line 230 changed 1 line.
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
<code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
At line 232 changed 4 lines.
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
and <code>server.crt</code> into it. <strong>For Linux</strong> create
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
<p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
and <code>server.crt</code> into it. <strong>For Linux</strong> create
two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
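Review bot: old and new lines are identical here (whitespace-only change), but the Linux instruction still says to create `ssl.key` and `ssl.crt` without saying where; the Windows sentence names `Apache/conf/ssl`, so state whether the Linux directories also live under `conf/`.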
At line 237 changed 8 lines.
<p style="margin-left: 20px; font-style: italic; color: green"><strong>Tip from Olivier Gambier</strong>:<br />
You can't create a certificate with openssl.exe without a config file
(you get an error about distinguished names).
Thus if the variable OPENSSL_CONF is not defined (and I didn't find it
in your doc, nor I found a conf file in the distrib I downloaded), you
must add:
"-config configfile"
to the certificate creation command, and create a valid "configfile"
<p><span class="highlight">__Note:__ The default pass phrase shipped with openssl.cnf is ''aaaa''.</span></p>
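Review bot: the new note publishes the pass phrase shipped with openssl.cnf ("aaaa"), and a pass phrase anyone can read on a web page protects nothing; say that it only covers the throwaway test key, that the `openssl rsa` step strips it anyway, and that a real key's pass phrase must never be the config file's default. Markup: the line mixes wiki syntax (`__Note:__`, `''aaaa''`) with HTML `<p>`/`<span>`; the rest of the page uses `<strong>` and `<code>`. Dropping Olivier Gambier's tip is fine, since the OPENSSL_CONF note added earlier in this diff now carries the same `-config` advice.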
At line 246 removed 4 lines.
I found the information, among with the error message meaning, from
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.
</p>
At line 265 changed 2 lines.
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
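Review bot: both the old and the new line say `--enable-ssh=shared`; the httpd configure option that builds mod_ssl as a shared module is `--enable-ssl=shared`, so this revision preserves a typo that makes the Linux build instruction fail as written. Fix it in the new version.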
At line 268 changed 1 line.
<p>In newer versions of the distribution, it could also be necessary to add<br />
<p>In newer versions of the distribution for Apache 1.x, it could also be necessary to add<br />
At line 270 changed 2 lines.
after the AddModule lines that are already in the config file.
(Not necessary for 2.0.42)</p>
after the AddModule lines that are already in the config file. </p>
At line 273 changed 5 lines.
<p>Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
(Right click -> Save Target As...). <span class="highlight">Make sure
and change the <code>DocumentRoot</code> and <code>ServerName</code> values
on lines 93 and 94.</span></p>
<p>Copy <code>ssl.conf</code> from the OpenSSL distribution to Apache/conf/.
For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
(Right click -> Save Target As...). <span class="highlight">Make sure
and change the <code>DocumentRoot</code> and <code>ServerName</code> values
on lines 93 and 94.</span></p>
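Review bot: the "distrution" typo fix is good, but two things remain. `ssl.conf` ships with the Apache/mod_ssl distribution, not with OpenSSL, so "from the OpenSSL distribution" points readers at the wrong package; and "on lines 93 and 94" drifts as soon as the downloaded file is edited, so refer to `DocumentRoot` and `ServerName` by name only (they are already named). "Make sure and change" should be "Make sure to change", and since the file is fetched from a third-party site over plain http, tell readers to review its contents before dropping it into `conf/`.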
At line 279 changed 1 line.
<p>Add the following to the end of <code>httpd.conf</code>:</p>
<p>Add the following to the end of <code>httpd.conf</code>: <span class="highlight">Make sure and change <b>www.my-server.dom</b> in the example below.</span></p>
At line 492 added 4 lines.
<p>Q: When trying to connect to https://www.myhost.com I kept getting an error about an unknown protocol. I could however connect to https://10.10.0.14 which is the local ip of the server.
<br /><br />
A: Under the VirtualHost section you add to the httpd.conf, I had to change __&lt;VirtualHost www.myhost.com:443>__ to __&lt;VirtualHost _default_:443>__.Not sure why this had to be done in my case, but it works.
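Review bot: the answer's "not sure why" can be explained from the symptom: the host part of `<VirtualHost www.myhost.com:443>` is resolved to an IP address when Apache starts, and a virtual host bound to an address the server never receives requests on is never selected, so the connection falls through to a non-SSL host and the browser reports the plain-text reply as an unknown protocol; connecting to https://10.10.0.14 worked because that address matched. `_default_:443` works because it catches every address on port 443; `<VirtualHost 10.10.0.14:443>` with `ServerName www.myhost.com` would be the narrower fix. Markup: the `<p>` opened on the first added line is never closed, `__&lt;VirtualHost ...>__` mixes wiki bold with HTML entities, and "works.Not sure" is missing a space.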
At line 510 changed 1 line.
These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>
These instructions were tested by <a href="mailto:[email protected]">Matt Raible</a>
