
Setting SSL with Apache 2.x on Windows


Pretty similar to setting up SSL on unix/linux and actually not that hard to do. Just a few things to remember as a checklist.

If your Apache install didn’t include openSSL then you’ll need to download a few things:

Normally you can find mod_ssl.so in the modules directory of your Apache install.
In conf/extra you’ll find httpd-ssl.conf.

Or just download Apache with openSSL here. The next step is to create a certificate. The only thing to look at really is your server name in your httpd.conf file (found in the conf/ directory). You use your server name in your certificate setup – these must match, otherwise you’ll get errors (it’ll still work though).

Ok, the first thing to do for the certificate is to download the program for generating your certificate and key. Go to http://code.google.com/p/openssl-for-windows/downloads/list and download the zip file that you need – I used openssl-0.9.8k_WIN32.zip. Next unzip this to your computer and extract all files. I normally just make a directory in my Apache install, e.g. C:/[Apache Dir]/openssl/

Next you’ll need a configuration file, openssl.cnf, for this program to basically tell it how to behave – you can download the file here. Place this file into your [Openssl Install Dir]/bin directory. Windows by default will call this file SpeedDial just in case you need to find it.

Now in this bin directory you should see two .dll files: libeay32.dll and ssleay32.dll. These files should be included with your openssl download. Copy these files to your windows/system32 directory. Ok, now that’s all done we can actually create our certificate!

Start up a command prompt (start menu/accessories/command prompt) or run cmd.exe. Now navigate to your openssl install bin directory in your prompt screen.

Start openssl by running openssl.exe. The commands below are typed at its OpenSSL> prompt.

To generate the certificate request (.csr) and the private key (.pem) protected by a PEM pass phrase, type and run the following:

req -config openssl.cnf -new -out myName.csr -keyout myName.pem


If you’ve done the previous steps correctly this should start prompting you for information. You can skip stuff by using a period (.) but make sure to set a password and set the common name as your domain e.g. www.luckylarry.co.uk – whatever your server name is in your apache httpd config!

Now we create a key file without the pass phrase by typing the following:

rsa -in myName.pem -out myName.key

This will ask you for the password you previously set. The resulting myName.key is not pass phrase protected, so restrict who can read it. Finally we create the self-signed certificate by running the following:

x509 -in myName.csr -out myName.crt -req -signkey myName.key -days 365


So if you now look in your openssl/bin directory you will see a few files have now been made. You just need to copy the .crt and .key files to your apache/conf directory – I find it’s easier to refer to this location in my config. Delete the .rnd file as this can be used against you should anyone have access to it.

Finally we just need to enable SSL on Apache. First copy the example httpd-ssl.conf from conf/extra to the conf/ directory. Open this up and check a few things. Firstly look in there for your server name (the ServerName directive, line 78) – make sure this is set up. Next look for the paths to the .crt and .key files (the SSLCertificateFile and SSLCertificateKeyFile directives, lines 99 and 107) – make sure these point to wherever you put your key and certificate files.

Now we just need to set our main config. Go to conf/httpd.conf and first make sure this line is added:

LoadModule ssl_module modules/mod_ssl.so

Now we add a bit of config after the list of modules.


Include conf/httpd-ssl.conf

And that’s it! All done.

Now we can start Apache. Look for any errors; they’ll be caused by a wrong directory/path or because you haven’t copied the .dll files.

Also check your error.log and ssl_request.log in your logs/ directory to check that you’re getting no errors. Now you should be able to use https on your domain. One last word of caution: to properly use SSL, make sure you have a static, unique and un-shared IP address.
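
The checklist above as a script, added here as an example and not part of the original post: it reads the text of httpd.conf and httpd-ssl.conf and reports which of the steps (module loaded, SSL config included, ServerName matching the certificate's common name, certificate and key paths present) were missed. The sample configs, the example.test host name and the C:/Apache paths are constructed for illustration.

```python
import re

# Constructed sample configs (assumptions, not taken from the post).
HTTPD_CONF = """\
#LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
ServerName www.example.test:80
Include conf/httpd-ssl.conf
"""
SSL_CONF = """\
Listen 443
<VirtualHost _default_:443>
ServerName example.test:443
SSLEngine on
SSLCertificateFile "C:/Apache/conf/myName.crt"
SSLCertificateKeyFile "C:/Apache/conf/myName.key"
</VirtualHost>
"""

def directives(text):
    """Yield (name, [args]) for each active (uncommented) directive line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and <Section> tags
        parts = re.findall(r'"[^"]*"|\S+', line)  # keep quoted paths whole
        yield parts[0].lower(), [p.strip('"') for p in parts[1:]]

def check_ssl_setup(httpd_conf, ssl_conf, common_name, existing_files):
    """Return a list of problems against the checklist (empty list = OK)."""
    problems = []
    main = list(directives(httpd_conf))
    ssl = dict(directives(ssl_conf))  # last occurrence of a directive wins
    if ("loadmodule", ["ssl_module", "modules/mod_ssl.so"]) not in main:
        problems.append("mod_ssl is not loaded in httpd.conf")
    if not any(n == "include" and a and a[0].endswith("ssl.conf") for n, a in main):
        problems.append("SSL config is not included from httpd.conf")
    # Compare the host part of ServerName (port stripped) with the certificate CN.
    host = (ssl.get("servername") or [""])[0].rsplit(":", 1)[0]
    if host.lower() != common_name.lower():
        problems.append(f"ServerName {host!r} != certificate CN {common_name!r}")
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        path = (ssl.get(key) or [""])[0]
        if path not in existing_files:
            problems.append(f"{key}: file not found: {path!r}")
    return problems
```

On a real install, pass the contents of the two files and build existing_files from the paths that actually exist on disk.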