Apache2 SSL on Windows

1. Install OpenSSL
OpenSSL is free, but the main site only distributes source code. They have a binary distributions page, but it only links to an installer made by Shining Light Productions. I haven't tried that, because I don't want any more crap in Add/Remove Programs. Instead, I download the latest Opensslversion-Win32.zip from hunter, which is presently Openssl-0.9.8bWin32.zip. It's about 1mb and is usually about the second link on the page. Don't get the links that say "Apache" in them just yet, be patient.

Unzip the file somewhere on your computer and copy all the libeay32.dll and ssleay32.dll to your Windows\System32 directory. If you've dealt with SSL at all before, especially as a developer, you might already have copies of these there. Keep whatever is newest.

For a basic sanity check, open a command prompt and go to the directory where you unzipped OpenSSL. Run openssl version and it should report both the version of OpenSSL, matching what was embedded in the ZIP you downloaded, as well as when it was built. Generally the more recent, the better.

You'll also need an openssl.cnf, which is an OpenSSL configuration file that, for some reason, doesn't come with hunter's distribution. Download this one or this one and save it to the folder where you unzipped OpenSSL.

2. Create Self-Signed Certificate
Several files related to your SSL certificate will be created in this section, so choose a common base name to use. In my examples I use "blarg", which I've italicised to show it should be replaced by your choice. In practice, I recommend extracting the essence from your domain name; for example, if I was creating a certificate for https://www.neilstuff.com/ then I'd use "neilstuff".

Open up a command prompt, go to the directory where you unzipped OpenSSL, and run the following command to create a new certificate request:

    openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem

You'll be prompted to answer many questions; which ones depend on your openssl.cnf file. All except two of these can be left blank:

• PEM pass phrase: Password associated with the private key (blarg.pem) you're generating. Since we'll be removing this for the benefit of Apache 2.0.X, I suggest using something like "none" or "password".
• Common Name: The fully-qualified domain name associated with this certificate. In my example, I use www.blarg.com, which means I damn well better use that certificate on https://www.blarg.com/. For personal security, testing, or intranets it's okay for this to not quite match - just be prepared to deal with warnings from web browsers and such.

Now it's time to create a non-password protected key for Apache 2.0.X by executing the following:

    openssl rsa -in blarg.pem -out blarg.key

The only thing you'll be asked is the password you had used. Your resulting KEY file is essentially the same thing as the PEM, just not password protected.

Before we go on, delete the .rnd file. This contains entropy information which could be used by malicious people to try and crack your certificate later on (if they get a hold of it).

Finally, run the following command to create an X.509 certificate, e.g. the kind of certificate that SSL likes to munch:

    openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365

Congratulations, you've created a self-signed certificate! Keep the KEY and CERT files some place safe; we'll be using them soon.

3. Install Apache 2.0.X w/ mod_ssl.so
You can skip this section if you already have Apache 2 installed with mod_ssl.so.

Back to hunter to download the latest Apache2 binary distribution for Windows with SSL, which is presently Apache_2.0.59-Openssl_0.9.8bWin32.zip. It's about 6.5mb and is usually about the third link on the page. Create a folder for this such as C:\Program Files\Apache Group\Apache2 and unzip the contents there. Open conf\httpd.conf in a text editor and ...

• Change the line that says ServerRoot "c:/apache" to indicate the folder where you unzipped Apache2, i.e. ServerRoot "c:/Program Files/Apache Group/Apache2". The quotes are important, and remember to change all backslashes (\) to forward ones (/).
• Replace both instances of "c:/apache/htdocs" with your web root path.

If you want to have Apache2 listen on a different port than 80 (the default), change the Listen and ServerName directives in conf\httpd.conf.

Open a command prompt, get to the bin directory (under the folder you created), and run the following command to install Apache2 as a service:

    apache -k install

Anytime you wish to start Apache2, you can go to the same directory and run apache -k start. Restarting and stopping are much the same except you'll specify "restart" and "stop" after the "-k". It's also possible to just use the NET START and NET STOP commands you're probably familiar with; the name of the service for those commands will be "Apache2".

4. Enable SSL in Apache 2.0.X
Open up conf\httpd.conf in a text editor and look for the line LoadModule ssl_module modules/mod_ssl.so and remove any pound sign (#) characters preceding it. If you don't see that line where it probably should be (among the other LoadModule lines), then your installation may not have mod_ssl.so ... can't help you there!

Also, while you're in conf\httpd.conf, make sure the following lines exist somewhere (they should if you got Apache2 from hunter):

    <IfModule mod_ssl.c>
        Include conf/ssl.conf
    </IfModule>

Create a directory under conf called ssl and copy the blarg.key and blarg.cert files there. Crack open conf\ssl.conf in a text editor and ...

• Remove the <IfDefine SSL> and matching </IfDefine> lines.
• Correct the DocumentRoot, ServerName, and ServerAdmin lines as per your needs. If you want the https version of your site to point to the same web root, make DocumentRoot match the exact value in conf/httpd.conf. The other two values will be reported by your server to any HTTPS clients, so make sure they're valid if you're doing this for public consumption.
• Finally it's time to use your self-signed certificate! The lines you'll want to change are SSLCertificateFile and SSLCertificateKeyFile, which should point to your CERT and KEY files respectively, the ones you created in step 2.

If IIS is installed, it will listen on port 443 (default for HTTPS) and drop any connections made to it. Apache2 doesn't appear to report a problem when it can't listen for SSL, so you might just see that weird dropped connection behavior. I recommend using a port besides 443 if you're running Apache2 side-by-side with IIS.

Restart the Apache2 service and voila! You got Apache2 running with SSL on Windows!
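The failure modes this walkthrough mentions (a key that is still password protected, a certificate that does not belong to the key, and a port 443 that something else already holds) can be checked before restarting the service. The PowerShell below is an added example, not part of the original tutorial; it assumes openssl.exe is on the PATH, that it is run from the Apache2 folder, that the files use the "blarg" base name, and that the Apache2 process is named Apache.exe.

```powershell
# Added example: pre-flight checks before restarting the Apache2 service.
# Assumptions: openssl.exe is on PATH, the script runs from the Apache2 folder,
# and the files use the tutorial's "blarg" base name.
param(
    [string]$Key  = 'conf\ssl\blarg.key',
    [string]$Cert = 'conf\ssl\blarg.cert',
    [int]$Port    = 443
)
$problems = @()

# 1. Apache must be given the unprotected key (blarg.key), not the PEM.
if ((Get-Content -Raw $Key) -match 'ENCRYPTED') {
    $problems += "$Key is still pass-phrase protected"
} else {
    # 2. The certificate and the key must carry the same RSA modulus.
    $keyMod  = & openssl rsa  -noout -modulus -in $Key
    $certMod = & openssl x509 -noout -modulus -in $Cert
    if (-not $keyMod -or $keyMod -ne $certMod) {
        $problems += "$Cert was not made from $Key (modulus differs)"
    }
}

# 3. Show the Common Name and expiry that HTTPS clients will be given.
& openssl x509 -noout -subject -enddate -in $Cert

# 4. Apache2 does not complain when it cannot bind the SSL port, so look
#    for an existing listener (IIS, for instance) before restarting.
$listening = netstat -ano |
    Where-Object { $_ -match ":$Port\s" -and $_ -match 'LISTENING' }
foreach ($line in $listening) {
    $procId = [int](($line.Trim() -split '\s+')[-1])
    $name   = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
    # Assumption: the tutorial's Apache2 build runs as Apache.exe.
    if ($name -notmatch '^apache') {
        $problems += "port $Port is already held by PID $procId ($name)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Key, certificate and port $Port look ready for Apache2."
```

If a different SSL port was chosen to sit beside IIS, pass it with -Port so the listener check looks at the port Apache2 will actually use.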
