Installing SSL

This document provides instructions for installing Apache web server with SSL encryption on Windows. It involves downloading Apache, OpenSSL, and the mod_ssl files. OpenSSL is used to generate a self-signed certificate for testing SSL. The steps include installing OpenSSL, generating a certificate request, removing the private key passphrase, creating a self-signed certificate, and configuring Apache's httpd.conf and ssl.conf files to enable SSL and point to the certificate files.


Windows + Apache 2.0 + SSL
1. Assumptions
This tutorial assumes that you already have Apache2 installed and working on a
Windows server. I have Apache 2.0.50 installed on Windows Server 2003.

2. Needed Files
Files that you will need can be downloaded from this website. These are not
necessarily the most up-to-date, but they worked for my install so I have included
them here. You will need to download both Apache_2.0.52-Openssl_0.9.7e-Win32.zip
and Openssl-0.9.7e-Win32.zip.

Unzip both of these files to separate folders.

3. Setting Up OpenSSL
Copy the files ssleay32.dll and libeay32.dll from the OpenSSL folder to
WINNT\System32. Double-check that you copied the DLLs and not the LIBs.

You also need to download openssl.cnf into the same folder where you unzipped
OpenSSL. Windows hides the .cnf extension and shows the file with a dial-up icon.
Ignore that; just make sure the file is in the right place.

Download ssl.conf and place it in the Apache2/conf directory.


4. Creating a test certificate
Open a command prompt. Navigate to where you unzipped OpenSSL.
openssl req -config openssl.cnf -new -out my-server.csr
You can replace my-server.csr with whatever you want as long as the extension is
.csr. When asked for "Common Name (eg, your websites domain name)", give the
exact domain name of your web server (e.g. www.my-server.dom). The certificate
belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this
means; my-server.key should be only readable by the apache server and the
administrator. You should delete the .rnd file because it contains the entropy
information for creating the key and could be used for cryptographic attacks against
your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a
certificate authority. (Which is optional; if you know your users, you can tell them to
install the certificate into their browsers.) Note that this certificate expires after one
year; increase -days 365 if you want it to last longer.

Create a directory named Apache2/conf/ssl in the Apache folder and move
my-server.key and my-server.cert into it.
5. Configuring Apache and mod_ssl
Open the httpd.conf file and locate the LoadModule directives. Add

LoadModule ssl_module modules/mod_ssl.so

After </IfModule> add

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none
In the VirtualHost directives add
<VirtualHost www.my-domain.com:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Open the ssl.conf file and set the correct www.my-domain.com and DocumentRoot.
Put the path to your secure content inside the quotes after DocumentRoot. So if
your secure web pages are on your D: drive, in the folder called secure, the line should
look like
DocumentRoot "D:/secure"
6. In closing...

Overview
This page describes the installation of the Win32 version of Apache with the mod_ssl
extension. The newest version should always be available from
http://tud.at/programm/apache-ssl-win32-howto.php3.

This process worked for many people on Windows NT, 98, ME, 2000 and XP; please
mail me your suggestions and bug reports. You can even install Apache with SSL in
addition to the Microsoft Internet Information Server if you need to.

Note: sometimes, there are changes between the precompiled apache distributions so
that this HOWTO is not correct anymore. In this case, if the current version does not
work for you, download an older version - one that was published before the
modification date of this HOWTO. Or, if you like adventures, try to make it run, and
mail me if you needed to change anything.

Apache with mod_ssl seems to be the only free (as in speech, not in beer) solution for
Win32. Please note that Apache on Win32 is considered beta quality as it doesn't
reach the stability and performance of Apache on Un*x platforms.

1.: Installing Apache

Get the Win32 version of the Apache web server from one of the mirrors. It is called
something like apache_x_y_z_win32.exe. This is a self-extracting archive that contains
the Apache base system and sample configuration files.

Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on modssl.org,
you cannot expect it to work with 2.0.x.
Install Apache as described in http://www.apache.org/docs/windows.html.

For Linux, to install Apache 2.0.42 with mod_ssl installed, I performed the following
steps:

I used http://httpd.apache.org/docs-2.0/install.html as a reference.

$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz
$ gzip -d httpd-2.0.42.tar.gz
$ tar xvf httpd-2.0.42.tar
$ cd httpd-2.0.42
$ ./configure --enable-mods-shared=most --enable-ssl=shared
$ make
$ make install

If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so
from http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so.
After downloading, put this file into your modules directory and rename it mod_jk.so.

Note: You can skip this step and get a full Apache+SSL distribution from modssl.org,
as described below. There will be no fancy installation program but you won't need to
overwrite the stock Apache files. This is the better way if you are experienced and
don't fear editing configuration files (which you will need to do anyway).

Change at least the following parameters in Apache-dir/conf/httpd.conf:

[Replace all occurrences of www.my-server.dom with the real domain name!]

• Port 80 to # Port 80 (comment it out; Port is not necessary, Listen overrides it later)
• (if not in addition to IIS) Listen 80
• ServerName www.my-server.dom
• (if in addition to IIS) DocumentRoot and the corresponding <Directory some-dir> to
  your Inetpub\wwwroot

Install the Apache service (NT only) and start the server. Verify that everything works
before proceeding to the SSL installation because this limits the possible errors.

Try http://www.my-server.dom:443/. It won't be encrypted yet but if this works then
the port configuration (port 443) is right.

2.: Getting OpenSSL and mod_ssl


If you want to compile the mod_ssl.so module, you can use the latest sources,
available at http://www.modssl.org/contrib/ftp/source/ for Apache 1.3.x and included
in the Apache HTTP server sources, accessible as a CVS code repository (see the
instructions at http://httpd.apache.org/dev/anoncvs.txt), for Apache 2.0.x.
For Windows, the precompiled module is available at http://hunter.campbus.com/
(where you will find Apache 1.3 and 2.0 binaries with the corresponding
mod_ssl.so module versions included), while binaries for Linux are included in the
major Linux distributions. The Apache Software Foundation makes a point of not offering
compiled binaries for the SSL module, due to the US export regulations for
cryptographic software. Don't ask for binaries if they are not available
at the locations indicated here. Various ISVs provide free binaries for this module
in projects such as the NuSphere Technology Platform, Apache-SSL etc.

OpenSSL is required for getting a certificate to use with your web server. You may
download its sources and compile it from http://www.openssl.org/source/. Compiled
binaries are available at http://gnuwin32.sourceforge.net/packages/openssl.htm for
Windows and are included in major Linux distributions.

OpenSSL for Windows might also be obtained by downloading and installing Cygwin
from http://www.cygwin.com.

Put the files ssleay32.dll and libeay32.dll from the Apache/modssl distribution
directory to WINNT\System32 (or in another folder mentioned in the PATH
environment variable). This is important! About 70 % of the e-mails I receive are
because people forget to do this.

3.: Creating a test certificate


The following instructions are adapted from http://www.apache-ssl.org/#FAQ.

Open a shell window (Command Prompt in Windows) and change the current
directory to the directory where you have the openssl.exe file (openssl file for Linux).

openssl req -config openssl.cnf -new -out server.csr


This creates a certificate signing request (server.csr) and a private key
(privkey.pem), using the configuration file (openssl.cnf) provided with the binary
distribution of OpenSSL or with Cygwin, which makes OpenSSL prompt for each
detail of the certificate. When asked for "Common Name (eg, your websites domain
name)", give the exact domain name of your web server (e.g. www.my-server.dom).
The certificate belongs to this server name and browsers complain if the name
doesn't match.

If you don't provide a config file, OpenSSL will try to use the file specified by the
OPENSSL_CONF environment variable. This variable is usually not defined, and
if you follow the instructions from the original tutorial (linked at the top of this
page), which does not use the -config switch, you will get an error about
"distinguished name". (Thanks to Olivier Gambier for clearing up this problem, using
information from http://www.openssl.org/docs/apps/req.html.)

On a Windows system, files with the cnf extension are treated as special files (of type
SpeedDial): Windows Explorer will not display the extension, regardless of display
settings, and the file has a heavily modified context menu that might prevent you
from editing it and might mislead you into believing you don't have the file. Just look
for a SpeedDial-type file displayed simply as openssl.

openssl rsa -in privkey.pem -out server.key


This removes the passphrase from the private key. You MUST understand what this
means; server.key should be only readable by the Apache server and the
administrator.
You should delete the .rnd file because it contains the entropy information for
creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a
certificate authority. (Which is optional; if you know your users, you can tell them to
install the certificate into their browsers.) Note that this certificate expires after one
year; increase -days 365 if you want it to last longer.

If you have users with MS Internet Explorer 4.0+ and want them to be able to install
the certificate into their certificate storage (by downloading and opening it), you need
to create a DER-encoded version of the certificate:
openssl x509 -in server.crt -out server.der.crt -outform DER

Create an Apache/conf/ssl directory and move server.key and server.crt into
it. For Linux create two directories: ssl.key and ssl.crt. Move server.crt into
ssl.crt and move server.key into ssl.key.

Note: The default pass phrase shipped with openssl.cnf is aaaa.
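
The certificate steps above (both the Windows walk-through in section 4 and this section), scripted with the checks to run before handing the files to Apache, as an added example that is not part of this HOWTO. It assumes the openssl command-line tool is on PATH and uses the -newkey, -nodes and -subj options so that no prompts and no openssl.cnf are needed (-nodes writes the key without a passphrase, which is what the separate "openssl rsa" step achieves); www.my-server.dom is the HOWTO's placeholder name. The checks are the ones a mismatched or world-readable key would fail: the certificate and key share the same RSA modulus, the Common Name is the one browsers will use, the key is readable by its owner only, and the certificate has enough validity left.

```shell
#!/bin/sh
# Added example, not part of the HOWTO. Assumes the openssl command-line tool is on PATH.
# www.my-server.dom is the HOWTO's placeholder hostname (constructed; replace it).

# make_test_cert DIR COMMON_NAME DAYS
# Writes DIR/server.key (no passphrase), DIR/server.csr, DIR/server.crt (self-signed)
# and DIR/server.der.crt (DER copy for browser import), then locks down the key.
make_test_cert() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir" || return 1
    # Key and CSR in one step. -nodes writes the key unencrypted, which is what the
    # HOWTO's separate "openssl rsa -in privkey.pem -out server.key" step achieves.
    # -subj supplies the Distinguished Name, so nothing is prompted for.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" 2>/dev/null || return 1
    # Self-sign the request with its own key for DAYS days.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.crt" 2>/dev/null || return 1
    # DER copy, as in the HOWTO's Internet Explorer note.
    openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/server.der.crt" || return 1
    # An unencrypted key must be readable by its owner only.
    chmod 600 "$dir/server.key" || return 1
    # Remove the RNG state file the HOWTO says to delete, if one was written.
    rm -f "$dir/.rnd" ./.rnd
}

# cert_matches_key CERT KEY: true only if the certificate was issued for this key
# (identical RSA modulus). Catches a mismatched SSLCertificateFile/SSLCertificateKeyFile pair.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: print the Common Name; it must equal the name browsers will use.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed 's/.*CN=//; s/,.*//'
}

# cert_valid_for_days CERT DAYS: true if the certificate does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# key_is_private KEY: true if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo run in a temporary directory.
demo=$(mktemp -d)
if make_test_cert "$demo" www.my-server.dom 365; then
    echo "issued to: $(cert_cn "$demo/server.crt")"
    cert_matches_key "$demo/server.crt" "$demo/server.key" && echo "key and certificate match"
    key_is_private "$demo/server.key" && echo "key is owner-readable only"
    cert_valid_for_days "$demo/server.crt" 300 && echo "valid for at least 300 more days"
fi
```

Run it from the directory where the files should end up, then copy server.crt and server.key into Apache/conf/ssl as the HOWTO describes; cert_matches_key is also worth running against whatever pair you later receive from a certificate authority.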

4.: Configuring Apache and mod_ssl


Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl
distribution over your original Apache installation directory (remember to stop
Apache first and DO NOT overwrite your edited config files etc.!).

Find the LoadModule directives in your httpd.conf file and add this after the
existing ones, according to the file you have found in the distribution:

LoadModule ssl_module modules/ApacheModuleSSL.dll

or

LoadModule ssl_module modules/ApacheModuleSSL.so

or, in newer versions,

LoadModule ssl_module modules/mod_ssl.so

(Use this for 2.0.42 on Windows; on Linux, this is done for you when you compile
with --enable-ssl=shared.)

In newer versions of the distribution for Apache 1.x, it could also be necessary to add

AddModule mod_ssl.c

after the AddModule lines that are already in the config file.

Copy ssl.conf from the OpenSSL distribution to Apache/conf/. For Windows, you
can download it from http://www.raibledesigns.com/tomcat/ssl.conf (right click ->
Save Target As...). Make sure to change the DocumentRoot and ServerName values
on lines 93 and 94.

Add the following to the end of httpd.conf:

# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

ErrorLog logs/ssl.log
LogLevel info
# You can later change "info" to "warn" if everything is OK

<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>

Don't forget to call apache with -D SSL if the IfDefine directive is active in the
config file! In other words, either start Apache from the command line with -D SSL or
comment out the IfDefine start/end tags in ssl.conf.

NOTE: When using SSL with multiple Virtual Hosts, you must use an IP-based
configuration. This is because SSL requires you to configure a specific port (443),
whereas name-based specifies all ports (*). You might get the following error if you try
to mix name-based virtual hosts with SSL.

[error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
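
A check for exactly this mistake, as an added example that is not part of the HOWTO: it scans an httpd.conf for NameVirtualHost and <VirtualHost> addresses and reports any NameVirtualHost address that is used both with a wildcard port and with a fixed port such as 443, which is the condition behind the error above. It assumes IPv4 or hostname addresses (no bracketed IPv6) and treats _default_ as the same wildcard address as *; the sample configuration in the block is constructed.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: detect the name-based / port-based mix that
# produces "mixing * ports and non-* ports with a NameVirtualHost address".
# Assumes IPv4 or hostname addresses (no IPv6 brackets) and that _default_ is the
# same wildcard address as *. The sample config below is constructed.

# lint_vhosts FILE: exit 0 if every NameVirtualHost address is used consistently,
# exit 1 (with a message) if one address mixes wildcard and fixed ports.
lint_vhosts() {
    awk '
    # "addr", "addr:port", "_default_:443", "*" -> canonical "addr:port"
    function norm(s) {
        sub(/>.*$/, "", s)                       # strip the closing ">" of <VirtualHost ...>
        if (index(s, ":") == 0) s = s ":*"       # no port means every port
        sub(/^_default_:/, "*:", s)              # _default_ is the wildcard address
        return s
    }
    # count the spec under its address as a wildcard-port or fixed-port use
    function tally(spec,   n, addr, port) {
        n = index(spec, ":"); addr = substr(spec, 1, n - 1); port = substr(spec, n + 1)
        if (port == "*") star[addr]++; else fixed[addr]++
        return addr
    }
    /^[ \t]*NameVirtualHost[ \t]/ { nvh[tally(norm($2))] = 1 }
    /^[ \t]*<VirtualHost[ \t]/    { tally(norm($2)) }
    END {
        bad = 0
        for (a in nvh) if (star[a] && fixed[a]) {
            printf "address %s: NameVirtualHost mixes * ports and fixed ports; use an IP-based <VirtualHost addr:443> for SSL\n", a
            bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample reproducing the mistake the HOWTO warns about.
sample=$(mktemp)
cat > "$sample" <<'EOF'
NameVirtualHost *
<VirtualHost *>
    ServerName www.my-server.dom
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine On
</VirtualHost>
EOF
lint_vhosts "$sample" || echo "fix httpd.conf before starting Apache"
rm -f "$sample"
```

Run lint_vhosts conf/httpd.conf (and conf/ssl.conf, if the VirtualHost for port 443 lives there) before starting the server; a clean run is no guarantee of a working configuration, but a reported address will reproduce the error above every time.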

You might need to use regedit to change the key
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the
correct number if the apache.exe from modssl.org/contrib is not the same version
as the previously installed one. (This seems not to be necessary with recent versions.)

Start the server, this time from the command prompt (not as a service) in order to see
the error messages that prevent Apache from starting. If everything is OK,
(optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into
the error.log and SSL.log files in the Apache/logs directory.

If something doesn't work, set all LogLevels to the maximum and look into the
logfiles. They are very helpful.

DON'T e-mail me or the other contributors without having plain Apache installed
(Step 1). We will ignore your request; we are not the Free Apache Helpdesk and there
is enough good documentation on configuring Apache; if that is not enough for you,
you shouldn't run a secure server anyway. Also, DON'T e-mail without having looked
into the error.log and SSL.log with LogLevel set to Debug.

Debugging connect problems


Problems connecting to the server with a browser can have many reasons, many of
them on the client (proxy, DNS, general IE dumbness).

So, if you encounter problems connecting with SSL, try another browser and/or look
into the settings. If even this doesn't work, you can use OpenSSL to debug the
problem.

bb@www$ openssl s_client -connect no-such-machine:443
gethostbyname failure    # Error resolving this DNS name. Connect with the IP address.
connect:errno=2

bb@www$ openssl s_client -connect www1.tud.at:443
connect: Connection refused
connect:errno=111
# No SSL server on this port. Double-check the Listen and Port directives.

bb@www$ openssl s_client -connect apcenter.apcinteractive.net:443
# everything OK. OpenSSL shows the information it obtained from the server.

CONNECTED(00000003)
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify return:1
---
Certificate chain
 0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
   i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
Server certificate
---BEGIN CERTIFICATE---
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
[...]
9ucXUnk=
---END CERTIFICATE---
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1281 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
    Session-ID-ctx:
    Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
    Key-Arg   : None
    Start Time: 980696025
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Enter:

GET / HTTP/1.0

and press RETURN twice.

HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: 0
Pragma: no-cache
X-Powered-By: PHP/4.0.4
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
# the server shows its main document
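
The three outcomes shown above (name does not resolve, nothing listening, handshake with a self-signed certificate), turned into a small triage helper, as an added example that is not part of the HOWTO. It matches on the text s_client prints: the HOWTO's own gethostbyname failure, Connection refused and verify error:num=18 lines, plus two strings that are assumptions about current systems, glibc's "Name or service not known" for a resolver failure and OpenSSL's "wrong version number" for a port that answers with plain HTTP instead of a handshake (what you see when Apache was started without -D SSL). The sample outputs in the test are constructed from the lines above; probe_tls wraps a live run and assumes openssl on PATH.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: classify "openssl s_client" output the way the
# debugging section above does, so the same checks can be scripted.
# Strings other than those printed in the HOWTO ("Name or service not known",
# "wrong version number") are assumptions about current glibc/OpenSSL versions.

# classify_s_client: reads s_client output on stdin, prints "class: advice".
classify_s_client() {
    out=$(cat)
    case $out in
        # Resolver failure: the HOWTO's gethostbyname text, or getaddrinfo's wording.
        *"gethostbyname failure"*|*"Name or service not known"*)
            echo "dns: hostname did not resolve; connect with the IP address instead" ;;
        *"Connection refused"*)
            echo "refused: nothing listens on that port; double-check the Listen and Port directives" ;;
        # The port answered with plain HTTP rather than a TLS handshake
        # (e.g. Apache started without -D SSL while <IfDefine SSL> is active in ssl.conf).
        *"wrong version number"*)
            echo "not_tls: the port is open but not speaking SSL; check SSLEngine On and -D SSL" ;;
        # num=18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: expected for the test certificate.
        *"verify error:num=18"*|*"self signed certificate"*)
            echo "self_signed: handshake works; browsers will warn until a CA-signed certificate is installed" ;;
        *"Verify return code: 0 (ok)"*)
            echo "ok: handshake and certificate chain verified" ;;
        *)
            echo "unknown: read the full output and the Apache error.log / SSL.log" ;;
    esac
}

# s_client_class: the class word only, for use in scripts.
s_client_class() {
    classify_s_client | sed 's/:.*//'
}

# probe_tls HOST [PORT]: run s_client against a live server and classify the result.
# -servername sends the host name in the handshake, as browsers do.
probe_tls() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>&1 |
        classify_s_client
}

# Demo with a constructed copy of the HOWTO's "Connection refused" output.
printf 'connect: Connection refused\nconnect:errno=111\n' | classify_s_client
```

Use probe_tls www.my-server.dom, or pipe a saved s_client transcript into classify_s_client; a result of self_signed is the expected state after section 3, and not_tls is the one to look at first when the browser reports a protocol error rather than a certificate warning.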
