A newer and hopefully more often updated version of this
HOWTO which also covers Apache 2 is available from http://raibledesigns.com/tomcat/ssl-howto.html.
Overview
This page describes the installation of the Win32 version of Apache with the mod_ssl extension. The newest version should always be available from http://tud.at/programm/apache-ssl-win32-howto.php3.
This process worked for many people on Windows NT, 98, ME, 2000 and XP.
1.: Installing Apache
Get the Win32 version of the Apache web server from one of the mirrors. It is called something like apache_x_y_z_win32.exe. This is a self-extracting archive that contains the Apache base system and sample configuration files.
Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on modssl.org, you cannot expect it to work with 2.0.x.
Install Apache as described in http://www.apache.org/docs/windows.html.
Note: You can skip this step and get a full Apache+SSL distribution from modssl.org, as described below. There will be no fancy installation program but you won't need to overwrite the stock Apache files. This is the better way if you are experienced and don't fear editing configuration files (which you will need to do anyway).
Change at least the following parameters in Apache-dir/conf/httpd.conf (replace all occurrences of www.my-server.dom with the real domain name!):

  Port 80                      -> # Port 80  (comment it out; Port is not necessary, Listen overrides it later)
  (add)                        -> Listen 80  (if not in addition to IIS)
  (add)                        -> Listen 443  (so your server listens on the standard SSL port)
  ServerName                   -> ServerName www.my-server.dom
  DocumentRoot and the corresponding <Directory some-dir>  -> your Inetpub\wwwroot  (if in addition to IIS)
Install the Apache service (NT/2000 only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Try http://www.my-server.dom:443/. It won't be encrypted yet but if this works then the port configuration (port 443) is right.
2.: Getting OpenSSL and mod_ssl
Go to http://www.modssl.org/contrib/ or http://hunter.campbus.com/ and find a file called like Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip. Download and unzip it to a new directory. If you need the newest version, you will have to compile it yourself if it is not there. Don't ask me about it; I don't have it, I don't compile the versions on modssl.org, and I don't have access to development tools on Win32.
Copy the files ssleay32.dll and libeay32.dll from the Apache/modssl distribution directory to WINNT\System32. This is important! About 70 % of the e-mails I receive are because people forget to do this. If you don't find those files or openssl.exe in the apache zip, get a file called like openssl-version-win32.zip from one of the download sites.
You'll need a config file for OpenSSL.exe. Here is one (right-click on it and "Save as..."). (There is an openssl.cnf in the distribution with different wording of some questions, but it should do it, too.) Copy it to the directory openssl.exe is in. (This is a normal text file. It is really called openssl.cnf; however, some Windows versions insist on hiding the extension from you. You can edit it with Windows notepad or a good editor, but it shouldn't be necessary.)
3.: Creating a test certificate
The following instructions are from http://www.apache-ssl.org/#FAQ.

openssl req -config openssl.cnf -new -out my-server.csr

This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key. You MUST understand what this means: anyone who can read the unencrypted my-server.key can impersonate your server, so it should be readable only by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:

openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.

4.: Configuring Apache and mod_ssl
Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first and DO NOT overwrite your edited config files etc.!).
Find the LoadModule directives in your httpd.conf file and add this after the existing ones, according to the file you have found in the distribution:

LoadModule ssl_module modules/ApacheModuleSSL.dll

or

LoadModule ssl_module modules/ApacheModuleSSL.so

or, in newer versions,

LoadModule ssl_module modules/mod_ssl.so

In newer versions of the distribution, it could also be necessary to add

AddModule mod_ssl.c

after the AddModule lines that are already in the config file.
Add the following to the end of httpd.conf:

# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK
<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file!
You might need to use regedit to change the key HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the correct number if the apache.exe from modssl.org/contrib is not the same version as the previously installed one. (This seems not to be necessary with recent versions.)
Also, if you use IfDefine directives and start apache as a service, you need to edit the apache command line in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2) (I haven't tried this).
Start the server, this time from the command prompt (not as a service) in order to see the error messages that prevent Apache from starting. If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into the error.log and SSL.log files in the Apache/logs directory.
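Many of those error messages come from one of the directives above being missing or still commented out. As an added example (not part of the HOWTO), this script checks an httpd.conf for exactly those points before the first start: Port commented out, Listen 443, LoadModule ssl_module, the :443 virtual host with SSLEngine On, the certificate and key files present under ServerRoot, and a reminder about -D SSL when IfDefine SSL is used; it assumes a Unix-like shell with sed, grep and awk.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: a pre-flight check of httpd.conf for
# the directives sections 1 and 4 ask for, so that an omission shows up
# before the first start instead of only in error.log or SSL.log.
# Usage: sh check-ssl-conf.sh Apache-dir/conf/httpd.conf
set -u

# Directives with comments and blank lines removed ('#' disables a directive).
active_directives() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# check_httpd_conf FILE: 0 if every required directive is present, else 1.
check_httpd_conf() {
    conf=$1; rc=0
    act=$(active_directives "$conf")
    # Relative paths in httpd.conf resolve against ServerRoot, the parent of conf/.
    root=$(dirname "$(dirname "$conf")")
    has() { printf '%s\n' "$act" | grep -qi "^[[:space:]]*$1"; }

    has 'Port[[:space:]]' && echo "WARN: Port is active; comment it out, Listen overrides it anyway"
    has 'Listen[[:space:]]*443' || { echo "FAIL: no 'Listen 443', nothing answers on the SSL port"; rc=1; }
    has 'LoadModule[[:space:]]*ssl_module' || { echo "FAIL: LoadModule ssl_module missing"; rc=1; }
    has '<VirtualHost[[:space:]]*[^ >]*:443>' || { echo "FAIL: no <VirtualHost ...:443>"; rc=1; }
    has 'SSLEngine[[:space:]]*On' || { echo "FAIL: SSLEngine On missing"; rc=1; }
    has 'SSLLogLevel' || echo "WARN: no SSLLogLevel; keep it at info while testing"
    has '<IfDefine[[:space:]]*SSL>' && echo "NOTE: <IfDefine SSL> present: start apache with -D SSL (the service too)"

    # The certificate and key must exist where the directives point (conf/ssl).
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        f=$(printf '%s\n' "$act" | awk -v want="$directive" 'tolower($1)==tolower(want){print $2; exit}')
        if [ -z "$f" ]; then echo "FAIL: $directive missing"; rc=1
        elif [ ! -f "$root/$f" ]; then echo "FAIL: $directive points to $root/$f, which does not exist"; rc=1
        fi
    done
    return $rc
}

if [ "$#" -ge 1 ]; then check_httpd_conf "$1" && echo "OK: $1 looks ready for mod_ssl"; fi
```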
If something doesn't work, set all LogLevels to the maximum and look into the logfiles. They are very helpful.

Links
Apache Web Server: http://www.apache.org
mod_ssl: http://www.modssl.org
mod_ssl configuration: http://www.modssl.org/docs/2.8/ssl_reference.html
OpenSSL: http://www.openssl.org
PHP Hypertext preprocessor: http://www.php.net