Rubayat Hasan

Software Development, Music, Web Design, life, thoughts…

 
 
Apr 2, 2010

Setting up Apache HTTPS/SSL on Windows

by Rubayat
posted in Tutorial

I am assuming that you already have Apache2 installed and working on a Windows server.

For SSL/HTTPS to work you need to download and set up the Win32 binary that includes OpenSSL, "httpd/apache_x.x.x-win32-x86-openssl-x.x.x.msi", on your Windows server.

If you now have a regular HTTP server working, follow the guide below to set up HTTPS.

Setting up HTTPS on a Windows Server:

  • Creating a self-signed SSL Certificate using OpenSSL:

    Open the command prompt and cd to your Apache installation's "bin" directory. Usually it would be:

    cd "C:\Program Files\Apache Software Foundation\Apache2.2\bin"

    To create the SSL certificate we need the location of the openssl.cnf file, but the default location OpenSSL uses for this file is set up for a Linux distribution, so we need to fix it for Windows.

    We need to set the Windows environment variable OPENSSL_CONF to point to the openssl.cnf file. It is usually located at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf".

    We can set it with the following command or through the GUI:

    set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf

    All files generated by the following commands will reside in the "C:\Program Files\Apache Software Foundation\Apache2.2\bin" folder.

    Now that we have the environment variable set, we need to create a new OpenSSL certificate request using the following command, which also writes a new private key to privkey.pem:

    openssl req -new -out server.csr

    It will ask you some questions; you can safely ignore most of them and just answer the following:
    PEM pass phrase: Password associated with the private key you're generating (anything of your choice).
    Common Name: The fully-qualified domain name associated with this certificate (e.g. www.your-domain.com).

    Now we need to remove the passphrase from the private key. The file "server.key" created by the following command should be readable only by the Apache server and the administrator. You should also delete the .rnd file, because it contains the entropy information used to create the key and could be used for cryptographic attacks against your private key.

    openssl rsa -in privkey.pem -out server.key

    Now we create the certificate and set its expiry date. It can be any period of your choice; we use 365 days below:

    openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365

    The self-signed SSL certificate is ready now. We need to MOVE the "server.cert" and "server.key" files to the "C:\Program Files\Apache Software Foundation\Apache2.2\conf" location.

  • Configuring Apache to run SSL/HTTPS server:

    Now that we have the Self-signed SSL certificate ready, all we need is to configure Apache to start the SSL server.

    First we modify the "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf" file.

    Open up conf\httpd.conf in a text editor and look for the following two lines. Remove any pound sign (#) characters preceding each of them:

    LoadModule ssl_module modules/mod_ssl.so

    Include conf/extra/httpd-ssl.conf

    Now we need to modify "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf". Leave all the default options as they are, but make sure to modify the following section according to your needs:

    <VirtualHost _default_:443>
        ServerAdmin some@email.com
        DocumentRoot "Your Root folder location"
        ServerName www.domain.com:443
        # ServerAlias takes bare host names, without a port
        ServerAlias domain.com
        ErrorLog "logs/anyFile-error.log"
        CustomLog "logs/anyFile-access.log" common
        SSLEngine on
        SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.cert"
        SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
    </VirtualHost>

    Make sure that "SSLCertificateFile" and "SSLCertificateKeyFile" point to the actual locations of the two files.

    For better organization you can also put the whole <VirtualHost></VirtualHost> section in "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-vhosts.conf" along with your other virtual host settings, but you need to uncomment "Include conf/extra/httpd-vhosts.conf" in your conf\httpd.conf file to use that.

  • Opening SSL/HTTPS port on Windows:

    Now we need to open an exception in Windows Firewall for TCP port 443. You can do that by going to “Windows Firewall” settings in Control Panel and adding a port in the exception section.

Well, that was long and painful, but now restart the server and everything should work fine.
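
The batch file below is an added example, not part of the original post: it checks that the certificate and key from the steps above are in place and belong together, restricts access to server.key, and asks Apache to validate its configuration before you restart. It assumes the default install path used in this guide and that the Apache service runs as LocalSystem; the file name check-ssl.bat is hypothetical.

```batch
@echo off
rem check-ssl.bat (hypothetical name): added example, not from the original post.
rem Assumes the default install path from this guide and that the Apache
rem service runs as LocalSystem. Run from an elevated command prompt.
setlocal
set "APACHE=C:\Program Files\Apache Software Foundation\Apache2.2"
set "OPENSSL_CONF=%APACHE%\conf\openssl.cnf"
set "CERT=%APACHE%\conf\server.cert"
set "KEY=%APACHE%\conf\server.key"
cd /d "%APACHE%\bin" || goto :fail

rem 1. Both files must exist under the exact names httpd-ssl.conf refers to
rem    (server.cert in this guide, not server.crt).
if not exist "%CERT%" goto :missing
if not exist "%KEY%" goto :missing

rem 2. The certificate must have been made from this private key: the RSA
rem    modulus printed for each has to be identical.
for /f "delims=" %%m in ('openssl x509 -noout -modulus -in "%CERT%"') do set "CERT_MOD=%%m"
for /f "delims=" %%m in ('openssl rsa -noout -modulus -in "%KEY%"') do set "KEY_MOD=%%m"
if not defined CERT_MOD goto :mismatch
if not "%CERT_MOD%"=="%KEY_MOD%" goto :mismatch

rem 3. Show who the certificate is for and when it expires.
openssl x509 -noout -subject -enddate -in "%CERT%"

rem 4. Leave the unencrypted key accessible only to Administrators and SYSTEM.
rem    Well-known SIDs avoid localized group names; /inheritance needs
rem    Windows Vista / Server 2008 or later.
icacls "%KEY%" /inheritance:r /grant:r *S-1-5-32-544:F /grant:r *S-1-5-18:R || goto :fail

rem 5. Have Apache parse httpd.conf and httpd-ssl.conf without starting.
httpd.exe -t || goto :fail
echo All checks passed. Restart Apache and browse to https://, not http://.
exit /b 0

:missing
echo server.cert or server.key is not in "%APACHE%\conf".
goto :fail
:mismatch
echo server.key does not match server.cert; regenerate both.
:fail
echo Check failed.
exit /b 1
```

If the configuration has a syntax error, httpd.exe -t prints the file and line where it occurs, which is more to go on than the message shown when the Windows service fails to start.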

Please feel free to leave comments if this guide helped.


23 Responses to “Setting up Apache HTTPS/SSL on Windows”

 
 
  •  
    Firdi Says: 
    December 18th, 2011 at 12:39 pm

    hi,

    please change:

    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

    instead

    openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365

     
  •  
    Preston Says: 
    August 18th, 2011 at 1:42 pm

    Really good guide. Thank you very much for posting this.

     
  •  
    ofem Says: 
    August 11th, 2011 at 3:40 am

    where are the files located after this guide ? can’t find them.

     
  •  
    jack Says: 
    July 28th, 2011 at 7:01 am

    Today I have downloaded http://www.fightrice.com/mirrors/apache//httpd/binaries/win32/httpd-2.2.19-win32-x86-openssl-0.9.8r.msi file on Windows 2008 RC2 64-bit. Installed the file and Apache default web page on http is working fine.

    Configuring all this settings and starting Apache Windows service and I get error: “Windows could not start the Apache2.2 on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.”

    I have looked into System Event Log and there is message: “The Apache2.2 service terminated with service-specific error Incorrect function.”

    I have looked at Apache \log\ folder and there are no files in this folder (I have deleted all files from this log folder before starting Apache).

    Any idea what could be wrong?

     
  •  
    Olivier Says: 
    July 5th, 2011 at 3:56 am

    Great tutorial. But I had to replace :

    SSLCertificateFile “F:/Bin/Apache Software Foundation/Apache2.2/conf/server.crt”

    by :

    SSLCertificateFile “F:/Bin/Apache Software Foundation/Apache2.2/conf/server.cert”

    (.cert instead of .crt) in httpd-ssl.conf to make it work.

     
  •  
    Eugen Says: 
    July 1st, 2011 at 5:17 am

    Many Thanks,
    Your doku is very precise.
    Only one detail:
    In conf/extra/httpd-ssl.conf we have SSLMutex to set to default like beneath.

    SSLMutex default

     
  •  
    RAJAT SHUVRA ROY Says: 
    June 15th, 2011 at 2:38 am

    thnx a lot 4 ur kind info but the command “C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf” is not working…the command is saying that… the path is wrong..

     
  •  
    RAJAT SHUVRA ROY Says: 
    June 15th, 2011 at 2:23 am

    really,i was much confused before ur suggestion…thnx u.

     
  •  
    mjb Says: 
    May 26th, 2011 at 2:23 pm

    Be aware on Win 64, you must uncomment the OTHER SSLSessionCache for things to work. The default SSLSessionCache setting will fail with a spurious “values must be > 8192)”

     
  •  
    David Says: 
    May 12th, 2011 at 7:27 am

    Hi

    Thanks a lot for the help on this especially on pointing to the openssl.cnf in command prompt.

    I still have a big problem, after doing all this, I restart my server and it says: “The requested operation has failed”. Do note that I installed the following file for Apache: httpd-2.2.17-win32-x86-openssl-0.9.8o.msi.

    What can be the problem?

     
  •  
    Deb Z Says: 
    May 10th, 2011 at 3:24 pm

    It’s been a bit of time, yet still your directions are great. I’ve just downloaded the WampServer, and was having the error “ordinal 924 could not be located in the dynamic link library LIBEAY32.dll” when trying to generate the new certificate request. I replace the openssl.exe, libeay32.dll, and ssleay32.dll from an older version of PHP (i.e., version 5.2.17-Win32), and the command “magically” worked. (Think it may have to do with the setup - or lack thereof - of my machine.) From there on, it was clear sailing.

     
  •  
    mnutsch Says: 
    March 3rd, 2011 at 12:20 am

    Rubayat,

    This tutorial was immensely helpful. Thank you for writing it.

     
  •  
    pranav Says: 
    January 31st, 2011 at 2:12 pm

    Great article! Thanks!

     
  •  
    lwpro2 Says: 
    October 25th, 2010 at 1:19 am

    instead of
    “set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf”,
    we can specify the configuration file location by using “openssl req -config openssl.conf -new -out ./sss/blarg.csr -keyout ./ssl/blarg.pem”.

    and all is about generating certificate file and config httpd.conf to load the module and know where is the certificate. cheers.

     
  •  
    YC Says: 
    October 9th, 2010 at 6:39 pm

    Hi Rubayat…

    I have a question here…. About the openssl.cnf file. We need to change all the directories in that file manually if we implement it in Windows?

     
    •  
      Rubayat Says: 
      October 11th, 2010 at 2:42 pm

      Hi,

      We are not changing anything in that file. All we are doing is setting the Windows environment variable properly to point to that file's location.

       
  •  
    nanda Says: 
    October 6th, 2010 at 10:18 pm

    what i’ve missed?
    after follow the steps, and i restart the apache
    then i open http://www.my-website.com is still doing nothing!, only ‘the page cannot display’

    please help me

     
  •  
    Pris Says: 
    June 13th, 2010 at 5:51 pm

    Thank you so much for getting me back on track. I think it was removing the passphrase that tripped me up!

     
  •  
    Anshul Says: 
    April 29th, 2010 at 7:08 pm

    Hi Rubiyat,

    Is it possible to specify 2 server certificates for within tag. The server certificate on my proxy server is expiring and before it expires i need to install a new certificate. I was wondering whether it was possible to have 2 certificates for the same ip address and domain specified in the vHosts configuration.

    Any help in this regard would be greatly appreciated.

     
    •  
      Rubayat Says: 
      April 30th, 2010 at 1:42 am

      So you want to use 2 SSL certificates on one vHost configuration for one domain? That's probably not going to work.

      Logically there will be no way for the server to know which certificate is the one to serve for a particular domain.

      Why can’t you just link the new certificate when the old one expires?

       
  •  
    Robert Says: 
    April 19th, 2010 at 7:28 pm

    Great guide, Rubayat!

     
 
 

This entry was posted on Friday, April 2nd, 2010 at 11:44 pm and is filed under Tutorial.
 
