To get a secure SSL site up and running on Apache under Windows, there are a few hoops to jump through that are not very intuitive. To that end, I am going to document my approach to setting up SSL using OpenSSL. This approach assumes that you already have Apache up and running on your machine, so if you have not done that, head over to the HTTPD download page and set that up before continuing.
- Setting up OpenSSL
First we need to get OpenSSL set up on our system, since it is not included with the Apache Windows binaries. In fact the OpenSSL project doesn’t even provide the binaries themselves, but you can find them at Shining Light Productions. For this example, I will be choosing the Win32 OpenSSL v0.9.8k Light version. If you see a message like the one below, you will need to install the Microsoft Visual C++ 2008 Redistributable Package and then attempt the OpenSSL installation again.
Once you have it installed, you can do a quick test to make sure that it is set up properly:
- Creating Certificates
Next, we will use the OpenSSL terminal interface to create our self-signed certificates. To explain a bit about what is going on below, I have a site already existing on my system that can be reached at http://scribble. What we are doing is creating a secure subdomain of https://secure.scribble. Typically when I create certificates, I name the files with the host/domain obvious so that they can be easily identified later. Obviously you will want to replace the domain name to match your setup, but type the following in the terminal in the OpenSSL/bin directory:
openssl req -new -out secure.scribble.csr -keyout secure.scribble.pem
That will generate what you see below.
You may notice that I left a lot of the prompts blank. Considering this is a dummy certificate in a development environment, that approach makes sense. You may choose to be more explicit based on your needs.
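If we were to use this key as it is, we would be prompted for the pass phrase every time that Apache starts. Since that is less than ideal, we will now generate a non-protected key from the one we created in the previous step. Because the resulting .key file is no longer protected by a pass phrase, restrict read access to it to the account that runs Apache. Type the following: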
openssl rsa -in secure.scribble.pem -out secure.scribble.key
You can see that I was prompted for a pass phrase. This is the same pass phrase that you created when we generated the certificate request above.
Now we need to build the certificate that we will actually import into Apache. You can do so by typing:
openssl x509 -in secure.scribble.csr -out secure.scribble.cert -req -signkey secure.scribble.key -days 1000
This will result in the following output:
You can see that we now have a .cert, .csr, .key, and .pem file for our domain. We will use a combination of the .key and the .cert
- Configuring Apache
Now we need to make sure that your Apache server is ready to serve SSL requests.
First, let’s put the .key and .cert files that we created above into a directory under Apache. In your “conf” directory, create a subdirectory named “ssl” and move secure.scribble.key and secure.scribble.cert into that new directory.
Next we need to make sure that the mod_ssl module is enabled. Open up the httpd.conf file for your Apache webserver. Search for “mod_ssl” and you should find a line that looks like this:
Yours will likely be commented out with a ‘#’ sign in front of the line. You will want to delete that ‘#’ so that it looks like the highlighted line above.
Next you will need to make sure that you have uncommented the line that includes the httpd-ssl.conf file like you see below:
The last thing we need to do is configure our site. Open up the conf/extra/httpd-ssl.conf file in an editor. You will see that there is an amazingly huge and complex site definition in there already that starts with an opening <VirtualHost> line and ends about 150 lines later with </VirtualHost>. We need to disable this site. If you are feeling bold, you can simply delete it. However, I take the approach of commenting it out entirely so that I still have it as a reference, which is my recommendation as well. Starting with the opening <VirtualHost> line, put a ‘#’ at the start of every line that doesn’t already have one and continue until you comment out the closing </VirtualHost> line.
Now it is finally time for us to create the site definition for our https://secure.scribble site. We will use some of the concepts in the example, but eliminate most of them. Here is what mine looks like after paring down all the excess:
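<VirtualHost *:443>
    DocumentRoot "C:/www/scribble"
    ServerName secure.scribble:443
    SSLEngine on
    # This cipher string starts from ALL and only removes ADH and EXPORT56,
    # so LOW, EXP and SSLv2 suites stay enabled. Use it on a development host only.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Self-signed certificate and the pass-phrase-free key created earlier
    SSLCertificateFile conf/ssl/secure.scribble.cert
    SSLCertificateKeyFile conf/ssl/secure.scribble.key
</VirtualHost>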
In that code you can see where we are pointing to the .key and .cert files that we created above.
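A tighter version of the site definition above, shown as an added example rather than the author's own configuration. It assumes Apache 2.4 with an OpenSSL build that supports TLS 1.2; the paths and host name are the ones used on this page.

```apache
# Added example (assumption: Apache 2.4 + OpenSSL with TLS 1.2 support).
<VirtualHost *:443>
    DocumentRoot "C:/www/scribble"
    ServerName secure.scribble:443

    SSLEngine on

    # Turn every protocol off, then enable TLS 1.2 only.
    # This keeps SSLv2, SSLv3, TLS 1.0 and TLS 1.1 disabled.
    SSLProtocol -all +TLSv1.2

    # Original (weak) setting, kept for comparison:
    #   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # It begins with ALL and removes only ADH and EXPORT56.
    #
    # Corrected setting: begin with HIGH only, then permanently exclude
    # ("!") unauthenticated (aNULL) and unencrypted (eNULL) suites, plus
    # MD5-based and 3DES suites.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!3DES

    # Let the server's cipher preference win over the client's.
    SSLHonorCipherOrder on

    # Same certificate and key files created earlier on this page.
    # The key has no pass phrase, so limit read access on conf/ssl
    # to the account that runs the Apache service.
    SSLCertificateFile conf/ssl/secure.scribble.cert
    SSLCertificateKeyFile conf/ssl/secure.scribble.key
</VirtualHost>
```

After editing, running httpd -t from the Apache bin directory checks the configuration syntax before you restart the service.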
Now restart your Apache server, and you are serving up your site securely!