The odyssey to a secure server

This document describes the steps to install SSL on an Apache 2.0.42 webserver running on Windows 2000. There are several how-tos on the web, but I have found that none of them includes everything that is necessary, or that they have steps in the wrong order, making it very hard for the inexperienced webmaster to figure out what to do. So this document might be redundant, but I hope it will help new webmasters get SSL running. I will include links to the referenced documents wherever possible.

Note: I used Apache version 2.0.42 and OpenSSL version 0.9.6g. The files used here probably won't work with later versions of Apache. For sure they won't work with earlier versions!

23.10.2002:

The same files are now available for Apache 2.0.43. Simply go to http://hunter.campbus.com and download the distribution with the right version number, then follow these steps.

11.04.2003:

The site http://hunter.campbus.com now has version 2.0.45 with OpenSSL 0.9.7a available. I have noticed that the directories bin, lib and modules have somewhat different content and that there is a new directory, include; whoever installs the new version (recommended) can simply unpack and copy the whole directory in question. Since version 2.0.42 the modules are compatible between versions, so there are no problems.

Please read this document carefully when following it step-by-step.


Needed files

(you might as well download them right now)

Conventions (or: what am I talking about?)

Apache-Dir: The directory where your Apache is installed, e.g. "C:\Program Files\Apache Group\Apache2".
Archive: The archive of Apache with OpenSSL in needed files that you downloaded.
WebRoot: Where your webpages are kept.


Configure Apache part 1

Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.

Change at least the following parameters in "Apache-Dir/conf/httpd.conf":

Install and start the Apache service. Verify that everything works before proceeding to the SSL installation, so that any later error can only come from the SSL part.

Getting mod_ssl

Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.

From the "bin" directory in the Archive, copy the files "ssleay32.dll" and "libeay32.dll" to the directory "WINNT/system32" on your webserver. Copy the file "openssl.exe" to the "Apache-Dir\bin" directory of your webserver.

Put the configuration file for OpenSSL in the "Apache-Dir\bin" directory on your webserver.

Create a test-certificate

Taken from http://tud.at/programm/apache-ssl-win32-howto.php3.

Open a DOS prompt and go to the "Apache-Dir\bin" directory.

  1. Type
    "openssl req -config openssl.cnf -new -out my-server.csr".
    This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
  2. Type
    "openssl rsa -in privkey.pem -out my-server.key".
    This removes the passphrase from the private key. You MUST understand what this means: "my-server.key" should be readable only by the Apache server and the administrator. If it exists, you should delete the ".rnd" file, because it contains the entropy information used for creating the key and could be used for cryptographic attacks against your private key.
  3. Type
    "openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365".
    This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (That is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; increase "-days 365" if you don't want this.

If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate by typing
"openssl x509 -in my-server.cert -out my-server.der.crt -outform DER".

Create an "Apache-Dir/conf/ssl" directory and move "my-server.key" and "my-server.cert" into it.
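The three commands above, plus the optional DER export, collected into a short POSIX shell script. This is an added example and not part of the original how-to or of the OpenSSL distribution it refers to: it assumes a current OpenSSL command line (1.1 or 3.x) and a Unix-style shell rather than OpenSSL 0.9.6g at a DOS prompt, and it answers the interactive prompts with "-subj" and "-passout" instead of typing them. The temporary passphrase, the server name www.my-server.dom and the output directory are constructed values. It also adds the two checks you want before copying the files into "Apache-Dir/conf/ssl": that the key really belongs to the certificate, and that the CN is the name the browser will use.

```shell
#!/bin/sh
# Added example, not part of the original how-to: the three openssl steps
# (CSR + key, strip passphrase, self-sign) and the optional DER export as
# POSIX shell functions, so the procedure is scriptable and its result can
# be checked. Assumes a modern OpenSSL command line (1.1 or 3.x).
set -eu

# make_selfsigned DIR CN DAYS
# Step 1: openssl req  -> CSR plus a passphrase-protected key (privkey.pem)
# Step 2: openssl rsa  -> my-server.key without passphrase, owner-only perms
# Step 3: openssl x509 -> my-server.cert, self-signed for DAYS days
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    mkdir -p "$dir"
    # -subj and -passout replace the interactive prompts described in the text;
    # the temporary passphrase is a constructed placeholder.
    openssl req -new -newkey rsa:2048 -subj "/CN=$cn" \
        -passout pass:temporary-passphrase \
        -keyout "$dir/privkey.pem" -out "$dir/my-server.csr" 2>/dev/null
    openssl rsa -in "$dir/privkey.pem" -passin pass:temporary-passphrase \
        -out "$dir/my-server.key" 2>/dev/null
    chmod 600 "$dir/my-server.key"   # only the server account/admin may read it
    openssl x509 -req -in "$dir/my-server.csr" -signkey "$dir/my-server.key" \
        -days "$days" -out "$dir/my-server.cert" 2>/dev/null
    # The encrypted copy and any .rnd file are not needed once the key exists.
    rm -f "$dir/privkey.pem" "$dir/.rnd"
}

# export_der DIR  -> my-server.der.crt, the DER form old IE needs to import
export_der() {
    openssl x509 -in "$1/my-server.cert" -out "$1/my-server.der.crt" -outform DER
}

# key_matches_cert DIR  -> exit 0 if the key's modulus equals the cert's.
# Catches the classic mistake of pointing SSLCertificateKeyFile at a key
# other than the one the certificate was signed with.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1/my-server.cert")
    k=$(openssl rsa  -noout -modulus -in "$1/my-server.key" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn DIR  -> prints the subject CN; must equal the host name in the URL
cert_cn() {
    openssl x509 -noout -subject -in "$1/my-server.cert" | sed 's/.*CN *= *//'
}

# cert_valid_for_days DIR N  -> exit 0 if the cert does not expire within N days
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/my-server.cert" >/dev/null
}

# Stand-alone run ("sh make-cert.sh demo"): build a test certificate in a
# temporary directory and report the checks.
if command -v openssl >/dev/null 2>&1 && [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_selfsigned "$out" www.my-server.dom 365
    export_der "$out"
    key_matches_cert "$out" && echo "key and certificate match"
    echo "CN: $(cert_cn "$out"), files in $out"
fi
```

Run it as "sh make-cert.sh demo" to create a test certificate in a temporary directory. "chmod 600" is the Unix equivalent of the advice above that only the server and the administrator may read "my-server.key"; on Windows 2000 set the NTFS permissions on the file instead.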

Configuring Apache part 2

Taken from http://www.raibledesigns.com/tomcat/ssl-howto.html.

Stop the Apache service.

Copy the file "mod_ssl.so" from the "modules" directory inside the Archive into the directory "Apache-Dir\modules" of your webserver.

Find the LoadModule directives in your "httpd.conf" file and add this after the existing ones:

  LoadModule ssl_module modules/mod_ssl.so

If the line is already there but commented out, just uncomment it.

In newer versions of the distribution, it could also be necessary to add

  AddModule mod_ssl.c

after the AddModule lines that are already in the config file (not necessary for 2.0.42).

Copy "ssl.conf" from the Archive to "Apache-Dir\conf". Make sure to change the following things:

It should contain at least these lines (check that the certificate file names match yours):

	Listen 443
	
	# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
	SSLMutex sem
	SSLRandomSeed startup builtin
	SSLSessionCache none

	ErrorLog logs/ssl.log
	LogLevel info
	# You can later change "info" to "warn" if everything is OK

	<VirtualHost www.my-server.dom:443>
	  SSLEngine On
	  SSLCertificateFile conf/ssl/my-server.cert
	  SSLCertificateKeyFile conf/ssl/my-server.key
	</VirtualHost>

If the "<IfDefine SSL>" block is active in the config file, you need to start Apache with the -D SSL option for SSL to be loaded.
The simplest solution is to comment out the IfDefine start and end tags in "ssl.conf".

Start the server, this time from the command prompt rather than as a service, so that you can see the error messages that would prevent Apache from starting (type "apache -k start"). If everything is OK, press CTRL+C to stop the server and, if you prefer, start it as a service again.

If it doesn't work, Apache should write meaningful messages to the screen and/or into the "error.log" and "ssl.log" files in the "Apache-Dir/logs" directory.
If something doesn't work and you can't figure it out, try setting all LogLevel directives to the maximum and look into the logfiles. They are very helpful.

Try to access the server through https://www.my-server.dom:443/. The browser should ask you to install the certificate and then show your page.

Possible problems and their solution


Still not working?

If you encounter any other problems when installing Apache for the first time, be sure to check the Apache website.

Before you email us asking questions, check the following resources first (because that's what I did)! A lot of people have tried to do this and they have been helped.


©2002 Op3racional. Author Sabine Dinis Blochberger. Support email suporte@op3racional.de