
SSL for Apache

See the setup section below, but understand that newer Apache versions break the virtual host and SSL settings out into conf/extra/httpd-*.conf files. You may also be running Apache as a Windows service, in which case the startup commands do not apply. If you run SSL for multiple domains using name-based virtual hosts, understand that they will all use the same certificate, which is why the example makes a wildcard certificate. Apache will log a warning about this:

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

To avoid seeing the warning, you can change the LogLevel parameter in httpd.conf to something other than "warn".

  1. set up Apache2 as usual (make sure to get the version with SSL support)
  2. in httpd.conf, comment out Port 80, and use Listen lines instead
    #Port 80
    Listen 80
    Listen 443
  3. make certs and keys (see appropriate sections below)
  4. in httpd.conf, add ssl support by uncommenting this line:
    LoadModule ssl_module modules/mod_ssl.so
  5. in httpd.conf, set up name-based virtual hosts:
    NameVirtualHost *:80
    NameVirtualHost *:443
    
    <VirtualHost *:80>
      DocumentRoot "/path/to/my-server"
      ServerName my-server
    </VirtualHost>
  6. tweak ssl.conf to have the following (probably best to remove the _default_ virtual host entry)
    # see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
    # (Apache 2.4 replaces SSLMutex with the core Mutex directive)
    SSLMutex sem
    SSLRandomSeed startup builtin
    SSLSessionCache none
    
    # SSLLog and SSLLogLevel exist only in Apache 2.0's mod_ssl; from 2.2 on,
    # SSL messages go to the ErrorLog at the LogLevel set there
    SSLLog logs/SSL.log
    SSLLogLevel info
    # You can later change "info" to "warn" if everything is OK
    
    <VirtualHost *:443>
      DocumentRoot "/path/to/my-server"
      ServerName my-server
      SSLEngine On
      SSLCertificateFile conf/ssl/my-server.cert
      SSLCertificateKeyFile conf/ssl/my-server.key
    </VirtualHost>
  7. Don't forget to start Apache with -D SSL if the SSL settings in the config file are wrapped in an <IfDefine SSL> block! On Unix, it would look like this:
    apachectl -D SSL -k start

This example creates a wildcard certificate on Windows 7, using a Cygwin terminal.

  1. (this makes the certificate request) the asterisk you enter for the Common Name (CN) is the wildcard part; enter something simple like 1234 for the pass phrase
    openssl req -config /usr/ssl/openssl.cnf -new -out myname.local.csr
    
    Generating a 1024 bit RSA private key
    .......++++++
    ..............++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:AZ
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYCOMPANY
    Organizational Unit Name (eg, section) []:IS
    Common Name (eg, YOUR name) []:*.myname.local
    Email Address []:myname@mycompany.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  2. (this writes your private key to a new file without the pass phrase) enter the pass phrase you set above
    openssl rsa -in privkey.pem -out myname.local.key
    
    Enter pass phrase for privkey.pem:
    writing RSA key
  3. (this creates the self-signed certificate)
    openssl x509 -in myname.local.csr -out myname.local.cert -req -signkey myname.local.key -days 10000
    
    Signature ok
    subject=/C=US/ST=AZ/O=MYCOMPANY/OU=IS/CN=*.myname.local/emailAddress=myname@mycompany.com
    Getting Private key
  4. copy the files to your Apache server
    cp myname.local.cert /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
    cp myname.local.key /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
Alternatively, use the openssl binary that ships with Apache:

  1. the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and its configuration file openssl.cnf is in Apache2/conf
  2. open a command terminal and go to Apache2/bin
  3. substitute your domain in place of my-server
    openssl req -config ../conf/openssl.cnf -new -out my-server.csr
    openssl rsa -in privkey.pem -out my-server.key
    openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000
  4. copy the .cert and .key files from the previous step into a new directory, Apache2/conf/ssl
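The two procedures above run the same three openssl commands interactively, and the introduction notes that every name-based virtual host ends up sharing one wildcard certificate. The script below is an added example, not from the original page: it does the same job non-interactively and then runs the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at the files: that the key really belongs to the certificate (a mismatched pair is what mod_ssl refuses to start with), what the subject CN is, which hostnames the certificate actually covers, and that it is within its validity period. It assumes openssl is on PATH; the domain myname.local, the DN fields and the output directory are constructed for the demo. Two things it does differently from the steps above, by choice: the key is 2048-bit rather than the 1024-bit default shown in the output above, the lifetime is 365 days rather than 10000, and a subjectAltName listing both *.myname.local and myname.local is added, because a wildcard covers exactly one label (so *.myname.local does not cover myname.local) and current clients check the SAN rather than the CN.

```shell
#!/bin/sh
# Added example (not from the original page): the cert-making steps above as a
# non-interactive script, plus the checks to run before pointing
# SSLCertificateFile / SSLCertificateKeyFile at the files.
# Assumptions: openssl is on PATH; domain, DN fields and paths are constructed.
set -eu

# make_selfsigned_cert DOMAIN OUTDIR
#   Writes OUTDIR/DOMAIN.key (unencrypted, like the page's step 2 produces) and
#   OUTDIR/DOMAIN.cert with CN=*.DOMAIN. 2048-bit key and 365-day lifetime are
#   chosen here instead of the 1024-bit / 10000-day values in the steps above.
make_selfsigned_cert() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"
    # Step 1: the request. -subj replaces the interactive DN prompts; -nodes
    # skips the pass phrase that step 2 of the page strips off again anyway.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=US/ST=AZ/O=MYCOMPANY/OU=IS/CN=*.$domain" 2>/dev/null
    # Extensions for the certificate: the SAN names the wildcard AND the bare
    # domain, since *.example.test does not cover example.test.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" \
        > "$outdir/$domain.ext"
    # Step 3: self-sign the request with its own key.
    openssl x509 -req -in "$outdir/$domain.csr" -signkey "$outdir/$domain.key" \
        -extfile "$outdir/$domain.ext" -days 365 -out "$outdir/$domain.cert" 2>/dev/null
    rm -f "$outdir/$domain.csr" "$outdir/$domain.ext"
}

# cert_matches_key CERT KEY: succeeds when CERT's public key is the one in KEY.
# A mismatched pair is what makes mod_ssl refuse to start.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_common_name CERT: prints the subject CN, e.g. "*.myname.local".
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_covers_host CERT HOSTNAME: succeeds when a client connecting to HOSTNAME
# would accept CERT (self-signed, so the cert is its own trust anchor). openssl
# applies the RFC 6125 rules here: the wildcard matches exactly one label.
cert_covers_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

# cert_not_expired CERT: succeeds while the certificate is within its validity period.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Demo in a throwaway directory (constructed input; for real use, point the
# check functions at the files you copied into conf/ssl/).
demo_dir=$(mktemp -d)
make_selfsigned_cert myname.local "$demo_dir"
cert="$demo_dir/myname.local.cert"
key="$demo_dir/myname.local.key"
cert_matches_key "$cert" "$key" && echo "key matches certificate"
echo "CN: $(cert_common_name "$cert")"
for host in www.myname.local myname.local a.b.myname.local my-server; do
    if cert_covers_host "$cert" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done
cert_not_expired "$cert" && echo "certificate is within its validity period"
```

Running it prints the result of each check; the same functions can be pointed at the files in conf/ssl/. Because openssl verify -verify_hostname applies the standard matching rules, a.b.myname.local and a single-label name such as my-server are reported as not covered, while www.myname.local (via the wildcard) and myname.local (via the extra SAN entry) are.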
  • docs/apache_web_server/ssl.txt
  • Last modified: 2010/12/09 09:25
  • by billh