Solved

Configure SSL with Apache 2.0.61 on Windows Server 2003

Posted on 2008-10-26
Last Modified: 2010-05-18
Hi Experts,

I provide application hosting and I have been asked to set up SSL on one of the servers I manage.  The server is already running Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.7m mod_jk/1.2.0.  (Apache was installed with the following binary:  apache_2.0.61-win32-x86-openssl-0.9.7m.msi).

I have found a bunch of links to HOW TOs, but they all seem to deal with generating a self-signed certificate.  In this case my customer has provided me with a certificate signed by VeriSign.  But I am not sure what to do with it.

This is urgent - I need to get SSL configured in the next few hours.

What do I do with the certificate file (compasstest.cer)?

Regards,

Paul Hobbs
Question by:mrgordonz
14 Comments
 
LVL 3

Accepted Solution

by:
raminhos earned 500 total points
ID: 22810071
Hello, I made a simple how-to for myself, to use whenever I need.

I couldn't attach my zip file, so I will place here my little how-to and the files you require.

You need to have PHP 5 with SSL installed.

If you want, I can email you all the files I use in my mini how-to.


BIN:
- libeay32.dll
- openssl
- openssl.exe
- ssleay32.dll

CONF
- ssl.conf

MODULES
- mod_ssl.so



Install SSL in Apache

Copy the following files to apache/bin directory
libeay32.dll
openssl.cnf
openssl.exe
ssleay32.dll


Copy the ssl.conf file to apache/conf directory
Create a folder named ssl inside apache/conf


Copy the file mod_ssl.so to folder apache/modules

Now, let's generate the certificate and keys

Inside the bin folder of Apache, in a command prompt:

Check the key: ServerName in httpd.conf so we can fill in the CN in the certificate creation

openssl req -config openssl.cnf -new -out nome_servidor.csr
openssl rsa -in privkey.pem -out nome_servidor.key
openssl x509 -in nome_servidor.csr -out nome_servidor.cert -req -signkey nome_servidor.key -days 1095


Now that we have the certs and keys, let's move the .cert and .key files to apache/conf/ssl


Edit httpd.conf file and change:

- uncomment: LoadModule rewrite_module modules/mod_rewrite.so


Add:

Include conf/ssl.conf
LoadModule ssl_module modules/mod_ssl.so


Edit ssl.conf and change the following directives to both of the generated names (.key and .cert)

SSLCertificateFile
SSLCertificateKeyFile



If you want to force http to redirect to https:

Place the following inside httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
0
 

Author Comment

by:mrgordonz
ID: 22810109
Thanks for the step-by-step instructions, but I am a bit confused.  I already have a certificate file which was provided by my customer for their domain:  compasstest.cer.  When I double-click the cer file they provided, it opens a little window which says it is a certificate with the following details:

Issued to: compasstest.<customerdomain>.com

Issued by: VeriSign Class 3 Secure Server CA

How do I use this certificate file?
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22810121
cert must be placed in the dir where your apache must get it...depending on your apache configuration
0
 

Author Comment

by:mrgordonz
ID: 22810130
But don't I need to somehow tell Apache that the cert exists?  Don't I need to install it somehow?  Forgive me if my questions are dumb - this is the first time I have configured SSL.
0
 

Author Comment

by:mrgordonz
ID: 22810187
I have followed all your instructions and restarted Apache service, but it doesn't work.  When I check to see if anything is listening on port 443, there is nothing.  Apache is still listening on port 80, but not 443.  Also, where do I put the certificate file provided by the customer?
0
 

Author Comment

by:mrgordonz
ID: 22810212
an update:  I commented out the IF DEFINE bits in ssl.conf and now Apache is listening on port 443.  But when I browse to the site it says the certificate is not valid because it is self signed.  Which is not what I want because I have a certificate provided by the customer.
0
 

Author Comment

by:mrgordonz
ID: 22810520
further update:

I have tried following the instructions on the VeriSign site (http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_23849415.html#a22810212).  The steps I followed are:

1.  generated a CSR file (openssl req -config openssl.cnf -new -out <customer_domain>.csr)
2.  generate a private key (openssl rsa -in privkey.pem -out <customer_domain>.key)
3.  download intermediate certificate from VeriSign
4.  install certificate from VeriSign (copy <customer_domain>.cer file to conf\ssl folder, along with key file and intermediate.crt file)

Now when I try to start Apache it won't start and I get the following error:

[Mon Oct 27 17:25:25 2008] [error] Unable to configure RSA server private key
[Mon Oct 27 17:25:25 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

If I uncomment <IfDefine> in ssl.conf Apache will start, but it is not listening on port 443.

I am completely lost as to what to do next.  

All the tutorials I have found only describe using a self signed certificate.  That doesn't help me - I have been provided with a certificate which is signed by VeriSign.  But I don't know what to do with it.  

Is the customer also meant to provide a CSR file?  Should they provide the .KEY file or the .PEM file?  

HELP!!  This is really urgent.

0
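Added example (not part of the original thread): the `key values mismatch` error quoted in the comment above means the public key inside the certificate does not belong to the private key that SSLCertificateKeyFile points at. The script below checks a key against a certificate or CSR with openssl; the file names and the CN demo.example.test are constructed, and a self-signed certificate stands in for a CA-issued one.

```shell
#!/bin/sh
# Added example: does a certificate (or CSR) belong to a given private key?
# mod_ssl logs "X509_check_private_key:key values mismatch" when it does not.

# Public key embedded in a certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key embedded in a CSR, as PEM.
csr_pubkey() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from an unencrypted private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return 0 if private key $1 matches certificate $2, 1 otherwise.
key_matches_cert() {
    k=$(key_pubkey "$1"); c=$(cert_pubkey "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if private key $1 matches CSR $2, 1 otherwise.
key_matches_csr() {
    k=$(key_pubkey "$1"); r=$(csr_pubkey "$2")
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Build constructed sample files in a temp dir and print its path.
make_demo() {
    d=$(mktemp -d)
    # Key and CSR generated together, as on the server that will host the site.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # Self-signed stand-in for the certificate a CA would issue from that CSR.
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -days 1 -out "$d/server.crt" 2>/dev/null
    # Unrelated key, e.g. one generated later on a different machine.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

demo=$(make_demo)
for key in server.key other.key; do
    if key_matches_cert "$demo/$key" "$demo/server.crt"; then
        echo "$key: matches server.crt"
    else
        echo "$key: key values mismatch"
    fi
done
rm -rf "$demo"
```

Run against real files, a mismatch means the certificate was issued from a CSR made with a different private key than the one Apache is loading.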

 

Author Comment

by:mrgordonz
ID: 22810525
0
 

Author Comment

by:mrgordonz
ID: 22817741
No-one can help me?

Surely someone out there has installed a VeriSign certificate with Apache???  
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22817781
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193

VeriSign has how-tos for installing certificates on every web server
0
 

Author Comment

by:mrgordonz
ID: 22817912
I have followed those instructions, and I get to a point where the instructions don't make sense to me:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step 1: Install CA Certificate
 
Secure Site
If you are installing a Secure Site Certificate, you need to first install the Secure Site Intermediate CA Certificate.
 
Secure Site Pro
If you are installing a Secure Site Pro Certificate, you need to first install the Secure Site Pro Intermediate CA Certificate. (I did this as per the instructions below)
 
1. Copy the intermediate certificate into text file and name it intermediate.crt. This file can be placed in the same directory as your SSL Certificate. For example: /usr/local/ssl/crt
(I created the intermediate.crt file as instructed, and saved it to the folder C:\apache\Apache2\conf\ssl)
 
Step 2: Install the SSL Certificate
 
Your VeriSign certificate will be sent via email. If the certificate is included as an attachment (Cert.cer), you may use the file. If the certificate is imbedded in the body of the email, copy and paste it into a text file (save as public.crt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
 
1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
(I received the certificate as an email attachment - compasstest.cer - and renamed it to compasstest.crt.  It is located in the folder C:\apache\Apache2\conf\ssl, along with intermediate.crt)
 
2. Copy your Certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.
 
Step 3: Configure the Server
 
1. In order to use the key pair, the httpd.conf file will need to be updated.
(This is where I get stuck.  What key pair?  How do I create the file private.key that is mentioned below?)
 
2. In the Virtual Host settings for your site locate the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
 
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

  The first directive tells Apache how to find the  Certificate File, the second one where the private key is located, and the third  line the location of the intermediate certificate.  

If you are using a different location and  certificate file names than the example above (which most likely you are) you  will need to change the path and filename to reflect your server.  

Note: Some instances of Apache contain  both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the  ssl.conf with the above directives. Do not enter both as there will be a  conflict and Apache may not start.  

3. Save your httpd.conf file and restart Apache.  You can most likely do so by using the apachectl script:    

apachectl stop  
apachectl startssl    

4. You should now be set to start using your  VeriSign certificate with your Apache-SSL Server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheers,

Paul
0
 

Author Comment

by:mrgordonz
ID: 22817992
I think I understand the problem now.  The certificate I have been provided was created by VeriSign using a CSR which was NOT generated on my server.  Consequently, the certificate will not work on my server.  

Does that sound correct?
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22818475
I think you can't use it then
0
 

Author Closing Comment

by:mrgordonz
ID: 31510184
Didn't quite solve the problem, but provided me with good information that ultimately helped me to solve the problem.  The key was that I am not using a self-signed certificate, but a signed certificate from a Certificate Authority (eg: VeriSign). A signed certificate won't work unless the CSR and the Private key were created on the actual server where the signed certificate is being installed.  It is now all working perfectly.  Very helpful tips regarding URL re-writing and general Apache config - thanks.
0
