Solved

Configure SSL with Apache 2.0.61 on Windows Server 2003

Posted on 2008-10-26
Last Modified: 2010-05-18
Hi Experts,

I provide application hosting and I have been asked to set up SSL on one of the servers I manage.  The server is already running Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.7m mod_jk/1.2.0.  (Apache was installed with the following binary:  apache_2.0.61-win32-x86-openssl-0.9.7m.msi).

I have found a bunch of links to HOW TOs, but they all seem to deal with generating a self-signed certificate.  In this case my customer has provided me with a certificate signed by VeriSign.  But I am not sure what to do with it.

This is urgent - I need to get SSL configured in the next few hours.

What do I do with the certificate file (compasstest.cer)?

Regards,

Paul Hobbs
0
Comment
Question by:mrgordonz
14 Comments
 
LVL 3

Accepted Solution

by:
raminhos earned 500 total points
ID: 22810071
Hello, I made a simple how-to for myself, to use whenever I need.

I couldn't attach my zip file, so I will place here my little how-to and the files you require.

You need to have PHP 5 with SSL installed.

If you want, I can email you all the files I use in my mini how-to.


BIN:
- libeay32.dll
- openssl
- openssl.exe
- ssleay32.dll

CONF
- ssl.conf

MODULES
- mod_ssl.so



Install SSL in Apache

Copy the following files to apache/bin directory
libeay32.dll
openssl.cnf
openssl.exe
ssleay32.dll


Copy the ssl.conf file to apache/conf directory
Create a folder named ssl inside apache/conf


Copy the file mod_ssl.so to folder apache/modules

Now, let's generate the certificate and keys

In a command prompt, inside the bin folder of Apache:

Check the ServerName key in httpd.conf so we can fill in the CN when creating the certificate

openssl req -config openssl.cnf -new -out nome_servidor.csr
openssl rsa -in privkey.pem -out nome_servidor.key
openssl x509 -in nome_servidor.csr -out nome_servidor.cert -req -signkey nome_servidor.key -days 1095


Now that we have the certs and keys, let's move the .cert and .key files to apache/conf/ssl


Edit httpd.conf file and change:

- uncomment: LoadModule rewrite_module modules/mod_rewrite.so


Add:

Include conf/ssl.conf
LoadModule ssl_module modules/mod_ssl.so


Edit ssl.conf and change the following directives with both names generated (.key and .cert)

SSLCertificateFile
SSLCertificateKeyFile



If you want to force http to redirect to https:

Place the following inside httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
0
 

Author Comment

by:mrgordonz
ID: 22810109
Thanks for the step-by-step instructions, but I am a bit confused.  I already have a certificate file which was provided by my customer for their domain:  compasstest.cer.  When I double-click the cer file they provided, it opens a little window which says it is a certificate with the following details:

Issued to: compasstest.<customerdomain>.com

Issued by: VeriSign Class 3 Secure Server CA

How do I use this certificate file?
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22810121
cert must be placed in the dir where your apache must get it...depending on your apache configuration
0

 

Author Comment

by:mrgordonz
ID: 22810130
But don't I need to somehow tell Apache that the cert exists?  Don't I need to install it somehow?  Forgive me if my questions are dumb - this is the first time I have configured SSL.
0
 

Author Comment

by:mrgordonz
ID: 22810187
I have followed all your instructions and restarted Apache service, but it doesn't work.  When I check to see if anything is listening on port 443, there is nothing.  Apache is still listening on port 80, but not 443.  Also, where do I put the certificate file provided by the customer?
0
 

Author Comment

by:mrgordonz
ID: 22810212
An update:  I commented out the IF DEFINE bits in ssl.conf and now Apache is listening on port 443.  But when I browse to the site it says the certificate is not valid because it is self signed.  Which is not what I want because I have a certificate provided by the customer.
0
 

Author Comment

by:mrgordonz
ID: 22810520
Further update:

I have tried following the instructions on the VeriSign site (http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_23849415.html#a22810212).  The steps I followed are:

1.  generated a CSR file (openssl req -config openssl.cnf -new -out <customer_domain>.csr)
2.  generate a private key (openssl rsa -in privkey.pem -out <customer_domain>.key)
3.  download intermediate certificate from VeriSign
4.  install certificate from VeriSign (copy <customer_domain>.cer file to conf\ssl folder, along with key file and intermediate.crt file)

Now when I try to start Apache it won't start and I get the following error:

[Mon Oct 27 17:25:25 2008] [error] Unable to configure RSA server private key
[Mon Oct 27 17:25:25 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

If I uncomment <IfDefine> in ssl.conf Apache will start, but it is not listening on port 443.

I am completely lost as to what to do next.  

All the tutorials I have found only describe using a self signed certificate.  That doesn't help me - I have been provided with a certificate which is signed by VeriSign.  But I don't know what to do with it.  

Is the customer also meant to provide a CSR file?  Should they provide the .KEY file or the .PEM file?  

HELP!!  This is really urgent.

0
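Added example (not part of the original thread): the X509_check_private_key "key values mismatch" error quoted above is raised when the certificate named in SSLCertificateFile does not carry the public key of the file named in SSLCertificateKeyFile. The sketch below compares the RSA modulus of the two files before Apache is restarted. It is written for a POSIX shell (the openssl invocations are the same from a Windows command prompt); the function names, file names and CN are hypothetical, and the test files are constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# Print "Modulus=..." for a certificate. Tries PEM first, then DER, because
# a .cer file exported on Windows may be in either encoding.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -noout -modulus 2>/dev/null
}

# Print "Modulus=..." for an RSA private key in PEM form.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Exit status: 0 = cert and key pair up, 1 = mismatch, 2 = a file is unreadable.
cert_matches_key() {
    c=$(cert_modulus "$1") || return 2
    k=$(key_modulus "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed test material: key A with a throwaway self-signed cert (PEM and
# DER copies), plus an unrelated key B standing in for a key generated later.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=compasstest.example.com" \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl x509 -in "$1/a.crt" -outform DER -out "$1/a.cer" &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

report() {
    rc=0; cert_matches_key "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1 + $2: match" ;;
        1) echo "$1 + $2: key values mismatch" ;;
        *) echo "$1 + $2: could not read one of the files" ;;
    esac
}

demo_dir=$(mktemp -d)
if make_demo_files "$demo_dir"; then
    report "$demo_dir/a.crt" "$demo_dir/a.key"   # same key pair
    report "$demo_dir/a.cer" "$demo_dir/a.key"   # DER copy of the same cert
    report "$demo_dir/a.crt" "$demo_dir/b.key"   # cert from A, key B
fi
rm -rf "$demo_dir"
```

A private key protected by a passphrase makes `openssl rsa` prompt for it; the check otherwise runs unattended.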
 

Author Comment

by:mrgordonz
ID: 22810525
0
 

Author Comment

by:mrgordonz
ID: 22817741
No-one can help me?

Surely someone out there has installed a VeriSign certificate with Apache???  
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22817781
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193

VeriSign has how-tos for installing certificates on every web server
0
 

Author Comment

by:mrgordonz
ID: 22817912
I have followed those instructions, and I get to a point where the instructions don't make sense to me:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step 1: Install CA Certificate
 
Secure Site
If you are installing a Secure Site Certificate, you need to first install the Secure Site Intermediate CA Certificate.
 
Secure Site Pro
If you are installing a Secure Site Pro Certificate, you need to first install the Secure Site Pro Intermediate CA Certificate. (I did this as per the instructions below)
 
1. Copy the intermediate certificate into text file and name it intermediate.crt. This file can be placed in the same directory as your SSL Certificate. For example: /usr/local/ssl/crt
(I created the intermediate.crt file as instructed, and saved it to the folder C:\apache\Apache2\conf\ssl)
 
Step 2: Install the SSL Certificate
 
Your VeriSign certificate will be sent via email. If the certificate is included as an attachment (Cert.cer), you may use the file. If the certificate is imbedded in the body of the email, copy and paste it into a text file (save as public.crt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
 
1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
(I received the certificate as an email attachment - compasstest.cer - and renamed it to compasstest.crt.  It is located in the folder C:\apache\Apache2\conf\ssl, along with intermediate.crt)
 
2. Copy your Certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.
 
Step 3: Configure the Server
 
1. In order to use the key pair, the httpd.conf file will need to be updated.
(This is where I get stuck.  What key pair?  How do I create the file private.key that is mentioned below?)
 
2. In the Virtual Host settings for your site locate the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
 
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

The first directive tells Apache how to find the Certificate File, the second one where the private key is located, and the third line the location of the intermediate certificate.

If you are using a different location and certificate file names than the example above (which most likely you are) you will need to change the path and filename to reflect your server.

Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.

3. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:

apachectl stop
apachectl startssl

4. You should now be set to start using your VeriSign certificate with your Apache-SSL Server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheers,

Paul
0
 

Author Comment

by:mrgordonz
ID: 22817992
I think I understand the problem now.  The certificate I have been provided was created by VeriSign using a CSR which was NOT generated on my server.  Consequently, the certificate will not work on my server.  

Does that sound correct?
0
 
LVL 3

Expert Comment

by:raminhos
ID: 22818475
I think you can't use it then
0
 

Author Closing Comment

by:mrgordonz
ID: 31510184
Didn't quite solve the problem, but provided me with good information that ultimately helped me to solve the problem.  The key was that I am not using a self-signed certificate, but a signed certificate from a Certificate Authority (eg: VeriSign). A signed certificate won't work unless the CSR and the Private key were created on the actual server where the signed certificate is being installed.  It is now all working perfectly.  Very helpful tips regarding URL re-writing and general Apache config - thanks.
0
