Configure SSL with Apache 2.0.61 on Windows Server 2003

Posted on 2008-10-26
Last Modified: 2010-05-18
Hi Experts,

I provide application hosting and I have been asked to set up SSL on one of the servers I manage.  The server is already running Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.7m mod_jk/1.2.0.  (Apache was installed with the following binary:  apache_2.0.61-win32-x86-openssl-0.9.7m.msi).

I have found a bunch of links to HOW TOs, but they all seem to deal with generating a self-signed certificate.  In this case my customer has provided me with a certificate signed by VeriSign.  But I am not sure what to do with it.

This is urgent - I need to get SSL configured in the next few hours.

What do I do with the certificate file (compasstest.cer)?


Paul Hobbs
Question by:mrgordonz

Accepted Solution

raminhos earned 500 total points
ID: 22810071
Hello, I made a simple how-to for myself, to use whenever I need.

I couldn't attach my zip file, so I will place here my little how-to and the files you require.

You need to have PHP 5 with SSL installed.

If you want, I can email you all the files I use in my mini how-to.

- libeay32.dll
- openssl
- openssl.exe
- ssleay32.dll

- ssl.conf


Install SSL in Apache

Copy the following files to apache/bin directory

Copy the ssl.conf file to apache/conf directory
Create a folder named ssl inside apache/conf

Copy the file to folder apache/modules

Now, let's generate the certificate and keys

Inside the bin folder of Apache, in a command prompt:

Check the key: ServerName in httpd.conf so we can fill in the CN during the certificate creation

openssl req -config openssl.cnf -new -out nome_servidor.csr
openssl rsa -in privkey.pem -out nome_servidor.key
openssl x509 -in nome_servidor.csr -out nome_servidor.cert -req -signkey nome_servidor.key -days 1095

Now that we have the certs and keys, let's move the .cert and .key files to apache/conf/ssl

Edit httpd.conf file and change:

- uncomment: LoadModule rewrite_module modules/


Include conf/ssl.conf
LoadModule ssl_module modules/

Edit ssl.conf and change the following directives with both names generated (.key and .cert)


If you want to force http to redirect to https:

Place the following inside httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Author Comment

ID: 22810109
Thanks for the step-by-step instructions, but I am a bit confused.  I already have a certificate file which was provided by my customer for their domain:  compasstest.cer.  When I double-click the cer file they provided, it opens a little window which says it is a certificate with the following details:

Issued to: compasstest.<customerdomain>.com

Issued by: VeriSign Class 3 Secure Server CA

How do I use this certificate file?

Expert Comment

ID: 22810121
The cert must be placed in the dir where your Apache must get it... depending on your Apache configuration

Author Comment

ID: 22810130
But don't I need to somehow tell Apache that the cert exists?  Don't I need to install it somehow?  Forgive me if my questions are dumb - this is the first time I have configured SSL.

Author Comment

ID: 22810187
I have followed all your instructions and restarted Apache service, but it doesn't work.  When I check to see if anything is listening on port 443, there is nothing.  Apache is still listening on port 80, but not 443.  Also, where do I put the certificate file provided by the customer?

Author Comment

ID: 22810212
An update:  I commented out the IF DEFINE bits in ssl.conf and now Apache is listening on port 443.  But when I browse to the site it says the certificate is not valid because it is self signed.  Which is not what I want because I have a certificate provided by the customer.

Author Comment

ID: 22810520
Further update:

I have tried following the instructions on the VeriSign site (  The steps I followed are:

1.  generated a CSR file (openssl req -config openssl.cnf -new -out <customer_domain>.csr)
2.  generate a private key (openssl rsa -in privkey.pem -out <customer_domain>.key)
3.  download intermediate certificate from VeriSign
4.  install certificate from VeriSign (copy <customer_domain>.cer file to conf\ssl folder, along with key file and intermediate.crt file)

Now when I try to start Apache it won't start and I get the following error:

[Mon Oct 27 17:25:25 2008] [error] Unable to configure RSA server private key
[Mon Oct 27 17:25:25 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

If I uncomment <IfDefine> in ssl.conf Apache will start, but it is not listening on port 443.

I am completely lost as to what to do next.  

All the tutorials I have found only describe using a self signed certificate.  That doesn't help me - I have been provided with a certificate which is signed by VeriSign.  But I don't know what to do with it.  

Is the customer also meant to provide a CSR file?  Should they provide the .KEY file or the .PEM file?  

HELP!!  This is really urgent.


Author Comment

ID: 22817741
No-one can help me?

Surely someone out there has installed a VeriSign certificate with Apache???  

Expert Comment

ID: 22817781

VeriSign has how-tos for installing certificates on every web server

Author Comment

ID: 22817912
I have followed those instructions, and I get to a point where the instructions don't make sense to me:

Step 1: Install CA Certificate
Secure Site
If you are installing a Secure Site Certificate, you need to first install the Secure Site Intermediate CA Certificate.
Secure Site Pro
If you are installing a Secure Site Pro Certificate, you need to first install the Secure Site Pro Intermediate CA Certificate. (I did this as per the instructions below)
1. Copy the intermediate certificate into text file and name it intermediate.crt. This file can be placed in the same directory as your SSL Certificate. For example: /usr/local/ssl/crt
(I created the intermediate.crt file as instructed, and saved it to the folder C:\apache\Apache2\conf\ssl)
Step 2: Install the SSL Certificate
Your VeriSign certificate will be sent via email. If the certificate is included as an attachment (Cert.cer), you may use the file. If the certificate is imbedded in the body of the email, copy and paste it into a text file (save as public.crt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
(I received the certificate as an email attachment - compasstest.cer - and renamed it to compasstest.crt.  It is located in the folder C:\apache\Apache2\conf\ssl, along with intermediate.crt)
2. Copy your Certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.
Step 3: Configure the Server
1. In order to use the key pair, the httpd.conf file will need to be updated.
(This is where I get stuck.  What key pair?  How do I create the file private.key that is mentioned below?)
2. In the Virtual Host settings for your site locate the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

  The first directive tells Apache how to find the  Certificate File, the second one where the private key is located, and the third  line the location of the intermediate certificate.  

If you are using a different location and  certificate file names than the example above (which most likely you are) you  will need to change the path and filename to reflect your server.  

Note: Some instances of Apache contain  both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the  ssl.conf with the above directives. Do not enter both as there will be a  conflict and Apache may not start.  

3. Save your httpd.conf file and restart Apache.  You can most likely do so by using the apachectl script:    

apachectl stop  
apachectl startssl    

4. You should now be set to start using your  VeriSign certificate with your Apache-SSL Server.




Author Comment

ID: 22817992
I think I understand the problem now.  The certificate I have been provided was created by VeriSign using a CSR which was NOT generated on my server.  Consequently, the certificate will not work on my server.  

Does that sound correct?

Expert Comment

ID: 22818475
I think you can't use it then

Author Closing Comment

ID: 31510184
Didn't quite solve the problem, but provided me with good information that ultimately helped me to solve the problem.  The key was that I am not using a self-signed certificate, but a signed certificate from a Certificate Authority (eg: VeriSign). A signed certificate won't work unless the CSR and the Private key were created on the actual server where the signed certificate is being installed.  It is now all working perfectly.  Very helpful tips regarding URL re-writing and general Apache config - thanks.
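
Added example, not part of the original thread: Apache's "key values mismatch" error quoted above means the public key inside the certificate is not the public half of the key named in SSLCertificateKeyFile. The sh script below compares the two with OpenSSL before Apache is restarted and accepts a PEM or binary DER .cer file; it assumes OpenSSL 1.0.0 or later (for `openssl pkey`) and an unencrypted key, and the file names and CN in the sample data are constructed.

```shell
#!/bin/sh
# Added example: verify that a CA-issued certificate belongs to a private key
# before pointing SSLCertificateFile / SSLCertificateKeyFile at the pair.

# Print the certificate's public key; a .cer file may be PEM or binary DER.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public half of an unencrypted private key.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 if the pair matches, 1 on mismatch, 2 if a file cannot be parsed.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample data: one key with a throwaway self-signed certificate
# (standing in for the CA-issued one, in PEM and DER form) and an unrelated
# key such as one freshly generated on a different server.
make_sample() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=compasstest.example.com" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    openssl x509 -in "$d/server.crt" -outform DER -out "$d/server.cer" || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    echo "$d"
}

d=$(make_sample) && {
    cert_matches_key "$d/server.cer" "$d/server.key" && echo "server.key: match"
    cert_matches_key "$d/server.cer" "$d/other.key" || echo "other.key: key values mismatch"
    rm -rf "$d"
}
```

A mismatch result means the key file is not the one whose CSR was submitted to the CA, so the matching key has to be obtained or the certificate reissued from a new CSR.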


Question has a verified solution.
