

Configure SSL with Apache 2.0.61 on Windows Server 2003

Posted on 2008-10-26
Last Modified: 2010-05-18
Hi Experts,

I provide application hosting and I have been asked to set up SSL on one of the servers I manage.  The server is already running Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.7m mod_jk/1.2.0.  (Apache was installed with the following binary:  apache_2.0.61-win32-x86-openssl-0.9.7m.msi).

I have found a bunch of links to HOW TOs, but they all seem to deal with generating a self-signed certificate.  In this case my customer has provided me with a certificate signed by VeriSign.  But I am not sure what to do with it.

This is urgent - I need to get SSL configured in the next few hours.

What do I do with the certificate file (compasstest.cer)?


Paul Hobbs
Question by:mrgordonz

Accepted Solution

raminhos earned 1500 total points
ID: 22810071
Hello, I made a simple how-to for myself, to use whenever I need.

I couldn't attach my zip file, so I will place here my little how-to and the files you require.

You need to have PHP 5 with SSL installed.

If you want, I can email you all the files I use in my mini how-to.

- libeay32.dll
- openssl
- openssl.exe
- ssleay32.dll

- ssl.conf

- mod_ssl.so

Install SSL in Apache

Copy the following files to apache/bin directory

Copy the ssl.conf file to apache/conf directory
Create a folder named ssl inside apache/conf

Copy the file mod_ssl.so to folder apache/modules

Now, let's generate the certificate and keys

Inside the bin folder of Apache, in a command prompt:

Check the ServerName key in httpd.conf so we can fill in the CN when creating the certificate

openssl req -config openssl.cnf -new -out nome_servidor.csr
openssl rsa -in privkey.pem -out nome_servidor.key
openssl x509 -in nome_servidor.csr -out nome_servidor.cert -req -signkey nome_servidor.key -days 1095

Now that we have the certs and keys, let's move the .cert and .key files to apache/conf/ssl

Edit httpd.conf file and change:

- uncomment: LoadModule rewrite_module modules/mod_rewrite.so


Include conf/ssl.conf
LoadModule ssl_module modules/mod_ssl.so

Edit ssl.conf and change the following directives to use both generated file names (.key and .cert)


If you want to force http to redirect to https:

Place the following inside httpd.conf:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Author Comment

ID: 22810109
Thanks for the step-by-step instructions, but I am a bit confused.  I already have a certificate file which was provided by my customer for their domain:  compasstest.cer.  When I double-click the cer file they provided, it opens a little window which says it is a certificate with the following details:

Issued to: compasstest.<customerdomain>.com

Issued by: VeriSign Class 3 Secure Server CA

How do I use this certificate file?

Expert Comment

ID: 22810121
cert must be placed in the dir where your apache must get it...depending on your apache configuration


Author Comment

ID: 22810130
But don't I need to somehow tell Apache that the cert exists?  Don't I need to install it somehow?  Forgive me if my questions are dumb - this is the first time I have configured SSL.

Author Comment

ID: 22810187
I have followed all your instructions and restarted Apache service, but it doesn't work.  When I check to see if anything is listening on port 443, there is nothing.  Apache is still listening on port 80, but not 443.  Also, where do I put the certificate file provided by the customer?

Author Comment

ID: 22810212
An update:  I commented out the IF DEFINE bits in ssl.conf and now Apache is listening on port 443.  But when I browse to the site it says the certificate is not valid because it is self signed.  Which is not what I want because I have a certificate provided by the customer.

Author Comment

ID: 22810520
Further update:

I have tried following the instructions on the VeriSign site (http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_23849415.html#a22810212).  The steps I followed are:

1.  generated a CSR file (openssl req -config openssl.cnf -new -out <customer_domain>.csr)
2.  generate a private key (openssl rsa -in privkey.pem -out <customer_domain>.key)
3.  download intermediate certificate from VeriSign
4.  install certificate from VeriSign (copy <customer_domain>.cer file to conf\ssl folder, along with key file and intermediate.crt file)

Now when I try to start Apache it won't start and I get the following error:

[Mon Oct 27 17:25:25 2008] [error] Unable to configure RSA server private key
[Mon Oct 27 17:25:25 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

If I uncomment <IfDefine> in ssl.conf Apache will start, but it is not listening on port 443.

I am completely lost as to what to do next.  

All the tutorials I have found only describe using a self signed certificate.  That doesn't help me - I have been provided with a certificate which is signed by VeriSign.  But I don't know what to do with it.  

Is the customer also meant to provide a CSR file?  Should they provide the .KEY file or the .PEM file?  

HELP!!  This is really urgent.


Author Comment

ID: 22817741
No-one can help me?

Surely someone out there has installed a VeriSign certificate with Apache???  

Expert Comment

ID: 22817781

VeriSign has how-tos for installing certificates on every web server

Author Comment

ID: 22817912
I have followed those instructions, and I get to a point where the instructions don't make sense to me:

Step 1: Install CA Certificate
Secure Site
If you are installing a Secure Site Certificate, you need to first install the Secure Site Intermediate CA Certificate.
Secure Site Pro
If you are installing a Secure Site Pro Certificate, you need to first install the Secure Site Pro Intermediate CA Certificate. (I did this as per the instructions below)
1. Copy the intermediate certificate into text file and name it intermediate.crt. This file can be placed in the same directory as your SSL Certificate. For example: /usr/local/ssl/crt
(I created the intermediate.crt file as instructed, and saved it to the folder C:\apache\Apache2\conf\ssl)
Step 2: Install the SSL Certificate
Your VeriSign certificate will be sent via email. If the certificate is included as an attachment (Cert.cer), you may use the file. If the certificate is imbedded in the body of the email, copy and paste it into a text file (save as public.crt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
(I received the certificate as an email attachment - compasstest.cer - and renamed it to compasstest.crt.  It is located in the folder C:\apache\Apache2\conf\ssl, along with intermediate.crt)
2. Copy your Certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.
Step 3: Configure the Server
1. In order to use the key pair, the httpd.conf file will need to be updated.
(This is where I get stuck.  What key pair?  How do I create the file private.key that is mentioned below?)
2. In the Virtual Host settings for your site locate the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

The first directive tells Apache how to find the Certificate File, the second one where the private key is located, and the third line the location of the intermediate certificate.

If you are using a different location and certificate file names than the example above (which most likely you are) you will need to change the path and filename to reflect your server.

Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.

3. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:

apachectl stop
apachectl startssl

4. You should now be set to start using your VeriSign certificate with your Apache-SSL Server.




Author Comment

ID: 22817992
I think I understand the problem now.  The certificate I have been provided was created by VeriSign using a CSR which was NOT generated on my server.  Consequently, the certificate will not work on my server.  

Does that sound correct?

Expert Comment

ID: 22818475
I think you can't use it then

Author Closing Comment

ID: 31510184
Didn't quite solve the problem, but provided me with good information that ultimately helped me to solve the problem.  The key was that I am not using a self-signed certificate, but a signed certificate from a Certificate Authority (eg: VeriSign). A signed certificate won't work unless the CSR and the Private key were created on the actual server where the signed certificate is being installed.  It is now all working perfectly.  Very helpful tips regarding URL re-writing and general Apache config - thanks.
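
The "key values mismatch" error quoted in this thread is what mod_ssl logs when the certificate's public key does not belong to the private key named in SSLCertificateKeyFile. The script below is an added example, not code from any poster in the thread: it compares the RSA modulus of a certificate against candidate key files. The file names and the CN are constructed, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example: does a certificate belong to a given RSA private key?
# mod_ssl logs "key values mismatch" at startup when it does not.

# Print the RSA modulus of a PEM file. $1 = x509 | rsa | req, $2 = file.
modulus_of() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

# Succeed only if certificate $1 and private key $2 share the same modulus.
cert_matches_key() {
    cert_mod=$(modulus_of x509 "$1")
    key_mod=$(modulus_of rsa "$2")
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Print the first key among $2... that matches certificate $1.
find_matching_key() {
    cert=$1; shift
    for key in "$@"; do
        if cert_matches_key "$cert" "$key"; then
            echo "$key"
            return 0
        fi
    done
    return 1
}

# Constructed demo files in directory $1: server.key and server.crt form a
# pair; other.key plays the key that was generated on a different machine.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=compasstest.example.com" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for key in "$demo_dir/other.key" "$demo_dir/server.key"; do
    if cert_matches_key "$demo_dir/server.crt" "$key"; then
        echo "MATCH:    $(basename "$key")"
    else
        echo "MISMATCH: $(basename "$key") (Apache would refuse this pair)"
    fi
done
rm -rf "$demo_dir"
```

`modulus_of req file.csr` gives the same check for a CSR, which shows whether a certificate was issued from a request made with the local key. A DER-encoded .cer file must first be converted to PEM with `openssl x509 -inform DER`.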
