mrgordonz asked:

Configure SSL with Apache 2.0.61 on Windows Server 2003

Hi Experts,

I provide application hosting and I have been asked to set up SSL on one of the servers I manage.  The server is already running Apache/2.0.61 (Win32) mod_ssl/2.0.61 OpenSSL/0.9.7m mod_jk/1.2.0.  (Apache was installed with the following binary:  apache_2.0.61-win32-x86-openssl-0.9.7m.msi).

I have found a bunch of links to HOW TOs, but they all seem to deal with generating a self-signed certificate.  In this case my customer has provided me with a certificate signed by VeriSign.  But I am not sure what to do with it.

This is urgent - I need to get SSL configured in the next few hours.

What do I do with the certificate file (compasstest.cer)?

Regards,

Paul Hobbs
ASKER CERTIFIED SOLUTION (raminhos)

This solution is only available to members.

mrgordonz (ASKER)

Thanks for the step-by-step instructions, but I am a bit confused.  I already have a certificate file which was provided by my customer for their domain:  compasstest.cer.  When I double-click the cer file they provided, it opens a little window which says it is a certificate with the following details:

Issued to: compasstest.<customerdomain>.com

Issued by: VeriSign Class 3 Secure Server CA

How do I use this certificate file?

Cert must be placed in the dir where your Apache must get it... depending on your Apache configuration.

But don't I need to somehow tell Apache that the cert exists?  Don't I need to install it somehow?  Forgive me if my questions are dumb - this is the first time I have configured SSL.

I have followed all your instructions and restarted Apache service, but it doesn't work.  When I check to see if anything is listening on port 443, there is nothing.  Apache is still listening on port 80, but not 443.  Also, where do I put the certificate file provided by the customer?

An update:  I commented out the IF DEFINE bits in ssl.conf and now Apache is listening on port 443.  But when I browse to the site it says the certificate is not valid because it is self signed.  Which is not what I want because I have a certificate provided by the customer.

Further update:

I have tried following the instructions on the VeriSign site (https://www.experts-exchange.com/questions/23849415/Configure-SSL-with-Apache-2-0-61-on-Windows-Server-2003.html?anchorAnswerId=22810212#a22810212).  The steps I followed are:

1.  generated a CSR file (openssl req -config openssl.cnf -new -out <customer_domain>.csr)
2.  generate a private key (openssl rsa -in privkey.pem -out <customer_domain>.key)
3.  download intermediate certificate from VeriSign
4.  install certificate from VeriSign (copy <customer_domain>.cer file to conf\ssl folder, along with key file and intermediate.crt file)

Now when I try to start Apache it won't start and I get the following error:

[Mon Oct 27 17:25:25 2008] [error] Unable to configure RSA server private key
[Mon Oct 27 17:25:25 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

If I uncomment <IfDefine> in ssl.conf Apache will start, but it is not listening on port 443.

I am completely lost as to what to do next.  

All the tutorials I have found only describe using a self signed certificate.  That doesn't help me - I have been provided with a certificate which is signed by VeriSign.  But I don't know what to do with it.  

Is the customer also meant to provide a CSR file?  Should they provide the .KEY file or the .PEM file?  

HELP!!  This is really urgent.

No-one can help me?

Surely someone out there has installed a VeriSign certificate with Apache???

I have followed those instructions, and I get to a point where the instructions don't make sense to me:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Step 1: Install CA Certificate
 
Secure Site
If you are installing a Secure Site Certificate, you need to first install the Secure Site Intermediate CA Certificate.
 
Secure Site Pro
If you are installing a Secure Site Pro Certificate, you need to first install the Secure Site Pro Intermediate CA Certificate. (I did this as per the instructions below)
 
1. Copy the intermediate certificate into text file and name it intermediate.crt. This file can be placed in the same directory as your SSL Certificate. For example: /usr/local/ssl/crt
(I created the intermediate.crt file as instructed, and saved it to the folder C:\apache\Apache2\conf\ssl)
 
Step 2: Install the SSL Certificate
 
Your VeriSign certificate will be sent via email. If the certificate is included as an attachment (Cert.cer), you may use the file. If the certificate is imbedded in the body of the email, copy and paste it into a text file (save as public.crt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
 
1. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
(I received the certificate as an email attachment - compasstest.cer - and renamed it to compasstest.crt.  It is located in the folder C:\apache\Apache2\conf\ssl, along with intermediate.crt)
 
2. Copy your Certificate into the directory that you will be using to hold your certificates. For example: /usr/local/ssl/crt/.
 
Step 3: Configure the Server
 
1. In order to use the key pair, the httpd.conf file will need to be updated.
(This is where I get stuck.  What key pair?  How do I create the file private.key that is mentioned below?)
 
2. In the Virtual Host settings for your site locate the httpd.conf file. Verify that you have the following 3 directives within this Virtual Host. Please add them if they are not present:
 
SSLCertificateFile /usr/local/ssl/crt/public.crt  

SSLCertificateKeyFile /usr/local/ssl/private/private.key  

SSLCACertificateFile /usr/local/ssl/crt/intermediate.crt

The first directive tells Apache how to find the Certificate File, the second one where the private key is located, and the third line the location of the intermediate certificate.

If you are using a different location and certificate file names than the example above (which most likely you are) you will need to change the path and filename to reflect your server.

Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.

3. Save your httpd.conf file and restart Apache. You can most likely do so by using the apachectl script:

apachectl stop
apachectl startssl

4. You should now be set to start using your VeriSign certificate with your Apache-SSL Server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheers,

Paul

I think I understand the problem now.  The certificate I have been provided was created by VeriSign using a CSR which was NOT generated on my server.  Consequently, the certificate will not work on my server.

Does that sound correct?

I think you can't use it then

Didn't quite solve the problem, but provided me with good information that ultimately helped me to solve the problem.  The key was that I am not using a self-signed certificate, but a signed certificate from a Certificate Authority (eg: VeriSign). A signed certificate won't work unless the CSR and the Private key were created on the actual server where the signed certificate is being installed.  It is now all working perfectly.  Very helpful tips regarding URL re-writing and general Apache config - thanks.
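
The "key values mismatch" error quoted in the thread is raised when the public key inside the certificate does not correspond to the private key Apache was given. The script below is an added example, not part of the original thread: it compares the RSA modulus of a certificate and a key using the same openssl tool the thread uses. The function names and the sample files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a private key belongs to a certificate before
# naming them in SSLCertificateFile / SSLCertificateKeyFile.

# RSA modulus of a certificate; tries PEM, then DER (assumption: a .cer
# exported on Windows may be DER-encoded).
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null ||
        openssl x509 -noout -modulus -inform DER -in "$1" 2>/dev/null
}

# RSA modulus of an unencrypted PEM private key.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# 0 = key matches cert, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    c=$(cert_modulus "$1") || return 2
    k=$(key_modulus "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample material (not from the thread): key a.key with its own
# self-signed a.crt, a DER copy a.cer, and an unrelated key b.key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=compasstest.example.com" \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/a.crt" -outform DER -out "$1/a.cer" &&
    openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1
}

report() {
    rc=0; key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1" ;;
        *) echo "ERROR: could not parse $1 or $2" ;;
    esac
}

if [ "$#" -eq 2 ]; then
    report "$1" "$2"                       # e.g. a certificate and its key
else
    tmp=$(mktemp -d) && make_samples "$tmp" &&
        report "$tmp/a.cer" "$tmp/a.key" && report "$tmp/a.crt" "$tmp/b.key"
    rm -rf "$tmp"
fi
```

Run with a certificate path and a key path as the two arguments to check real files; with no arguments it exercises the check on the constructed samples.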