setting up SSL on Windows with Apache1.3 using OpenSSL

Posted on 2014-07-11
Last Modified: 2014-07-15
I'm trying to generate an SSL certificate request on my server using OpenSSL. We're running Apache 1.3 on Windows. I also have Oracle 8i on the machine. It's too costly to upgrade the Oracle so I'm stuck with the older version of Apache.

I've installed OpenSSL and have generated a private key but the command to generate the certificate request (.csr file) gets errors that apparently have to do with the openssl config file, openssl.cnf. (see attached)

Here are my commands to generate the (1) private key and (2) the certificate request and the responses: actual command prompts bordered with (~)
OpenSSL> genrsa -rand c:\rand.dat -out c:\privatekey.key 2048
Loading 'screen' into random state - done
868 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
-------This worked! :-)

OpenSSL> req -new -key c:\privatekey.key -out c:\cert_request.csr -config c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
error on line -1 of c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
3564:error:02001005:system library:fopen:Input/output error:./crypto/bio/bss_fil
3564:error:2006D002:BIO routines:BIO_new_file:system lib:./crypto/bio/bss_file.c
3564:error:0E078002:configuration file routines:DEF_LOAD:system lib:./crypto/con
error in req
------this didn't :-(

I basically have two questions. What must I edit in the sample openssl.cnf file to make this work and how do I install the mod_ssl module into Apache? From what I've read I'll need that module to make SSL work in Apache.

BTW, I tried using the Oracle Wallet Manager but my ancient version of Oracle can't generate a key larger than 1024 while the standard now is 2048.

Question by:uomobello
    LVL 60

    Expert Comment

    You can check out the openssl.cnf sample (good if you can set the environment field for the directory to openssl, see way below example) and probably do all like generating the private and certificate via the openssl.cnf in one command instead of two steps.

    First off you need the CA root and generate private for it before generating for other as CA need to sign the issued key /cert. Below shared more info

    The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain, or the IP address.

    Check out below for the steps in Apache enabled SSL and you will need mod_ssl e.g. LoadModule ssl_module modules/

    There is Windows OpenSSL @
    On Windows you can also set the environment property OPENSSL_CONF. For example from the commandline you can type e.g.
    set OPENSSL_CONF=c:/libs/openssl-0.9.8k/openssl.cnf

    to validate it you can type: echo %OPENSSL_CONF%
    Now you can run openssl commands without having to pass the config location parameter.
    LVL 61

    Expert Comment

    Apache is free software. Upgrade any way you want. To v2.4.
    And fix 100 security bugs
    LVL 60

    Expert Comment

    Yep, don't suffer from the recent Heartbleed and related vulnerabilities. Below is an online SSL test which will help alert 'holes' for you to further tighten if your website is publicly accessible...
    LVL 61

    Expert Comment

    Anyway error message says it cannot open cnf file.
    You need to supply all settings in command line.
    LVL 60

    Accepted Solution

    Also notice the error list states it's trying to open a directory for reading?  Some try downloading a new version other than the "lite" version and see if it works as it is in the new installation with the path declared accordingly, esp. the "set OPENSSL_CONF=".

    but rather I suspect it is cfg vs cnf instead - see below

    Problems could be below:
    1. check the "openssl.cfg" file location and pass that file location:
    for example: pass like this to keytool:   -config  C:\OpenSSL-Win32\bin\openssl.cfg
    Where "openssl.cfg" should exist at location "C:\OpenSSL-Win32\bin\"  or provide the location according to your requirement where you have kept the "openssl.cfg".

    2. Check the name of the "openssl.cfg" file.
    Keep in mind: in a Linux environment it's named "openssl.cnf",
    whereas for Windows it's named "openssl.cfg".
    So, check the file extension.

    In my case, if you notice carefully, I had the 2nd problem.
    So changing the
     -config openssl.cnf          to     -config openssl.cfg
    Solved my issue.
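
The path and extension checks from the answers above, written as a PowerShell script. This is an added example, not code posted by anyone in the thread. The file paths are the ones quoted in the thread, except `C:\OpenSSL-Win32\bin\openssl.cnf`, which is an assumed extra candidate, and it assumes `openssl` is on PATH.

```powershell
# Added example: find a readable OpenSSL config file before running "req".
# Paths are taken from this thread; the third candidate is an assumption.
$candidates = @(
    'c:\oracle\ora9ias\apache\apache\conf\openssl.cnf',
    'C:\OpenSSL-Win32\bin\openssl.cfg',
    'C:\OpenSSL-Win32\bin\openssl.cnf'
)

function Find-OpenSslConfig {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # -PathType Leaf accepts only files; a directory cannot be opened by fopen()
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            try {
                # Open read-only to confirm this account can actually read the file
                $fs = [System.IO.File]::OpenRead($p)
                $fs.Dispose()
                return $p
            } catch {
                Write-Warning "Exists but cannot be read: $p ($($_.Exception.Message))"
            }
        } elseif (Test-Path -LiteralPath $p -PathType Container) {
            Write-Warning "Is a directory, not a file: $p"
        } else {
            Write-Warning "Not found: $p"
        }
    }
    return $null
}

$conf = Find-OpenSslConfig -Paths $candidates
if (-not $conf) { throw 'No readable openssl.cnf / openssl.cfg found; fix the path first.' }

# Same effect as "set OPENSSL_CONF=..." in cmd.exe, for this session only
$env:OPENSSL_CONF = $conf

# Generate the CSR from the existing private key (prompts for the subject fields)
& openssl req -new -key 'c:\privatekey.key' -out 'c:\cert_request.csr' -config $conf
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Print the subject so the Common Name can be checked against the server's hostname
& openssl req -in 'c:\cert_request.csr' -noout -subject
```

The warnings distinguish a missing file, a directory given in place of a file, and a file the account cannot read, which the `fopen` error in the question does not tell apart.
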
    LVL 61

    Expert Comment

    Oracle 8 mentioned - Oracle HTTP Server v8 will never support SSL keys bigger than 1024 bits, so it is out of internet by now.
