Setting up SSL on Windows with Apache 1.3 using OpenSSL

I'm trying to generate an SSL certificate request on my server using OpenSSL. We're running Apache 1.3 on Windows. I also have Oracle 8i on the machine. It's too costly to upgrade the Oracle so I'm stuck with the older version of Apache.

I've installed OpenSSL and have generated a private key, but the command to generate the certificate request (.csr file) gets errors that apparently have to do with the OpenSSL config file, openssl.cnf (see attached).

Here are my commands to generate the (1) private key and (2) the certificate request and the responses: actual command prompts bordered with (~)
(1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenSSL> genrsa -rand c:\rand.dat -out c:\privatekey.key 2048
Loading 'screen' into random state - done
868 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..................+++
.................................+++
e is 65537 (0x10001)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------This worked! :-)

(2)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenSSL> req -new -key c:\privatekey.key -out c:\cert_request.csr -config c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
error on line -1 of c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
3564:error:02001005:system library:fopen:Input/output error:./crypto/bio/bss_fil
e.c:126:fopen('c:\oracle\ora9ias\apache\apache\conf\openssl.cnf','rb')
3564:error:2006D002:BIO routines:BIO_new_file:system lib:./crypto/bio/bss_file.c
:131:
3564:error:0E078002:configuration file routines:DEF_LOAD:system lib:./crypto/con
f/conf_def.c:199:
error in req
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------this didn't :-(

I basically have two questions. What must I edit in the sample openssl.cnf file to make this work and how do I install the mod_ssl module into Apache? From what I've read I'll need that module to make SSL work in Apache.

BTW, I tried using the Oracle Wallet Manager but my ancient version of Oracle can't generate a key larger than 1024 while the standard now is 2048.

Thanks
openssl.txt
uomobello Asked:
 
btan (Exec Consultant) Commented:
Also notice the error list states it's trying to open a directory for reading? Some try downloading a new version other than the "lite" version and see if it works as it is in the new installation with the path declared accordingly, esp. the "set OPENSSL_CONF=".

But rather I suspect it is cfg vs cnf instead - see below:
http://java-with-shiva.blogspot.sg/2013/06/system-libraryfopenno-such-file-or.html

The problems could be as below:
1. Check the "openssl.cfg" file location and pass that file location:
for example, pass it like this to keytool:   -config  C:\OpenSSL-Win32\bin\openssl.cfg
where "openssl.cfg" should exist at location "C:\OpenSSL-Win32\bin\", or provide the location according to your requirement where you have kept the "openssl.cfg".

2. Check the name of the "openssl.cfg" file.
Keep in mind: in a Linux environment it's named "openssl.cnf",
whereas for Windows it's named "openssl.cfg".
So, check the file extension.

In my case, if you notice carefully, I had the 2nd problem.
So changing
 -config openssl.cnf     to     -config openssl.cfg
solved my issue.
0
 
btan (Exec Consultant) Commented:
You can check out the openssl.cnf sample (good if you can set the environment field for the directory to openssl, see the example way below) and probably do it all, like generating the private key and certificate via openssl.cnf, in one command instead of two steps.

First off, you need the CA root and generate a private key for it before generating for others, as the CA needs to sign the issued key/cert. More info is shared below:
http://www.flatmtn.com/article/setting-ssl-certificates-apache

The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain, or the IP address.

Check out the links below for the steps to enable SSL in Apache; you will need mod_ssl, e.g. LoadModule ssl_module modules/mod_ssl.so
http://rubayathasan.com/tutorial/apache-ssl-on-windows/
http://docs.oracle.com/cd/A95431_01/install/ssl.htm

There is Windows OpenSSL @ http://slproweb.com/products/Win32OpenSSL.html
On Windows you can also set the environment property OPENSSL_CONF. For example, from the command line you can type:
set OPENSSL_CONF=c:/libs/openssl-0.9.8k/openssl.cnf

To validate it you can type: echo %OPENSSL_CONF%
Now you can run openssl commands without having to pass the config location parameter.
0
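
An added example, not part of any post in this thread: a PowerShell sketch of the checks discussed above (config file name and location, OPENSSL_CONF) before generating and inspecting the CSR. The openssl.exe path and the subject string are assumptions; the config candidates and key/CSR paths are the ones quoted in the thread.

```powershell
# Added example. Assumed values are marked; adjust them to your installation.
$OpenSsl = 'C:\OpenSSL-Win32\bin\openssl.exe'       # assumption: install location
$KeyFile = 'C:\privatekey.key'                      # key from step (1) of the question
$CsrFile = 'C:\cert_request.csr'
$Subject = '/C=US/O=Example Org/CN=www.example.com' # placeholder; CN = server hostname

# 1. Pick the first config candidate that exists as a regular file.
#    Covers both naming variants (.cnf / .cfg) mentioned in the thread.
$candidates = @(
    'c:\oracle\ora9ias\apache\apache\conf\openssl.cnf',
    'C:\OpenSSL-Win32\bin\openssl.cfg',
    'C:\OpenSSL-Win32\bin\openssl.cnf'
)
$config = $candidates |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    Select-Object -First 1
if (-not $config) {
    throw "No OpenSSL config file found. Checked: $($candidates -join ', ')"
}

# 2. Fail with a clear message instead of an fopen/BIO error stack.
foreach ($f in @($OpenSsl, $KeyFile)) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        throw "Missing file: $f"
    }
}

# 3. Set OPENSSL_CONF for this session so -config is not needed.
$env:OPENSSL_CONF = $config
Write-Host "Using config: $env:OPENSSL_CONF"

# 4. Generate the CSR from the existing key; -subj supplies the
#    distinguished name on the command line instead of prompting.
& $OpenSsl req -new -key $KeyFile -out $CsrFile -subj $Subject
if ($LASTEXITCODE -ne 0) {
    throw "openssl req failed with exit code $LASTEXITCODE"
}

# 5. Print the CSR and check its self-signature. Review the subject
#    and the public key size in the output before sending it to a CA.
& $OpenSsl req -in $CsrFile -noout -verify -text
```

The `$env:OPENSSL_CONF` assignment only lasts for the current PowerShell session; it is the equivalent of the `set OPENSSL_CONF=` command shown above.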
 
gheist Commented:
Apache is free software. Upgrade any way you want. To v2.4.
And fix 100 security bugs
https://www.openssl.org/news/openssl-0.9.8-notes.html
https://httpd.apache.org/security_report.html
0
 
btan (Exec Consultant) Commented:
Yep, don't suffer from the recent Heartbleed and related vulnerabilities. Below is an online SSL test which will help alert you to 'holes' to further tighten if your website is publicly accessible...
https://www.ssllabs.com/ssltest/
0
 
gheist Commented:
Anyway error message says it cannot open cnf file.
You need to supply all settings in command line.
0
 
gheist Commented:
Oracle 8 mentioned - Oracle HTTP Server v8 will never support SSL keys bigger than 1024 bits, so it is out of internet by now.
0