Setting up SSL on Windows with Apache 1.3 using OpenSSL

I'm trying to generate an SSL certificate request on my server using OpenSSL. We're running Apache 1.3 on Windows. I also have Oracle 8i on the machine. It's too costly to upgrade the Oracle so I'm stuck with the older version of Apache.

I've installed OpenSSL and have generated a private key, but the command to generate the certificate request (.csr file) gets errors that apparently have to do with the OpenSSL config file, openssl.cnf (see attached).

Here are my commands to generate the (1) private key and (2) the certificate request and the responses: actual command prompts bordered with (~)
(1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenSSL> genrsa -rand c:\rand.dat -out c:\privatekey.key 2048
Loading 'screen' into random state - done
868 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..................+++
.................................+++
e is 65537 (0x10001)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------This worked! :-)

(2)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenSSL> req -new -key c:\privatekey.key -out c:\cert_request.csr -config c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
error on line -1 of c:\oracle\ora9ias\apache\apache\conf\openssl.cnf
3564:error:02001005:system library:fopen:Input/output error:./crypto/bio/bss_fil
e.c:126:fopen('c:\oracle\ora9ias\apache\apache\conf\openssl.cnf','rb')
3564:error:2006D002:BIO routines:BIO_new_file:system lib:./crypto/bio/bss_file.c
:131:
3564:error:0E078002:configuration file routines:DEF_LOAD:system lib:./crypto/con
f/conf_def.c:199:
error in req
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------this didn't :-(

I basically have two questions. What must I edit in the sample openssl.cnf file to make this work and how do I install the mod_ssl module into Apache? From what I've read I'll need that module to make SSL work in Apache.

BTW, I tried using the Oracle Wallet Manager but my ancient version of Oracle can't generate a key larger than 1024 while the standard now is 2048.

Thanks
openssl.txt
uomobello (Web Systems Manager) asked:
btan (Exec Consultant) commented:
You can check out the openssl.cnf sample (good if you can set the environment field for the directory to openssl, see the example way below) and probably do it all, like generating the private key and certificate via the openssl.cnf, in one command instead of two steps.

First off, you need the CA root and to generate a private key for it before generating for others, as the CA needs to sign the issued key/cert. More info is shared below:
http://www.flatmtn.com/article/setting-ssl-certificates-apache

The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain, or the IP address.

Check out below for the steps in Apache enabled SSL and you will need mod_ssl e.g. LoadModule ssl_module modules/mod_ssl.so
http://rubayathasan.com/tutorial/apache-ssl-on-windows/
http://docs.oracle.com/cd/A95431_01/install/ssl.htm

There is Windows OpenSSL @ http://slproweb.com/products/Win32OpenSSL.html
On Windows you can also set the environment property OPENSSL_CONF. For example from the commandline you can type e.g.
set OPENSSL_CONF=c:/libs/openssl-0.9.8k/openssl.cnf

to validate it you can type: echo %OPENSSL_CONF%
Now you can run openssl commands without having to pass the config location parameter.
0
gheist commented:
Apache is free software. Upgrade any way you want. To v2.4.
And fix 100 security bugs
https://www.openssl.org/news/openssl-0.9.8-notes.html
https://httpd.apache.org/security_report.html
0
btan (Exec Consultant) commented:
Yap, don't suffer from the recent Heartbleed and related vulnerabilities. Below is an online SSL test which will help alert 'holes' for you to further tighten if your website is publicly accessible...
https://www.ssllabs.com/ssltest/
0
gheist commented:
Anyway error message says it cannot open cnf file.
You need to supply all settings in command line.
0
btan (Exec Consultant) commented:
Also notice the error list states it's trying to open a directory for reading? Some try downloading a new version other than the "lite" version and see if it works as it is in the new installation with the path declared accordingly, esp. the "set OPENSSL_CONF=".

But rather I suspect it is cfg vs cnf instead - see below
http://java-with-shiva.blogspot.sg/2013/06/system-libraryfopenno-such-file-or.html

Problems could be below:
1. check the "openssl.cfg" file location and pass that file location:
for example: pass like this to keytool:   -config  C:\OpenSSL-Win32\bin\openssl.cfg
Where "openssl.cfg" should exist at location "C:\OpenSSL-Win32\bin\"  or provide the location according to your requirement where you have kept the "openssl.cfg".

2. Check the name of the "openssl.cfg" file.
Keep in mind: in a Linux environment it's named "openssl.cnf",
whereas for Windows it's named "openssl.cfg".
So, Check for the file extension.

In my case, if you notice carefully, I had the 2nd problem.
So changing the
 -config openssl.cnf          to     -config openssl.cfg
Solved my issue.
0
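
A pre-flight check for the failure discussed in the comments above (a config file that `req` cannot open, the `.cnf` versus `.cfg` naming, and the `OPENSSL_CONF` fallback), as an added example that is not part of any participant's post. The function name `resolve_openssl_config` and the sample files are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def resolve_openssl_config(config_arg=None, env=None):
    """Return (path, note); path is None when no usable config file exists.

    Mirrors the precedence openssl itself uses: an explicit -config
    argument wins, otherwise the OPENSSL_CONF environment variable.
    """
    env = os.environ if env is None else env
    candidate = config_arg or env.get("OPENSSL_CONF")
    if not candidate:
        return None, "no -config argument and OPENSSL_CONF is not set"
    path = Path(candidate)
    if path.is_dir():
        return None, f"{path} is a directory, not a config file"
    if path.is_file():
        try:
            with open(path, "rb"):  # same mode as the fopen(..., 'rb') in the error
                pass
        except OSError as exc:
            return None, f"{path} exists but cannot be opened: {exc}"
        return path, "ok"
    # The .cnf/.cfg mix-up from the thread: look for the sibling name.
    for ext in (".cfg", ".cnf"):
        sibling = path.with_suffix(ext)
        if sibling != path and sibling.is_file():
            return sibling, f"{path.name} not found; found {sibling.name} instead"
    return None, f"{path} not found (also tried .cfg/.cnf next to it)"


if __name__ == "__main__":
    # Constructed sample: a directory that holds openssl.cfg but not openssl.cnf.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "openssl.cfg").write_text("[req]\n")
        for arg in (str(Path(d) / "openssl.cnf"), d, str(Path(d) / "missing.cnf")):
            print(resolve_openssl_config(arg, env={}))
```

Run it with the same path you intend to pass to `-config`; a `None` result means `openssl req` would fail before it ever reads a setting.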

gheist commented:
Oracle 8 mentioned - Oracle HTTP Server v8 will never support SSL keys bigger than 1024 bits, so it is out of internet by now.
0