Apache 2.2 with SSL on Windows
There are a few services I run that I need to access over the web that I do not want anyone watching (phpMyAdmin, for example). The simple solution is to encrypt this traffic with SSL certificates. Here is how I did it on Windows with Apache 2.2:
- Install the latest Apache 2.2 with OpenSSL: http://httpd.apache.org/download.cgi.
- Open the Command Prompt and change to [apache 2.2 path]/bin.
- Enter:
openssl req -config ../conf/openssl.cnf -new -out foo.csr -keyout foo.pem
Fill out the prompts as best you can; most of them can be left blank. The notable exceptions are the PEM pass phrase (foo.pem is written encrypted with it) and the Common Name, which must be the host name exactly as it will appear in the browser's address bar, otherwise the browser adds a name-mismatch warning on top of the self-signed one. Leave the Challenge Password at the end blank.
- Enter:
openssl rsa -in foo.pem -out foo.key
You will be asked for the pass phrase from the previous step. This writes the same key out unencrypted so Apache can start without prompting; from here on foo.key is the whole secret.
- Enter:
openssl x509 -in foo.csr -out foo.crt -req -signkey foo.key -days 3650
Replace 3650 with however many days you want the certificate to be valid for.
- You now have four files: foo.crt, foo.csr, foo.key, and foo.pem. Apache only needs foo.crt and foo.key, so you may delete the other two (keep foo.csr if you want to issue a renewed certificate from the same key later on).
- Move the two remaining files somewhere the web server cannot serve them from (not under htdocs or any directory you have an Alias for), and restrict the NTFS permissions on foo.key to Administrators and the account the Apache service runs as.
- Open [apache 2.2 path]/conf/httpd.conf in your favorite text editor. Uncomment the line
LoadModule ssl_module modules/mod_ssl.so
and make sure the line
Include conf/extra/httpd-ssl.conf
is also uncommented, otherwise the next file is never read.
- Open [apache 2.2 path]/conf/extra/httpd-ssl.conf and make sure the line
Listen 443
is present and not commented out. Note that the stock file also carries a <VirtualHost _default_:443> block whose SSLCertificateFile and SSLCertificateKeyFile point at conf/server.crt and conf/server.key; point those at your files (or remove the block), or Apache will refuse to start because those files do not exist.
- In Windows Explorer browse to [apache 2.2 path]/conf and open the configuration for the site you want to SSL-enable. If it is a virtual host, make sure it is declared on port 443 (<VirtualHost *:443>). Add the lines
SSLEngine on
SSLCertificateFile "[foo.crt path]"
SSLCertificateKeyFile "[foo.key path]"
using forward slashes in the paths.
- Check the configuration syntax, then restart Apache 2.2:
bin\httpd.exe -t
net stop apache2.2
net start apache2.2
Some notes:
- Certificates are bound to a whole host or virtual host, not to a single directory. If you only want part of a site behind SSL, a redirect from the plain virtual host to the https one, plus some allows and denies in your web root, gets you most of the way there.
- Without SNI, only one SSL virtual host per IP address and port is possible: the server has to pick a certificate before it has seen the Host header. SNI lifts this restriction (Apache 2.2.12 and later with an OpenSSL built with TLS extensions), but some clients, Internet Explorer on Windows XP among them, do not send it, so on a single-IP box plan on one SSL site.
- These certificates are self-signed, so anyone who visits your new secure site will most likely be greeted with a warning they must accept before continuing. You set the certificate up yourself, so you know nothing fishy is going on, but they do not; the honest way to let them check is to hand them the certificate fingerprint (openssl x509 -in foo.crt -noout -fingerprint) out of band so they can compare it with what the browser shows. If you want to avoid the warning altogether you will have to pay Verisign or another CA the browsers already trust.
- Check out the SSLProtocol, SSLCipherSuite and SSLCARevocationFile directives (which you will notice are missing from my instructions) to further lock down your site; at minimum turn off SSLv2 and the NULL and export ciphers.
- Remember that if you ever change your certificate in any way, clients that stored an exception for the old one will see the warning again, with a different fingerprint, which is exactly what an impersonation attempt would look like to them; tell them before you rotate it.
- I generally replace foo with the domain name.
- This was always meant as a quick-and-dirty howto; the Apache site has the full documentation.
- I am running Windows XP SP3, Apache 2.2.14, and the included OpenSSL 0.9.8k.
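The whole procedure above as one script, which also applies the cipher-suite and fingerprint points from the notes so the certificate can be regenerated the same way when it expires. This is an added example, not code from the original post or from the Apache project. It assumes Apache is installed in C:\Apache2.2 and registered as the Apache2.2 service (the installer default), that the site is admin.example.com, and that key material is kept in C:\Apache2.2\ssl; all of those are placeholders to edit. Run it from an Administrator PowerShell prompt.

```powershell
# Added example, not part of the original post: the same steps as a script
# you can re-run when the certificate expires. Assumptions (edit to taste):
# Apache is installed in C:\Apache2.2, the service is named Apache2.2 (the
# installer default), the site is admin.example.com, and key material is kept
# in C:\Apache2.2\ssl, which is outside htdocs so Apache cannot serve it.
param(
    [string]$ApacheRoot  = 'C:\Apache2.2',
    [string]$HostName    = 'admin.example.com',   # becomes the Common Name
    [int]   $Days        = 3650,
    [string]$ServiceName = 'Apache2.2'
)

$openssl = Join-Path $ApacheRoot 'bin\openssl.exe'
$cnf     = Join-Path $ApacheRoot 'conf\openssl.cnf'
$httpd   = Join-Path $ApacheRoot 'bin\httpd.exe'
$sslDir  = Join-Path $ApacheRoot 'ssl'
$key     = Join-Path $sslDir "$HostName.key"
$csr     = Join-Path $sslDir "$HostName.csr"
$crt     = Join-Path $sslDir "$HostName.crt"

foreach ($f in $openssl, $cnf, $httpd) {
    if (-not (Test-Path $f)) { throw "missing $f - is ApacheRoot right?" }
}
if (-not (Test-Path $sslDir)) { New-Item -ItemType Directory -Path $sslDir | Out-Null }

# 1. Private key + CSR. -nodes writes the key unencrypted, which is what the
#    'openssl rsa -in foo.pem -out foo.key' step in the post achieves (Apache
#    cannot start unattended with a pass-phrase-protected key anyway).
#    -subj answers the prompts, so the Common Name is always the host name and
#    no challenge password gets set.
& $openssl req -config $cnf -new -newkey rsa:2048 -nodes `
    -keyout $key -out $csr -subj "/CN=$HostName"
if ($LASTEXITCODE -ne 0) { throw 'key/CSR generation failed' }

# 2. Self-sign the CSR with its own key (the post's x509 -req -signkey step).
& $openssl x509 -req -in $csr -signkey $key -days $Days -out $crt
if ($LASTEXITCODE -ne 0) { throw 'self-signing failed' }
Remove-Item $csr   # Apache only uses the .key and .crt

# 3. Print subject, validity and fingerprint. Keep the fingerprint: it is the
#    only way to tell "my self-signed cert" from "someone else's self-signed
#    cert" when the browser warning appears.
& $openssl x509 -in $crt -noout -subject -dates -fingerprint -sha1

# 4. Restrict the private key to SYSTEM (the account the Apache service runs
#    as by default) and Administrators; drop every inherited ACE.
$acl = Get-Acl $key
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $id, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $key -AclObject $acl

# 5. Write the virtual host. Listen 443 still comes from conf/extra/httpd-ssl.conf
#    as in the post; this file must be pulled in by an Include line in httpd.conf.
#    Apache prefers forward slashes in paths on Windows.
$vhost   = Join-Path $ApacheRoot 'conf\extra\httpd-vhosts-ssl.conf'
$crtPath = $crt -replace '\\', '/'
$keyPath = $key -replace '\\', '/'
$docRoot = (Join-Path $ApacheRoot 'htdocs') -replace '\\', '/'
@"
<VirtualHost *:443>
    ServerName $HostName
    DocumentRoot "$docRoot"
    SSLEngine on
    SSLCertificateFile "$crtPath"
    SSLCertificateKeyFile "$keyPath"
    # From the notes: pin down protocol and ciphers instead of taking the defaults
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"@ | Set-Content -Path $vhost -Encoding ASCII
Write-Host "wrote $vhost - add 'Include conf/extra/httpd-vhosts-ssl.conf' to httpd.conf if it is not there yet"

# 6. Syntax-check everything before touching the running service. This also
#    catches the stock httpd-ssl.conf still pointing at conf/server.crt, which
#    does not exist unless you created it.
& $httpd -t
if ($LASTEXITCODE -ne 0) { throw 'httpd -t failed; fix the config before restarting' }

# 7. Same as net stop / net start in the post.
Restart-Service -Name $ServiceName
```

The script deliberately stops at the config test if anything is off, so a typo in a path never takes the running site down with it; the fingerprint printed in step 3 is the value to hand to the people who will be clicking through the self-signed warning.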