Version 1.4.1 (changelog: view source)
This page describes the installation of the Win32 version of Apache with
the mod_ssl extension. The newest version should always be available from
http://tud.at/programm/apache-ssl-win32-howto.php3.
This process worked for many people on Windows NT, 98, ME and 2000; please
mail me your suggestions and bug reports.
You can even install Apache with SSL in addition to the Microsoft Internet
Information Server if you need to.
Apache with mod_ssl seems to be the only free (as in speech, not in beer) solution for Win32. Please note that Apache on Win32 is considered beta quality as it doesn't reach the stability and performance of Apache on Un*x platforms.
Get the Win32 version of the Apache web server from one of the mirrors. It is called something like
apache_x_y_z_win32.exe. This is a self-extracting archive that
contains the Apache base system and sample configuration files.
Install Apache as described in http://www.apache.org/docs/windows.html.
Change at least the following parameters in
Apache-dir/conf/httpd.conf:
[Replace all occurences of www.my-server.com with the real
domain name!]
Port 443 (You might need to tweak IIS not to listen on
443)Listen 80Listen 443ServerName www.my-server.comDocumentRoot and the corresponding
<Directory some-dir> to your
Inetpub\wwwrootInstall the Apache service (NT only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Try http://my-server.com:443/. It won't be encrypted yet but if this works then the port configuration (port 443) is right.
Go to http://www.modssl.org/contrib/
and find a file called like Apache_X-mod_ssl_Y-openssl_Z-WIN32-i386.zip.
Download and unzip it to a new directory.
NOTE: Apache_1.3.12-mod_ssl_2.6.1-openssl_0.9.5-WIN32-i386.zip had
some stability problems when I tried it. Your mileage may vary.
The previous version (1.3.9) is very stable.
If you need the newest versions, you will have to compile them yourself.
Copy the files ssleay32.dll and libeay32.dll
from the Apache directory to WINNT\System32.
You'll need a config file for OpenSSL.exe.
Here is one (right-click on it and "Save as...").
Copy it to the directory openssl.exe is in.
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -config openssl.cnf -new -out my-server.csr
This creates a certificate signing request and a private key. When asked for
"Common Name (eg, your websites domain name)", give
the exact name of your web server (e.g. www.my-server.com). The certificate
belongs to this server name and browsers complain if the name doesn't
match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what
this means; my-server.key should be only readable by the apache
server and the administrator.
You should delete the .rnd file because it contains the entropy
information for creating the key and could be used for cryptographic
attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a
"real" one from a certificate authority. (Which is optional; if you
know your users, you can tell them to install the certificate into their
browsers.) Note that this certificate expires after one year, you can
increase -days 365 if this isn't OK.
If you have users with MS Internet Explorer 4.x and want them to be able
to install the certificate into their certificate storage (by downloading and
opening it), you need to create a DER-encoded version of the certificate.
openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
Create an Apache/conf/ssl directory and move
my-server.key and my-server.cert into it.
Copy the files from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first!).
Find the LoadModule directives in your httpd.conf file and
add this after the existing ones:
LoadModule ssl_module modules/ApacheModuleSSL.dll or
LoadModule ssl_module modules/ApacheModuleSSL.so in newer versions.
Add the following to the end of httpd.conf:
# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK
<VirtualHost www.my-server.com:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Don't forget to call apache with -D SSL if the IfDefine directive
is active in the config file!
You might need to use regedit to change the key
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the
correct number if the apache.exe from
modssl.org/contrib is not the same version as the previously installed
one.
Start the server, this time from the command prompt (not as a service) in
order to see the error messages that prevent Apache from starting. If
everything is OK, (optionally) press CTRL+C to stop the server and start it
as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen
and/or into the error.log and SSL.log files in the Apache/logs directory.
If something doesn't work, set all LogLevels to the maximum
and look into the logfiles. They are very helpful.
DON'T e-mail me or the other contributors without having plain Apache
installed (Step 1). We will ignore your request; we are not the Free Apache Helpdesk and
there is enough good documentation on configuring Apache; if that is not enough for
you, you shouldn't run a secure server anyway.
Also, DON'T e-mail without having looked into
the error.log and SSL.log with LogLevel set to Debug.
Problems connecting to the server with a browser can have many reasons, many of them on the client (proxy, DNS, general IE dumbness).
So, if you encounter problems connecting with SSL, try another browser and/or look into the settings. If even this doesn't work, you can use OpenSSL to debug the problem.
bb@www$ openssl s_client -connect no-such-machine:443
gethostbyname failure # Error resolving this DNS name. Connect with the IP address.
connect:errno=2
bb@www$ openssl s_client -connect www1.tud.at:443
connect: Connection refused
connect:errno=111
# No SSL server on this port. Double-check the Listen and Port directives.
bb@www$ openssl s_client -connect apcenter.apcinteractive.net:443
# everything OK. OpenSSL shows the information it obtained from the server.
CONNECTED(00000003)
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
verify return:1
---
Certificate chain
0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
[...]
9ucXUnk=
-----END CERTIFICATE-----
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/Email=bb@apcinteractive.net
---
No client certificate CA names sent
---
SSL handshake has read 1281 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
Session-ID-ctx:
Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
Key-Arg : None
Start Time: 980696025
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[Enter:
get / http/1.1
and press RETURN twice]
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: 0
Pragma: no-cache
X-Powered-By: PHP/4.0.4
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
# the server shows its main document
Please drop me a line if you had success with this HOWTO on a Whistler Beta.
Don't ask us about installing servlet extensions, recompiling mod_ssl or Apache with EAPI,
recompiled versions etc. We have no idea and won't be able help you. We are just users and not
programmers.
If your needs are so special, you are better off with a
Debian GNU/Linux or
OpenBSD server. It will save you lots of trouble. Really.
Apache Web Server:
http://www.apache.org
mod_ssl: http://www.modssl.org
mod_ssl configuration: http://www.modssl.org/docs/2.4/ssl_reference.html
OpenSSL: http://www.openssl.org
PHP Hypertext preprocessor: http://www.php.net
Author of this document: Balázs
Bárány (http://tud.at)
(mail me your questions, but only after having looked into the error logs with
LogLevel debug. I speak English, German and Hungarian.)
Contributor: Horst
Bräuner (OpenSSL configuration on NT)
Contributor: Christoph Zich
(Windows 98)
Contributor: Torsten Stanienda
(Test with 1.3.12, IfDefine directive)
Last change: 2001-04-06