1. Install OpenSSL
OpenSSL is free, but the main site only distributes source code. They have a binary
distributions page, but it only links to an installer made by Shining Light Productions. I
haven't tried that, because I don't want any more crap in Add/Remove Programs.
Unzip the file somewhere on your computer and copy libeay32.dll and ssleay32.dll
to your Windows\System32 directory. If you've dealt with SSL at all before, especially as a
developer, you might already have copies of these there. Keep whatever is newest.
Open up a command prompt and go to the directory where you unzipped OpenSSL and run the
following command to create a new certificate request:
openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem
You'll be prompted to answer many questions; which ones depends on your openssl.cnf file. All
except two of these can be left blank:
• PEM pass phrase: Password associated with the private key (blarg.pem) you're
generating. Since we'll be removing this for the benefit of Apache 2.0.X, I suggest using
something like "none" or "password".
• Common Name: The fully-qualified domain name associated with this certificate. In my
example, I use www.blarg.com which means I damn well better use that certificate on
https://www.blarg.com/. For personal security, testing, or intranets it's okay for this to
not quite match -- just be prepared to deal with warnings from web browsers and such.
Now it's time to create a non-password protected key for Apache 2.0.X by executing the
following:
The only thing you'll be asked is the password you had used. Your resulting KEY file is essentially
the same thing as the PEM, just not password protected.
Before we go on, delete the .rnd file. This contains entropy information which could be used by
malicious people to try and crack your certificate later on (if they get a hold of it).
Finally, run the following command to create an X.509 certificate, i.e. the kind of certificate that
SSL likes to munch:
openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365
Congratulations, you've created a self-signed certificate! Keep the KEY and CERT files someplace
safe; we'll be using them soon.
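The certificate commands above as one batch file, followed by a check that blarg.cert and blarg.key really belong together and an ACL on the unencrypted key. This is an added example, not the author's script: the `openssl rsa` line is this example's choice for the passphrase-removal step, and the `icacls` accounts assume Apache runs as a service under the default LocalSystem account.

```bat
@echo off
rem Added example. Assumes openssl.exe and openssl.cnf are in the current
rem directory and uses the page's file names (blarg.*).
setlocal

rem Request plus passphrase-protected key (prompts for pass phrase, Common Name).
openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem || goto :fail

rem Unencrypted copy of the key for Apache (prompts for the pass phrase).
rem Assumption: this is the example's command for the passphrase-removal step.
openssl rsa -in blarg.pem -out blarg.key || goto :fail

rem Self-sign the request for 365 days.
openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365 || goto :fail

rem Remove the random seed file if OpenSSL wrote it to this directory.
if exist .rnd del .rnd

rem The certificate's public modulus must equal the private key's modulus;
rem if they differ, Apache will refuse to start with this pair.
set CERTMOD=
set KEYMOD=
for /f "delims=" %%m in ('openssl x509 -noout -modulus -in blarg.cert') do set CERTMOD=%%m
for /f "delims=" %%m in ('openssl rsa -noout -modulus -in blarg.key') do set KEYMOD=%%m
if not defined CERTMOD goto :fail
if not defined KEYMOD goto :fail
if not "%CERTMOD%"=="%KEYMOD%" (echo Key and certificate do not match & goto :fail)

rem Show what a browser will see: subject (Common Name) and validity window.
openssl x509 -noout -subject -dates -in blarg.cert

rem blarg.key has no passphrase, so the file ACL is its only protection:
rem drop inherited permissions, leave read access to the service account only.
icacls blarg.key /inheritance:r /grant:r "SYSTEM:R" "Administrators:F" || goto :fail

echo Done: blarg.key and blarg.cert are ready to copy into conf\ssl.
exit /b 0

:fail
echo Certificate setup failed.
exit /b 1
```

Copying blarg.key into conf\ssl creates a new file that inherits that folder's permissions, so repeat the `icacls` line on the copy.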
3. Install Apache 2.0.X w/ mod_ssl.so
You can skip this section if you already have Apache 2 installed with mod_ssl.so.
• Change the line that says ServerRoot "c:/apache" to indicate the folder where you
unzipped Apache2, i.e. ServerRoot "c:/Program Files/Apache Group/Apache2".
The quotes are important, and remember to change all backslashes (\) to forward ones (/).
Open a command prompt, get to the bin directory (under the folder you created), and run the
following command to install Apache2 as a service:
apache -k install
Anytime you wish to start Apache2, you can go to the same directory and run apache -k start.
Restarting and stopping are much the same except you'll specify "restart" and "stop" after the
"-k". It's also possible to just use the NET START and NET STOP commands you're probably
familiar with; the name of the service for those commands will be "Apache2".
4. Enable SSL in Apache 2.0.X
Open up conf\httpd.conf in a text editor and look for the line LoadModule ssl_module
modules/mod_ssl.so and remove any pound sign (#) characters preceding it. If you don't see
that line where it probably should be (among the other LoadModule lines), then your installation
may not have mod_ssl.so ... can't help you there!
Also, while you're in conf\httpd.conf, make sure the following lines exist somewhere (they
should if you got Apache2 from hunter):
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
Create a directory under conf called ssl and copy the blarg.key and blarg.cert files you
created in step 2 there.
Restart the Apache2 service and voila! You got Apache2 running with SSL on Windows!