The Apache + SSL on Win32 HOWTO

Version 1.2

Overview

This page describes the installation of the Win32 version of Apache with the mod_ssl extension. The newest version should always be available from http://www.access-point.at/apdb/apache-ssl-win32-howto.php3.
This process worked on Windows NT and Windows 98; please mail me your suggestions and bug reports.
You can even install Apache with SSL in addition to the Microsoft Internet Information Server if you need to.

Apache with mod_ssl seems to be the only free (as in speech, not in beer) solution for Win32. Please note that Apache on Win32 is considered beta quality as it doesn't reach the stability and performance of Apache on Un*x platforms.

Microsoft IIS doesn't cost money either, and it has SSL, too. However, exported versions of it are only able to use 40-bit cryptography which is considered quite insecure. OpenSSL uses 128 bit that is much more secure. The other problem with IIS is that it doesn't seem to accept self-signed certificates which are quite useful for testing purposes and intranet servers.

1.: Install Apache

Get the Win32 version of the Apache web server from one of the mirrors. It is called something like apache_x_y_z_win32.exe. This is a self-extracting archive that contains the Apache base system and sample configuration files.

Install Apache as described in http://www.apache.org/docs/windows.html.

Change at least the following parameters in Apache-dir/conf/httpd.conf:

Port 443 (You might need to tweak IIS not to listen on 443)
(if not in addition to IIS) Listen 80
Listen 443
ServerName www.my-server.com
(if in addition to IIS) DocumentRoot and the corresponding <Directory some-dir> to your Inetpub\wwwroot
If you want to use PHP, configure it according to the instructions.

Install the Apache service (NT only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.

Try https://my-server.com. It won't be encrypted yet but if this works then the port configuration (port 443) is right.

2.: Get OpenSSL and mod_ssl

Go to http://www.modssl.org/contrib/ and find a file called like Apache_X-mod_ssl_Y-openssl_Z-WIN32-i386.zip. Download and unzip it to a new directory.

Copy the files ssleay32.dll and libeay32.dll from the Apache directory to WINNT\System32.

You'll need a config file for OpenSSL.exe. Here is one. Copy it to a directory called /usr/local/ssl/lib/ (you'll need to create this directory) on the drive openssl.exe is on and name it openssl.cnf. (You will need OpenSSL only for creating the certificate so you can delete this "ugly" directory afterwards.)

3.: Create a test certificate

The following instructions are from http://www.apache-ssl.org/#FAQ.

openssl req -new > my-server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact name of your web server (e.g. www.my-server.org). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographical attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year, you can increase -days 365 if this isn't OK.

Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.

4.: Configure Apache and mod_ssl

Copy the files from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first!).

Find the LoadModule directives in your httpd.conf file and add this after the existing ones:

LoadModule ssl_module modules/ApacheModuleSSL.dll

Add the following to the end of httpd.conf:

# see http://www.modssl.org/docs/2.4/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLLog logs/SSL.log
SSLLogLevel info
# You can later change this to "warn" if everything is OK

<VirtualHost www.my-server.com:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>

You might need to use regedit to change the key HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the correct number if the apache.exe from modssl.org/contrib is not the same version as the previously installed one.

Start the server, this time from the command prompt (not as a service) in order to see the error messages that prevent Apache from starting. If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into the error.log and SSL.log files in the Apache/logs directory.

Links

Apache Web Server: http://www.apache.org
mod_ssl: http://www.modssl.org
mod_ssl configuration: http://www.modssl.org/docs/2.4/ssl_reference.html
OpenSSL: http://www.openssl.org
PHP Hypertext preprocessor: http://www.php.net

Author of this document: Balázs Bárány (http://tud.at)
Contributor: Horst Bräuner (OpenSSL configuration on NT)
Contributor: Christoph Zich (Windows 98)

Last change: 2000-01-24