Monday, October 24, 2005

Apache 2 and modssl

A few months ago I did a complete setup of Apache 2.0.54 and the modssl package under Windows 2000 Server. This morning I had to add a renewed certificate so I decided to start my blog and put the guides that I used and edited up online.

Let's just say it's not without its hoops to jump through to get your Apache installation working under Windows!

There are a few places where you could go wrong and not realise it, and some of the guides aren't totally accurate, so I decided to collate my own with all the caveats associated with it. There is an additional guide after this one for moving a secure cert from IIS 5/6 to Apache 2 with mod_ssl.
Renewing the certificates with Thawte is quite easy as long as you follow their guidelines and don't forget which key goes with which certificate! It's easy to recover from this, but Apache gives very few indications of what is wrong (no error message on startup and no entries in the error log).
You can find which certificate matches which key using the following commands.

To view the certificate:
openssl x509 -noout -text -in <certificate-file>

To view the key:
openssl rsa -noout -text -in <key-file>


The exponent and the modulus should match in each; if not, it's not the correct pairing.

N.B. Apache under Windows doesn't support passphrases on the key. If you managed to miss this instruction in your haste to follow the on-screen prompts, you can remove the passphrase with the following command

openssl rsa -in file1.key -out file2.key

where file1.key is the key with the passphrase and file2.key is the same key with the encryption removed. You will be asked for the passphrase of file1.key when you run this, so if you don't remember what it is you are SOOL.
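The two checks above (does this key belong to this certificate, and is the key still passphrase protected) as one script. This is an added example, not code from the original post; it assumes the openssl CLI is on the PATH and the files are PEM encoded, and it compares the modulus of both files directly instead of eyeballing the -text output.

```shell
#!/bin/sh
# Added example, not from the original post: confirm a certificate and a private
# key belong together by comparing their RSA modulus (the check the text describes
# by eye), and spot a passphrase-protected key, which Apache on Windows cannot load.
# Assumes the openssl CLI is on the PATH and the files are PEM encoded.

# Print "Modulus=..." for a certificate; fails (non-zero) if the file is not a cert.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1"
}

# Print "Modulus=..." for an RSA private key. The empty -passin makes openssl fail
# immediately on an encrypted key instead of blocking on a passphrase prompt.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" -passin pass: 2>/dev/null
}

# Return 0 when the key file is passphrase protected. Both PEM forms carry the word:
# legacy "Proc-Type: 4,ENCRYPTED" headers and PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_pair CERT KEY -> 0 on a matching pair, 2 on an encrypted key, 1 otherwise.
check_pair() {
    cert="$1"; key="$2"
    if key_is_encrypted "$key"; then
        echo "$key is passphrase protected; strip it with: openssl rsa -in $key -out plain.key" >&2
        return 2
    fi
    c=$(cert_modulus "$cert") || return 1
    k=$(key_modulus "$key") || return 1
    if [ "$c" = "$k" ] && [ -n "$c" ]; then
        echo "match: $cert and $key share the same modulus"
        return 0
    fi
    echo "MISMATCH: $cert does not belong to $key" >&2
    return 1
}

# Stand-alone usage: sh check_pair.sh my-server.cert my-server.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```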

Enjoy the guides below, credit is given where credit is due.

Apache 2.0.54 with mod_ssl installation guide, adapted from the guide found on www.thompsonbd.com; kudos for helping me get my own installation set up.

1. Caveats

This tutorial assumes that you already have Apache2 installed and working on a Windows server.
It also assumes you have already copied mod_ssl.so from the extracted Apache_2.0.52-Openssl_0.9.7e-Win32 files into the modules directory of your Apache installation.
It assumes that you are only using one secure cert on the server; if you require more than one secure cert on the server, please see section 6.

2. Needed Files

Files that you will need can be downloaded from this website. These are not necessarily the most up-to-date, but they worked for my install so I have included them here. You will need to download both Apache_2.0.52-Openssl_0.9.7e-Win32.zip and Openssl-0.9.7e-Win32.zip

Unzip both of these files to separate folders.

3. Setting Up OpenSSL

Copy the files ssleay32.dll and libeay32.dll from the OpenSSL folder to WINNT\System32. Double check that you make sure you copied the dll's and not the lib's.

You also need to download openssl.cnf into the same folder where you unzipped OpenSSL. Windows will hide the .cnf extension and show the file with a dial-up icon. Just ignore that and make sure the file is in the right place.

Download ssl.conf and place it in the Apache2/conf directory.

4. Creating a test certificate

Open a command prompt. Navigate to where you unzipped OpenSSL.

openssl req -config openssl.cnf -new -out my-server.csr

You can replace my-server.csr with whatever you want as long as the extension is .csr. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name, and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator. You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

Create a directory in the Apache folder named Apache2/conf/ssl and move my-server.key and my-server.cert into it.

5. Configuring Apache and mod_ssl

Open the httpd.conf file and locate the LoadModule directives. Add

LoadModule ssl_module modules/mod_ssl.so

After that, add

SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

In the VirtualHost section, add the following below the existing virtual host for the HTTP site:

<VirtualHost _default_:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>

Open the ssl.conf file and set the correct www.my-domain.com and DocumentRoot. The location of the secure material goes inside the " " after DocumentRoot. Change the VirtualHost _default_:443 to the IP address of the virtual host you are using.

6. Multiple Secure Certificates on the same server

Because of limitations in the SSL and HTTPS specifications, it is only possible to have one secure cert per IP address. To overcome this, the NIC used to connect to the network must be configured with N additional IP addresses, where N is the number of secure certificates that are required. This is accomplished using the following method (applicable to Windows servers only):

  1. Go to the properties page of the NIC that you are using to connect the server to the internet/target network
  2. Select Internet Protocol (TCP/IP) and click on properties
  3. Click on the advanced button
  4. Then click “Add” in the IP Addresses section, specify the additional IP address you would like the NIC to be configured with, the subnet mask will usually remain the same

Once this is completed you can continue configuring httpd.conf and ssl.conf for the apache setup.

SSL Configuration

Copy the entire virtualhost configuration already present from step 5 and paste it after the closing virtualhost tag (</VirtualHost>).

Change the relevant sections as specified in step 5, being careful to change the IP address configured as well

HTTPD Configuration

All that requires modification in this section is to add the new secure virtualhost, following the same instructions as step 5 and again being careful to change the IP address. You will also have to add an additional line to the Listen directives specifying the additional IP address and port (Listen 12.34.56.67:80). You don't need a Listen 12.34.56.78:443 directive, as that is taken care of in the ssl.conf file.
It is usually easiest to keep the http and https virtualhosts on the same IP address so as to avoid confusion.



Moving a certificate from IIS 5/6 to Apache 2 (good for you!)
The majority of this is copied from the Thawte guide; theirs is mainly about moving it to a Linux platform, so there are a few additional tricks that need doing first.

To Move a Certificate from IIS 6.0 to Apache do the following:

Create an MMC Snap-in for Managing Certificates:

1. Start > run > MMC
2. Go into the Console Tab > 'File' > 'Add/Remove Snap-in'
3. Click on 'Add' > Click on 'Certificates' and click on 'Add'
4. Choose 'Computer Account'
5. Choose 'Local Computer'
6. Close the 'Add Standalone Snap-in' window.
7. Click on 'OK' at the 'Add/Remove Snap-in' window.

Export your certificate and private key .pfx file from IIS6:

1. Open the Certificates (Local Computer) snap-in you added in the last section, navigate to Personal, and then to Certificates

2. You will see your Web server certificate denoted by the CN (Common Name) found in the Subject field of the certificate (using Microsoft Internet Explorer, you can easily view the certificate to see the Common Name if you are unsure)

3. Right-click on the server certificate, select All Tasks, and then click Export

4. When the wizard starts, click Next. Choose to export the private key, and then click Next

NOTE: If you export the certificate for use on an IIS Web server, do not select Require Strong Encryption. This option causes a password prompt every time an application attempts to access the private key, and causes IIS to fail.

5. The file format you will want to choose is the Personal Information Exchange (though you can select from several options). This will create a PFX file.

Notice that you can export any certificates in the certification path by selecting the option on this screen. This is very handy if your certificate was issued by a non-trusted certificate authority (for example, Microsoft Certificate Server).
Only choose to delete the private key if the export is successful, to be sure it is not left on the computer (for example if you're migrating from one server to another).

6. Click Next, and then choose a password to protect the PFX file. You will need to enter the same password twice to ensure that the password is typed correctly. When you have completed this step, click Next.

7. Choose the file name you want to save this as. Do not include an extension in your file name; the wizard will automatically add the PFX extension for you.

8. Click Next, and then read the summary.
Pay special attention to where the file is being saved to.
If you are sure the information is correct, choose Finish.

9. You now have a PFX file containing your server certificate and its corresponding private key. Be sure to protect this file.
You may want to move it to a floppy disk and store it somewhere safe from outside disturbance. Keep in mind, if you run a backup on the server, this file may be saved in that backup if it is still on the server.


To convert the .pfx file to a file that your Apache server will understand

Run the following commands using OpenSSL:

1. To export the private key from the .pfx file:
openssl pkcs12 -in filename.pfx -nocerts -out key1.pem
You will be asked for the import password, which is the one you chose in step 6 above; when asked for a pass phrase for the new RSA key, enter any password (it is not important, as you will be removing it shortly).
(NB. Make sure to append '1' to your key name; all will become clear later.)

2. To export the Certificate file from the .pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

3. For installation on a Win32 system it is necessary to remove the encryption on the key that you have just generated; run the following command
openssl rsa -in key1.pem -out key.pem
Now delete the key1.pem file.

4. You now need to copy the files to the locations as described in the httpd.conf, this would be c:\program files\apache group\apache2\conf\ssl on a standard win32 apache2 installation

5. Rename the key and the certificate as follows key.pem -> key.key, cert.pem -> cert.crt edit your httpd.conf and your ssl.conf file to suit, this is assuming that you created a self-signed certificate in order to test your apache2 ssl installation. Otherwise please consult my previous documentation on how to add SSL support to Apache2 under win32 for directions on what sections to change.

6. You will now need to restart the http daemon (net stop apache2, net start apache2 from the command line, or use the apache monitor)
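Steps 1 to 3 and 5 above as one script. This is an added example, not from the Thawte guide or this post; it assumes the openssl CLI is on the PATH, reads the PFX import password from a PFX_PASS environment variable (an assumed name) instead of a prompt, and uses -nodes so the key is written without a passphrase in one go and key1.pem is never created.

```shell
#!/bin/sh
# Added example, not from the Thawte guide or the original post: steps 1-3 and 5
# above in one go. "-nodes" (spelled -noenc in OpenSSL 3) writes the key without
# a passphrase directly, so the encrypted key1.pem is never created. The PFX
# password comes from the PFX_PASS environment variable rather than the command
# line. Assumes the openssl CLI is on the PATH. Very old Windows exports (RC2-40
# encrypted) may additionally need "-legacy" on OpenSSL 3.

# pfx_to_apache FILE.pfx OUTDIR -> OUTDIR/key.key, OUTDIR/cert.crt, OUTDIR/chain.crt
pfx_to_apache() {
    pfx="$1"; out="$2"
    mkdir -p "$out"
    # Step 1 + 3: the private key, unencrypted (Apache on Win32 cannot prompt for it)
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        -out "$out/key.key" 2>/dev/null || return 1
    # Step 2: the server (leaf) certificate only
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$out/cert.crt" 2>/dev/null || return 1
    # Intermediate CA certificates, if the export included the chain; point
    # SSLCertificateChainFile at this file when it is non-empty.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
        -out "$out/chain.crt" 2>/dev/null || return 1
    # Step 5's rename is done by the output names above. Final sanity check:
    # the leaf certificate and the key must carry the same RSA modulus.
    c=$(openssl x509 -noout -modulus -in "$out/cert.crt") || return 1
    k=$(openssl rsa -noout -modulus -in "$out/key.key" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-alone usage: PFX_PASS='import password' sh pfx_to_apache.sh filename.pfx conf/ssl
if [ "$#" -eq 2 ]; then
    pfx_to_apache "$1" "$2" && echo "wrote $2/key.key, $2/cert.crt and $2/chain.crt"
fi
```

Copy the three output files into Apache2/conf/ssl (step 4) and restart Apache (step 6) as described above.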
