SSL Setup Apache Windows Download
Version 1.6.6 (changelog: view source)
Configure SSL Certificate in Apache
A newer and hopefully more often updated version of this HOWTO which also covers Apache 2 is available from http://raibledesigns.com/tomcat/ssl-howto.html. Also check out this tutorial covering Apache 2 on Windows Server 2003 if you use that.
Spanish translation maintained by Sergio Artigas
French translation maintained by Jean-Francois Moreau
Danish translation maintained by Morten Fischer-Nielsen
Overview
This page describes the installation of the Win32 version of Apache with the mod_ssl extension. The newest version should always be available from http://tud.at/programm/apache-ssl-win32-howto.php3.
This process worked for many people on Windows NT, 98, ME, 2000 and XP; please mail me your suggestions and bug reports.
You can even install Apache with SSL in addition to the Microsoft Internet Information Server if you need to.
Note: sometimes, there are changes between the precompiled apache distributions so that this HOWTO is not correct anymore. In this case, if the current version does not work for you, download an older version - one that was published before the modification date of this HOWTO.
Or, if you like adventures, try to make it run, and mail me if you needed to change anything.
Please note that Apache 1.3.x on Win32 is considered beta quality as it doesn't reach the stability and performance of Apache on Un*x platforms. The 2.x versions are perhaps better but this HOWTO doesn't cover 2.x yet.
1.: Installing Apache
Get the Win32 version of the Apache web server from one of the mirrors. It is called something like apache_x_y_z_win32.exe. This is a self-extracting archive that contains the Apache base system and sample configuration files.
Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on modssl.org, you cannot expect it to work with 2.0.x.
Install Apache as described in http://www.apache.org/docs/windows.html.
Note: You can skip this step and get a full Apache+SSL distribution from modssl.org, as described below. There will be no fancy installation program but you won't need to overwrite the stock Apache files. This is the better way if you are experienced and don't fear editing configuration files (which you will need to do anyway).
Change at least the following parameters in Apache-dir/conf/httpd.conf:
[Replace all occurrences of www.my-server.dom with the real domain name!]
- Port 80 to # Port 80 (Comment it out; Port is not necessary, Listen overrides it later.)
- (if not in addition to IIS) Listen 80
- Listen 443 (So your server listens on the standard SSL port)
- ServerName www.my-server.dom
- (if in addition to IIS) DocumentRoot and the corresponding <Directory some-dir> to your Inetpub\wwwroot
Install the Apache service (NT/2000 only) and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors.
Try http://www.my-server.dom:443/. It won't be encrypted yet but if this works then the port configuration (port 443) is right.
2.: Getting OpenSSL and mod_ssl
Go to http://www.modssl.org/contrib/ or http://hunter.campbus.com/ and find a file called something like Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip. Download and unzip it to a new directory.
If you need the newest version, you will have to compile it yourself if it is not there. Don't ask me about it; I don't have it, I don't compile the versions on modssl.org, and I don't have access to development tools on Win32.
Copy the files ssleay32.dll and libeay32.dll from the Apache/modssl distribution directory to WINNT\System32. This is important! About 70 % of the e-mails I receive is because people forget to do this. If you don't find those files or openssl.exe in the apache zip, get a file called something like openssl-version-win32.zip from one of the download sites.
You'll need a config file for OpenSSL.exe. Here is one (right-click on it and 'Save as...'). (There is an openssl.cnf in the distribution with different wording of some questions, but it should do it, too.) Copy it to the directory openssl.exe is in.
(This is a normal text file. It is really called so; however, some Windows versions insist on hiding the extension from you. You can edit it with Windows notepad or a good editor, but it shouldn't be necessary.)
3.: Creating a test certificate
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -config openssl.cnf -new -out my-server.csr
This creates a certificate signing request and a private key. When asked for 'Common Name (eg, your websites domain name)', give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a 'real' one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.
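The properties step 3 depends on (certificate name equal to the server name, remaining validity, and a passphrase-less key that only its owner can read) can be checked from a POSIX shell with the openssl CLI. This is an added example, not part of the original HOWTO; the function names and the 30-day threshold are assumptions, the sample certificate is constructed, and on Windows the permission check would be done on the file's ACL instead.

```shell
#!/bin/sh
# host_matches CERT HOST: true when the certificate is valid for HOST
# (subjectAltName if present, otherwise the Common Name).
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# valid_for_days CERT DAYS: true when CERT is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# key_unencrypted KEY: true when KEY loads without a passphrase.
key_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# key_private KEY: true when group and others have no permission bits.
key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit CERT KEY HOST: print one finding per problem; non-zero if any.
audit() {
    rc=0
    host_matches "$1" "$3" || { echo "certificate is not valid for $3"; rc=1; }
    valid_for_days "$1" 30 || { echo "certificate expires within 30 days"; rc=1; }
    if key_unencrypted "$2" && ! key_private "$2"; then
        echo "passphrase-less key is accessible to group/others"; rc=1
    fi
    return "$rc"
}

# make_sample DIR: constructed self-signed certificate for www.my-server.dom.
make_sample() {
    printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=demo\n' > "$1/demo.cnf"
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=www.my-server.dom" -keyout "$1/my-server.key" \
        -out "$1/my-server.cert" 2>/dev/null
}

t=$(mktemp -d) && make_sample "$t" && chmod 644 "$t/my-server.key"
audit "$t/my-server.cert" "$t/my-server.key" www.my-server.dom || true
chmod 600 "$t/my-server.key"
audit "$t/my-server.cert" "$t/my-server.key" www.my-server.dom && echo "all checks passed"
rm -rf "$t"
```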
4.: Configuring Apache and mod_ssl
Copy the executable files (*.exe, *.dll, *.so) from the downloaded apache-mod_ssl distribution over your original Apache installation directory (remember to stop Apache first and DO NOT overwrite your edited config files etc.!).
Find the LoadModule directives in your httpd.conf file and add this after the existing ones, according to the file you have found in the distribution:
LoadModule ssl_module modules/ApacheModuleSSL.dll
or
LoadModule ssl_module modules/ApacheModuleSSL.so
or
LoadModule ssl_module modules/mod_ssl.so
in newer versions.
In newer versions of the distribution, it could also be necessary to add
AddModule mod_ssl.c
after the AddModule lines that are already in the config file.
Add the following to the end of httpd.conf:
Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file!
You might need to use regedit to change the key HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\X.Y.Z to the correct number if the apache.exe from modssl.org/contrib is not the same version as the previously installed one. (This seems not to be necessary with recent versions.)
Also, if you use IfDefine directives and start apache as a service, you need to edit the apache command line in the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache2) (I haven't tried this).
Start the server, this time from the command prompt (not as a service) in order to see the error messages that prevent Apache from starting. If everything is OK, (optionally) press CTRL+C to stop the server and start it as a service if you prefer.
If it doesn't work, Apache should write meaningful messages to the screen and/or into the error.log and SSL.log files in the Apache/logs directory.
If something doesn't work, set all LogLevels to the maximum and look into the logfiles. They are very helpful.
DON'T e-mail me or the other contributors without having plain Apache installed (Step 1). We will ignore your request; we are not the Free Apache Helpdesk and there is enough good documentation on configuring Apache; if that is not enough for you, you shouldn't run a secure server anyway. Also, DON'T e-mail without having looked into the error.log and SSL.log with LogLevel set to Debug.
Debugging connect problems
Problems connecting to the server with a browser can have many reasons, many of them on the client (proxy, DNS, general IE dumbness).
So, if you encounter problems connecting with SSL, try another browser and/or look into the settings. If even this doesn't work, you can use OpenSSL to debug the problem.
Common problems
Q: I see the following when starting Apache:
A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on Win9x/ME)?
You can verify this by copying openssl.exe into a directory of its own and executing it. If it complains about not being able to find some DLLs, then you haven't copied them into the correct directory.
One user told me that he had this problem even when he did everything right. He then found the problem: corrupt openssl DLLs. So if you get this error despite having done everything correctly, try the openssl DLLs from another version from modssl.org/contrib.
Q: I see the following when starting Apache: or:
A: You didn't add the AddModule line (or not where it belongs, it belongs below the other AddModule lines).
Q: SSL doesn't work in the browser and I see the following in some logfile:
A: How much clearer can an error message get? Your VirtualHost or Listen configuration is wrong.
Questions about Java servlets, OpenSSL compilation etc.
Don't ask us about installing servlet extensions, recompiling mod_ssl or Apache with EAPI, recompiled versions etc. We have no idea and won't be able to help you. We are just users and not programmers.
If your needs are so special, you are better off with a Debian GNU/Linux or OpenBSD server. It will save you lots of trouble. Really.
Links
Apache Web Server: http://www.apache.org
mod_ssl: http://www.modssl.org
mod_ssl configuration: http://www.modssl.org/docs/2.8/ssl_reference.html
OpenSSL: http://www.openssl.org
PHP Hypertext preprocessor: http://www.php.net
Author of this document: Balázs Bárány (http://tud.at)
(mail me your questions, but only after having looked into the error logs with LogLevel debug. You can mail me in English, German and Hungarian.
If I am constantly ignoring your e-mail, read all the hints in the HOWTO about how to e-mail me.)
Contributor: Horst Bräuner (OpenSSL configuration on NT)
Contributor: Christoph Zich (Windows 98)
Contributor: Torsten Stanienda (Test with 1.3.12, IfDefine directive)
Contributor: Peter Holm (Listen and Port directives)
Last change: 2009-12-24
This document can be redistributed under the GNU Free Documentation License. © Balázs Bárány 1999-2009
Introduction
This article provides step-by-step instructions for installing your certificate in Apache HTTP Server. Note that as of version 2.4.8, the default configuration options have changed.
Process
- Copy certificates to your server.
This includes your server certificate, private key, and an intermediate certificate.
Your server certificate can be obtained from the delivery e-mail. Alternatively you can get it from your GlobalSign Account by clicking Edit on your order and copying the Certificate PEM Format text from the details.
The private key would have been generated along with the certificate signing request (CSR); it may very well already be on the server. If the private key is lost, you will need to reissue your certificate.
The intermediate certificate used will vary depending on product type. Click your product type in our intermediate certificate section to identify the correct cert.
- Open your Apache configuration file for editing.
This will generally be found in one of the following locations, depending on your OS:
On CentOS/RedHat:
/etc/httpd/httpd.conf
/etc/httpd/sites-enabled/name-of-virtualhost.conf
On Debian/Ubuntu:
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/name-of-virtualhost.conf
The configuration may be in a different location. A detailed mapping of configuration paths can be found on the Apache Wiki.
- Configure your virtual host to use the certificates.
Locate the virtual host for your site.
<VirtualHost xxx.xxx.x.x:443>
DocumentRoot /var/www/examplesite
ServerName example.com www.example.com
SSLEngine on
SSLCertificateFile /path/to/examplesite.crt
SSLCertificateKeyFile /path/to/privatekey.key
SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>
Point the following directives to the corresponding certificate:
SSLCertificateFile - This should point to your server certificate.
SSLCertificateKeyFile - This should point to your server's private key.
SSLCertificateChainFile - This should point to the intermediate certificate for your product.
Note: As of Apache 2.4.8, the SSLCertificateChainFile directive was deprecated and SSLCertificateFile was extended to support intermediate certificates. Adding the intermediate certificate to the end of your certificate will create a chain file for your server.
- Test your updated configuration.
Depending on your system, run the command:
apachectl configtest
or
apache2ctl configtest
This will detect any errors in your configuration such as mismatched public & private keys, or an incorrect path.
- Restart the Apache service.
For older versions of Red Hat Enterprise Linux use init scripts as stated below:
CentOS/RedHat: service httpd restart
Debian/Ubuntu: service apache2 restart
For Red Hat Enterprise Linux 7 or CentOS 7.0 use the following commands:
CentOS/RedHat: systemctl restart httpd.service
Debian/Ubuntu: systemctl restart apache2.service
Note: Some Apache configurations may show an entry for SSLCACertificateFile. This field is only needed if you use Apache for client authentication. The SSLCACertificateFile would point to a CA certificate or directory of CA certificates that issue certificates you accept for client authentication.
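An added example (not GlobalSign's or the Apache project's own tooling) for the Apache 2.4.8+ layout and the key-mismatch error that configtest reports: it builds the combined file with the server certificate first and checks it before Apache is pointed at it. The function names are assumptions and the three-level demo PKI is constructed throwaway material.

```shell
#!/bin/sh
# key_matches_cert CERT KEY: true when the first certificate in CERT and KEY
# hold the same public key. An encrypted KEY fails instead of prompting.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# build_chain LEAF INTERMEDIATE OUT: server certificate first, intermediate
# appended. Re-encoding through openssl avoids the fused END/BEGIN line that
# plain cat produces when the first file lacks a trailing newline.
build_chain() {
    openssl x509 -in "$1" > "$3" && openssl x509 -in "$2" >> "$3"
}

# chain_verifies ROOT CHAIN: the first certificate in CHAIN must validate up to
# ROOT, using the other certificates in CHAIN as untrusted intermediates.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway root, intermediate and leaf.
make_demo_pki() {
    d=$1; cnf=$d/demo.cnf
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n' > "$cnf"
    printf '[dn]\nCN=demo\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >> "$cnf"
    openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -extfile "$cnf" -extensions ca -days 2 -out "$d/int.crt" 2>/dev/null &&
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Demo run on the constructed material.
d=$(mktemp -d) && make_demo_pki "$d" &&
    build_chain "$d/leaf.crt" "$d/int.crt" "$d/fullchain.crt"
key_matches_cert "$d/fullchain.crt" "$d/leaf.key" && echo "key matches first certificate"
chain_verifies "$d/root.crt" "$d/fullchain.crt" && echo "chain verifies"
rm -rf "$d"
```

Because key_matches_cert reads only the first certificate in the file, it also catches a combined file that was assembled with the intermediate ahead of the server certificate.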