Configure APACHE+HTTPS (leverage SSL) server under Windows

Source: Internet
Author: User
Tags pfx file

1. Download the Apache installation package that bundles OpenSSL; I downloaded apache_2.2.11-win32-x86-openssl-0.9.8i.msi. After installation, confirm that openssl.exe, ssleay32.dll and libeay32.dll are present under the bin directory. If they are, proceed to the next step.


2. Modify two configuration files: conf/httpd.conf and conf/extra/httpd-ssl.conf
(a) Modification of httpd.conf
For Apache to load the SSL service when it starts, the configuration file needs some changes. Find the following two lines and remove the comment marker ('#') from each, so that SSL is enabled when Apache starts:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf

(b) Modification of httpd-ssl.conf

The main change is the path of the certificates we generate (I set the path to the key directory under conf and put the generated certificates into this directory; how to generate them is described later).

SSLCertificateFile xxx/conf/key/server.crt (location of the server certificate)
SSLCertificateKeyFile xxx/conf/key/server.key (location of the server private key)
SSLCACertificateFile xxx/conf/key/ca.crt (location of the CA root certificate; required for client authentication)
#SSLVerifyClient require (remove the leading '#'; required for client authentication)
#SSLVerifyDepth 1 (remove the leading '#' and change 10 to 1; required for client authentication)
Open httpd-ssl.conf and use Ctrl+F to search for these keywords and modify them.

3. Generate certificates for server and client

Press Win+R and run cmd to open the command line, change to the bin folder of the Apache installation directory, and set up the OpenSSL configuration by executing the command: set OPENSSL_CONF=..\conf\openssl.cnf


(a) Generate the server's private key

Execute command: openssl genrsa -out server.key 1024, which generates the server.key file in the bin directory


(b) Generate a certificate signing request
Execute command: openssl req -new -out server.csr -key server.key -config ..\conf\openssl.cnf, which generates the server.csr file in the bin directory. The process asks for some information; follow the prompts to fill it in, but remember that the Common Name must be the same as the ServerName in httpd.conf, or Apache will report an error when it starts.

(c) Generate CA private key

Execute command: openssl genrsa -out ca.key 1024, which generates the ca.key file in the bin directory


(d) Generate the CA's self-signed certificate

Execute command: openssl req -new -x509 -days 365 -key ca.key -out ca.crt -config ..\conf\openssl.cnf, which generates the ca.crt file in the bin directory


(e) Sign the server certificate with the generated CA
Execute command: openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ..\conf\openssl.cnf
I got an error here. According to the Internet, the fix is to create a demoCA directory in the current directory, containing an empty file index.txt, a file named serial with the content 01, and a folder newcerts, and then run the command again.


4. Copy the server.crt, server.key and ca.crt files in the current folder to the conf/key directory described in step 2.


5. For convenience, I changed the ServerName in the httpd.conf and httpd-ssl.conf files respectively to
127.0.0.1:8080 (some software occupies port 80, so I changed it to 8080)
127.0.0.1:443


6. Restart Apache by executing the two commands net stop Apache2.2 and net start Apache2.2. If Apache fails to start, go to My Computer -> Manage -> Event Viewer -> Application log and open the Apache error report; it gives a hint of what went wrong, and the cause can generally be found there.


7. Open IE and enter 127.0.0.1:8080; "It works" appears. When I entered https://127.0.0.1:443, a certificate verification dialog popped up; I clicked Cancel and the page failed to load. I checked on the Internet and found that a .pfx certificate also has to be generated and imported into IE.
Open the same command line as before and execute the command openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx, which generates a ca.pfx file in the bin directory. Partway through it asks for a password; remember this password. In IE, open Tools -> Internet Options -> Content -> Certificates and follow the prompts to import the file, entering the password you chose when generating the .pfx. After importing, open the browser and enter https://127.0.0.1:443; "It works" appears. Done!


(Note: This article is the approximate process I followed in my own environment. It purely records the working process; I have not studied the individual points in depth.)
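
Step 3(e) with its demoCA fix and the .pfx export from step 7, written as one batch script; this is an added example, not part of the original article. It goes beyond the article by checking each signed certificate with openssl verify and by issuing a separate client certificate for the browser, so that ca.key is not what gets imported into IE. The client.* file names and the 2048-bit client key are assumptions.

```bat
@echo off
rem Added example (not from the original article). Run it from Apache's bin directory
rem in place of step 3(e); it expects server.csr, ca.crt and ca.key from steps 3(a)-(d).
setlocal
set OPENSSL_CONF=..\conf\openssl.cnf

rem Step 3(e) fix: create the CA database that "openssl ca" looks for under .\demoCA.
if not exist demoCA\newcerts mkdir demoCA\newcerts
if not exist demoCA\index.txt type nul > demoCA\index.txt
rem The redirection is written first so the trailing digit is not read as a handle number.
if not exist demoCA\serial (>demoCA\serial echo 01)

rem Sign the server request with the CA (same command as in the article).
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ..\conf\openssl.cnf
if errorlevel 1 goto :fail

rem Check the chain before copying files to conf\key. The output text is matched
rem because old OpenSSL builds can exit with 0 even when verification fails.
openssl verify -CAfile ca.crt server.crt | findstr /c:": OK"
if errorlevel 1 goto :fail
openssl x509 -in server.crt -noout -subject -issuer -dates

rem Client side: a separate key and certificate (the client.* names are assumptions).
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -config ..\conf\openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config ..\conf\openssl.cnf
if errorlevel 1 goto :fail
openssl verify -CAfile ca.crt client.crt | findstr /c:": OK"
if errorlevel 1 goto :fail

rem Bundle the client key and certificate, plus the CA certificate only, for IE import.
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.pfx
if errorlevel 1 goto :fail
echo Done: server.crt is for Apache, client.pfx is for the browser, ca.key stays here.
exit /b 0

:fail
echo A step failed. See the OpenSSL message above.
exit /b 1
```

The client request needs a Common Name different from the server's, because the CA database in demoCA\index.txt tracks the subjects it has already signed.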
