How to configure SSL for Apache SSL server

1. install necessary software
Reference
I am using apahce2.0.61 and can directly bind OpenSSL Apache.
The file name is: apache_2.0.61-win32-x86-openssl-0.9.7m.msi

Otherwise, it is troublesome to install OpenSSL on Windows separately. You can either find a third-party compilation result or compile it by yourself.

2. Generate a server certificate
Reference
Install openssl.exe in the bin directory to generate certificates and keys.
1) generate the server's private key file server. Key
Enter the conf directory and execute the command line
OpenSSL genrsa-out server. Key 1024

Some documents have pointed out that the use of OpenSSL genrsa-des3-out server. Key 1024 to generate a private key file, so that the generated private key file requires a password.
Apache startup failed. error message: init: sslpassphrasedialog builtin is not supported on Win32 (key file .....)
The reason is that Apache in the window does not support encrypted private key files.

2). Generate unsigned server. CSR
Enter the conf directory and execute the command line
OpenSSL req-New-key server. Key-out server. CSR-config OpenSSL. CNF
Prompt to enter a series of parameters,
......
Country name (2 letter code) [au]:
State or province name (full name) [some-State]:
Locality name (eg, city) []:
Organization Name (eg, company) [Internet widgits Pty Ltd]:
Organizational unit name (eg, section) []:
Common name (eg, your name) []:
Email Address []:
.....
Note: The common name must be consistent with the server name in httpd. conf; otherwise, Apache cannot start
When apache is started, the error message is: RSA server certificate CommonName (CN) 'koda' does not match server name !?

3). Sign the server certificate file server. CRT
Enter the conf directory and execute the command line
OpenSSL X509-req-days 365-in server. CSR-signkey server. Key-out server. CRT

The signing of the certificate is only used for testing. when running the certificate, the CSR should be sent to a CA to return the real user book. Some documents on the internet describe the process of generating the Certificate file, because
They created a CA certificate and then signed server. CSR.

Use OpenSSL X509-noout-text-in server. CRT to view the certificate content. The certificate actually contains the public key.

3. configure httpd. conf.
reference
SSL in the conf directory. the conf file is about the SSL configuration, which is httpd. conf.
Find a 443 virtual host configuration item, as shown in the following figure:

sslengine on
sslcertificatefile CONF/SSL. CRT/server. CRT
sslcertificatekeyfile CONF/SSL. key/server. key
# sslcertificatechainfile CONF/SSL. CRT/CA. CRT // not enabled yet
#......
DocumentRoot "C:/programs/apache2/htdocs"
servername www.my.com: 443

1 ). check sslcertificatefile and sslcertificatekeyfile. Establish two subdirectories SSL. CRT, SSL. key, and then put the signed certificate file (. CRT) and private key file (. key) in the corresponding directory
2 ). check the configuration items of DocumentRoot and servername. Modify servername to any domain name you want. the common name entered in CSR must be consistent with the servername here.
after Apache is started, accessing the https://www.my.com will access the contents under the C:/programs/apache2/htdocs directory.
but if you want to retain the access from other directories as HTTP, you should change
to
at this time, even if the servername is arbitrary, the system still runs normally. Only the Apache Log prompts "does not match server name"
3 ). remove comments
loadmodule ssl_module modules/mod_ssl.so

Note that the configuration of SSL. conf is in the label <ifdefine SSL>. To make the ifdefine command valid, add the-d ssl parameter when running Apache.

Reference
Apache-d ssl-K start