How to Configure Apache and OpenSSL on Windows XP

Skyline Research Technical Bulletin Reference 2004-04-06

This short article describes how to configure and use Apache 2.0.49 with OpenSSL 0.9.7d on Windows XP SP1.

How to Configure Apache and OpenSSL on Windows XP
References and Sources
Configuring Apache2
Basic Setup
Add Virtual Host
Preparing Certificates
Create the Certificate Authority (CA)
Create the Web Server Certificate
Install the CA Certificate on the Web Server
Require a Certificate for Access
Have the Client Request a Certificate
Have the Authority Sign the Certificate
Prepare the Client Certificate
Importing the Client Certificate (Internet Explorer 6)
Testing
Known Issues
References
Additional Reading
Document Information
Change History
Statistics
Notices and Credits

References and Sources

As of 2004-04-05:

  1. For background and an overview of the OpenSSL certificate generation process, see http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html. This document provides a succinct description of how to perform Client Certificate Authentication with Apache using OpenBSD.
  2. For Apache_mod_ssl, see http://tud.at/programm/apache-ssl-win32-howto.php3. This provides “The Apache + SSL on Win32 HOWTO”, and includes directions to obtain the pre-built Apache+OpenSSL installation. (Go to http://www.modssl.org/contrib/ or http://hunter.campbus.com/, find a file named like Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip, then download and unzip it to a new folder.)
  3. For OpenSSL, see http://www.slproweb.com/products/Win32OpenSSL.html. Download and install Win32 OpenSSL v0.9.7d.

Configuring Apache2

Basic Setup

  1. Install Apache.
  2. Change at least the following parameters in <Apache-dir>/conf/httpd.conf, replacing all occurrences of www.my-server.dom with your actual domain name.
    1. Comment out Port 80, as Listen overrides it later.
    2. If Apache is not running alongside IIS (which already uses port 80), specify Listen 80.
    3. Add Listen 443 (so that your server will listen on the standard SSL port).
    4. ServerName www.my-server.dom
  3. Install the Apache service (NT/2000/XP) and start the server. Verify that everything works before proceeding to the SSL installation, because this narrows down the possible errors. Try http://www.my-server.dom:443/. Communications will not yet be encrypted, but this will verify that the port is properly configured.

Add Virtual Host

Add something like the following to httpd.conf:

###  HACK for OpenSSL ####
### See http://www.modssl.org/docs/2.8/ssl_reference.html for more info
#SSLMutex sem THIS GIVES AN ERROR
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

#SSLLog logs/SSL.log THIS GIVES AN ERROR
#SSLLogLevel info THIS GIVES AN ERROR

<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCACertificateFile conf/ssl/ca.crt
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key

<Location /testSSL>
   SSLRequireSSL
   SSLVerifyClient require
   SSLVerifyDepth 10
</Location>

</VirtualHost>

Preparing Certificates

Create the Certificate Authority (CA)

Generate a private key and a certificate request, and then self-sign the certificate.

openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Create the Web Server Certificate

Create a self-signed certificate for SSL requests:

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Make sure the path to the certificates is correct in httpd.conf as above.

Install the CA Certificate on the Web Server

Copy the CA certificate to conf/ssl/ca.crt on the web server (the path referenced by SSLCACertificateFile in httpd.conf).

As above, tell the web server (Apache) where to find the CA certificate. In httpd.conf:

<VirtualHost _default_:443>
... 
SSLCACertificateFile conf/ssl/ca.crt
...
</VirtualHost>

Require a Certificate for Access

As above, specify the URL (in this case /testSSL) for which a client certificate is required. In httpd.conf:

<VirtualHost _default_:443>
...
<Location /testSSL>
   SSLRequireSSL
   SSLVerifyClient require
   SSLVerifyDepth 10
</Location>
...
</VirtualHost>

Restart Apache.

Have the Client Request a Certificate

Generate a private key and certificate request:

openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

Note that OpenSSL won't be able to obtain a nice pseudo-random sample for its key generation, and will complain. However, it will allow you to specify a document for added entropy with the -rand switch. In testing, I created a file on the OpenBSD machine with dd if=/dev/srandom of=output.txt bs=4096 count=1, copied that file to Windows, and generated a key with openssl genrsa -rand output.txt -out client.key 1024.

Have the Authority Sign the Certificate

Sign the client request with the CA's private key:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

Copy the signed certificate (client.crt) back to the client.

Prepare the Client Certificate

Create a PKCS#12 document from the client private key and the signed certificate:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
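The certificate steps above (create the CA, create the server certificate, have the client request a certificate, have the authority sign it, and prepare the PKCS#12 file) chained together as one non-interactive POSIX shell script. This is an added example and is not part of the original bulletin or of OpenSSL's own documentation. It assumes an openssl binary on the PATH; the subject names and the export password changeit are constructed placeholders, the keys are 2048-bit rather than the bulletin's 1024-bit ones, and the server certificate is signed by the CA instead of self-signed, so one trusted root covers both the server and the client. A self-signed copy of the server certificate, made the way the bulletin makes it, is kept alongside to show that such a certificate does not chain to ca.crt:

```shell
#!/bin/sh
# Added example for this bulletin (not from the original page).
# Assumes: openssl on the PATH. Subject names and the password are constructed.

# Does the certificate in $2 chain to the CA certificate in $1?
# This is the check mod_ssl performs against SSLCACertificateFile
# when SSLVerifyClient require is in effect.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create ca.*, server.*, client.* in directory $1 (default ./ssl-demo).
# Runs in a subshell so the caller's working directory is left unchanged.
build_test_pki() (
    dir="${1:-./ssl-demo}"
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. Certificate authority: private key and self-signed certificate.
    #    2048-bit RSA rather than the 1024-bit keys in the bulletin (see Known Issues).
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=Demo Test CA" 2>/dev/null || exit 1

    # 2. Web server: key and CSR, then CA signature. The bulletin self-signs
    #    server.crt instead; server-selfsigned.crt reproduces that for comparison.
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    openssl req -new -key server.key -out server.csr \
        -subj "/CN=www.my-server.dom" 2>/dev/null || exit 1
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt 2>/dev/null || exit 1
    openssl x509 -req -days 365 -in server.csr -signkey server.key \
        -out server-selfsigned.crt 2>/dev/null || exit 1

    # 3. Client: key and CSR (client side), CA signature (authority side),
    #    then the PKCS#12 bundle the browser imports. The export password is
    #    the one step 5 of the import procedure asks for.
    openssl genrsa -out client.key 2048 2>/dev/null || exit 1
    openssl req -new -key client.key -out client.csr \
        -subj "/CN=demo-user" 2>/dev/null || exit 1
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt 2>/dev/null || exit 1
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
        -out client.p12 -passout pass:changeit 2>/dev/null || exit 1

    # 4. Confirm the CA-signed leaves verify against ca.crt before copying
    #    anything into <Apache-dir>/conf/ssl.
    cert_chains_to_ca ca.crt server.crt || exit 1
    cert_chains_to_ca ca.crt client.crt || exit 1
    printf '%s\n' "$dir"
)

# Stand-alone usage (prints the directory that now holds the files):
# build_test_pki /tmp/ssl-demo
```

The server.crt, server.key and ca.crt it produces are the files the httpd.conf fragment above points at, and client.p12 is the file the browser import steps use. cert_chains_to_ca fails for server-selfsigned.crt, which is why a server certificate made the bulletin's way has to be imported into the browser as a trusted root on its own, as the note at the end of the import procedure mentions.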

Importing the Client Certificate (Internet Explorer 6)

In Internet Explorer 6:

  1. Select Tools/Internet Options/Content/Certificates/Import/Personal.
  2. Select the Personal Information Exchange format certificate, client.p12.
  3. Click on Open.
  4. Click on Next.
  5. Check both checkboxes and type the password specified previously. Then click Next.
  6. Click Next.
  7. Click Finish.
  8. Click Set Security Level.
  9. Click High, then Next.
  10. Create a password as indicated, then click Finish. The certificate then appears in the Personal certificate list.
  11. Select the certificate and then View.

Note that the CA certificate was imported previously as a Trusted Root Certificate, as was the Server Certificate.

Testing

Finally, attempt to access the protected server page https://www.my-server.dom/testSSL.

Known Issues

The examples generate 1024-bit keys.

References

OpenSSL homepage: http://www.openssl.org

mod_ssl homepage: http://www.modssl.org

Public-Key Cryptography Standards: http://www.rsasecurity.com/rsalabs/pkcs/

X-series Recommendations: X.500 and up: http://www.itu.int//itudoc/itu-t/rec/x/x500up/

Additional Reading

Using Certificate Revocation Lists (Apache Week): http://www.apacheweek.com/features/crl

Using Client Certificates with stunnel: http://www.stunnel.org/faq/certs.html#ToC1

Document Information

Change History

2004-04-06 created.

Statistics

Author: Michael Cook

Title: How to configure Microsoft Internet Information Server SMTP

Created: 2004-04-06 03:59

Last saved by: Michael Cook at 2004-04-06 04:20.

No.bytes: 6666

No. pages: 178

File name: How2configWXP+OpenSSL.htm

Notices and Credits

  1. This document Copyright © 2004 6080545 Canada Inc.
  2. Sections adapted from http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html written by Robert Mooney (rjmooney@impetus.us), Copyright (c) 2001 Robert Mooney, All rights reserved.
  3. Other sections adapted from http://tud.at/programm/apache-ssl-win32-howto.php3 by Balázs Bárány (http://tud.at), © Balázs Bárány 1999-2003. Other contributors: Horst Bräuner (OpenSSL configuration on NT), Christoph Zich (Windows 98), Torsten Stanienda (Test with 1.3.12, IfDefine directive), Peter Holm (Listen and Port directives)
  4. This document can be redistributed under the GNU Free Documentation License, or otherwise freely distributed and modified, so long as the original authors are credited.
  5. The specific values shown are examples.