Skyline Research Technical Bulletin Reference 2004-04-06
This short article describes how to configure and use Apache 2.0.49 with OpenSSL 0.9.7d on Windows XP SP1.
As of 2004-04-05:
Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip, then download and unzip it to a new folder.
<Apache-dir>/conf/httpd.conf, replacing all occurrences of www.my-server.dom with your actual domain name.
Comment out Port 80 (as Listen overrides it later.)
Listen 443 (so that your server will listen on the standard SSL port)
Add something like the following to httpd.conf:
### HACK for OpenSSL ####
### See http://www.modssl.org/docs/2.8/ssl_reference.html for more info
#SSLMutex sem THIS GIVES AN ERROR
SSLRandomSeed startup builtin
#SSLLog logs/SSL.log THIS GIVES AN ERROR
#SSLLogLevel info THIS GIVES AN ERROR
Generate a private key and a certificate request, and then self-sign the certificate.
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Create a self-signed certificate for SSL requests:
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Make sure the path to the certificates is correct in httpd.conf as above.
Copy the CA certificate to /conf/ssl.crt/ca.crt on the web server.
As above, tell the web server (Apache) where to find the CA certificate. In httpd.conf:
As above, the URL to require authentication for (in this case /testSSL) is configured in httpd.conf:
Generate a private key and certificate request:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
Note that OpenSSL won't be able to obtain a nice pseudo-random sample for its key generation, and will complain. However, it will allow you to specify a document for added entropy with the -rand switch. In testing, I created a file on the OpenBSD machine with dd if=/dev/srandom of=output.txt bs=4096 count=1, copied that file to Windows, and generated a key with openssl genrsa -rand output.txt -out client.key 1024.
Sign the client request with the CA's private key:
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Copy the signed certificate (client.crt) back to the client.
Create a PKCS#12 document from the client private key and the signed certificate:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
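The certificate steps above, as an added example that is not part of the bulletin: one non-interactive POSIX shell script (-subj replaces the interactive prompts of openssl req) followed by the two checks worth making before going near the browser, namely that client.crt chains to ca.crt and that server.crt does not (the article self-signs it, which is why it must be imported into the browser as trusted on its own). It assumes the openssl command-line tool is on PATH and uses 2048-bit keys instead of the article's 1024; the subject names, the export password and the ca.ext extension file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bulletin. Assumes the openssl CLI is on PATH;
# file names follow the article, subjects/password/ca.ext are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all key material
P12_PASS="client-export-pass"  # constructed PKCS#12 export password
cd "$WORK"

# Private CA: key, request, self-signed certificate. The -extfile step is an
# addition to the article: it marks the certificate as a CA so verifiers accept it.
make_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -subj "/CN=Test CA" -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.ext \
        -out ca.crt 2>/dev/null
}
# Server certificate as the article makes it: self-signed, NOT issued by the
# CA, which is why the article imports it into the browser separately.
make_server() {
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=www.my-server.dom" -out server.csr 2>/dev/null
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 2>/dev/null
}
# Client certificate issued by the CA, then bundled with its key as PKCS#12.
make_client() {
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj "/CN=test-user" -out client.csr 2>/dev/null
    openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in client.csr -out client.crt 2>/dev/null
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
        -passout "pass:$P12_PASS" -out client.p12 2>/dev/null
}
# Prints OK when the given certificate chains to ca.crt, FAIL otherwise.
chains_to_ca() {
    if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Subject of the certificate inside client.p12, read back with the password.
p12_subject() {
    openssl pkcs12 -in client.p12 -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_ca; make_server; make_client
echo "client.crt chains to CA: $(chains_to_ca client.crt)"   # OK
echo "server.crt chains to CA: $(chains_to_ca server.crt)"   # FAIL (self-signed)
echo "PKCS#12 subject: $(p12_subject)"                        # CN=test-user
```

The FAIL for server.crt is expected with the article's procedure; issuing server.crt from the CA instead (the same -CA/-CAkey form used for the client) would make it chain and remove the need to import it separately.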
In Internet Explorer 6:
4. Click on Next:
5. Check both checkboxes and type the password specified previously. Then click Next:
6. Click Next:
7. Click Finish.
8. Click Set Security Level.
9. Click High, then Next
10. Create a password as indicated, then click Finish. The certificate then appears as follows:
11. Select the certificate and then View:
Note that the CA certificate was imported previously as a Trusted Root Certificate, as was the Server Certificate.
Finally, attempt to access the protected server page https://www.my-server.dom/testSSL.
The examples generate 1024-bit keys; the key size is the last argument to openssl genrsa.
OpenSSL homepage: http://www.openssl.org
mod_ssl homepage: http://www.modssl.org
Public-Key Cryptography Standards: http://www.rsasecurity.com/rsalabs/pkcs/
X-series Recommendations: X.500 and up: http://www.itu.int//itudoc/itu-t/rec/x/x500up/
Using Certificate Revocation Lists (Apache Week): http://www.apacheweek.com/features/crl
Using Client Certificates with stunnel: http://www.stunnel.org/faq/certs.html#ToC1
Author: Michael Cook
Title: How to configure Microsoft Internet Information Server SMTP
Created: 2004-04-06 03:59
Last saved by: Michael Cook at 2004-04-06 04:20.
No. pages: 178
File name: How2configWXP+OpenSSL.htm