Apache HTTPS/SSL on Windows procedure 2021 - virtualhost, subdomains
Posted: Sun Apr 04, 2021 5:18 pm
To setup virtual hosts, mysql, apache and php, read this (on bottom about setup virtual hosts), where there is line "To setup custom domain name or subdomains":
https://www.axew3.com/w3/forums/viewtop ... f=7&t=1637
From 2010, when this article has been written http://rubayathasan.com/tutorial/apache-ssl-on-windows/, nothing +- changed about how to setup https ssl on Apache in a Windows os.
Here on 2021 report in steps, with corrections and my hints (to get work my test HTTPS on Apache server in Win, as reminder):
Start assuming that you have an apache web server installed and configured already with virtual hosts on htdocs.conf.
So the htdocs.conf will contain something like this for my working example:
and under System Variables set the correct value to the openssl.cnf file, so for example:
as Variable value set OPENSSL_CONF
as Value set something like:
C:\Apache2.4\conf\openssl.cnf
or C:\Program Files (x86)\Apache Software Foundation\Apache2.4\conf\openssl.cnf
Check that there is not already present a Variable named OPENSSL_CONF maybe due to previous install: in case edit value to correct path only.
(I had to restart win to get effectively loaded as changed the OPENSSL_CONF value after edited and saved it. I have read somewhere that should not be necessary: i do not know, on my test, i had to restart win. Maybe you have not to restart, or you know how to refresh win, loading new or changed environment vars, without restarting).
now from promt as admin, on bin folder of Apache install folder, execute:
openssl req -new -out server.csr
Now we need to remove the passphrase from the private key. The file "server.key" created from the following command should be only readable by the apache server and the administrator. You should also delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl rsa -in privkey.pem -out server.key
Now we need to set up an expiry date, it could be any time of your choice, we use 365 days below:
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
We have the Self-signed SSL certificates ready now on apache bin folder. Now we need to MOVE the "server.csr", "server.crt" and "server.key" files to the
"C:\Apache2.4\conf" location
or to the folder where the SSLCertificateFile directive point to, into file
/conf/extra/httpd-ssl.conf
Now configure Apache to run SSL/HTTPS server:
Now that we have the Self-signed SSL certificate ready, all we need is to configure Apache to start the SSL server.
First we modify the "C:\Apache2.4\conf\httpd.conf" file.
Open up conf\httpd.conf in a text editor and look for these three lines:
LoadModule ssl_module modules/mod_ssl.so and remove pound sign (#) character preceding it.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so and remove pound sign (#) character preceding it.
Include conf/extra/httpd-ssl.conf and remove pound sign (#) character preceding it.
Now we need to modify the "C:\Apache2.4\conf\extra\httpd-ssl.conf". Let all the default options as it is but make sure to modify the following section according to your need:
<VirtualHost _default_:443>
ServerAdmin some@email.com
DocumentRoot "Your Root folder location"
ServerName http://www.domain.com:443
ServerAlias domain.com:443
#ErrorLog "logs/anyFile-error.log"
#CustomLog "logs/anyFile-access.log" common
SSLEngine on
..... .....
.....
SSLCertificateFile "C:\Apache2.4\conf\server.crt"
..... .....
.....
SSLCertificateKeyFile "C:\Apache2.4\conf\server.key"
</VirtualHost>
Make sure that "SSLCertificateFile" and "SSLCertificateKeyFile" are properly located.
search for line:
SSLPassPhraseDialog builtin
change into:
#SSLPassPhraseDialog builtin
may, may not, search also for line
SSLCertificateChainFile "${SRVROOT}/conf/server-ca.crt"
comment out:
#SSLCertificateChainFile "${SRVROOT}/conf/server-ca.crt"
restart Apache
https://www.axew3.com/w3/forums/viewtop ... f=7&t=1637
From 2010, when this article has been written http://rubayathasan.com/tutorial/apache-ssl-on-windows/, nothing +- changed about how to setup https ssl on Apache in a Windows os.
Here on 2021 report in steps, with corrections and my hints (to get work my test HTTPS on Apache server in Win, as reminder):
Start assuming that you have an apache web server installed and configured already with virtual hosts on htdocs.conf.
So the htdocs.conf will contain something like this for my working example:
Code: Select all
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#NameVirtualHost *:80
<VirtualHost *:80>
# ServerAdmin alias@example.com
DocumentRoot "F:/HTDOCS"
ServerName w3host.com
# ErrorLog "logs/www.w3host.com-error_log"
# TransferLog "logs/localhost-access_log"
</VirtualHost>
<VirtualHost *:80>
# ServerAdmin alias@.example.com
DocumentRoot "F:/HTDOCS/subdomain"
ServerName subdomain.w3host.com
</VirtualHost>
Open Control Panel\System and Security\System\Advanced System Settings choose Environment VariablesWe need to setup the Windows environment variable OPENSSL_CONF ...
and under System Variables set the correct value to the openssl.cnf file, so for example:
as Variable value set OPENSSL_CONF
as Value set something like:
C:\Apache2.4\conf\openssl.cnf
or C:\Program Files (x86)\Apache Software Foundation\Apache2.4\conf\openssl.cnf
Check that there is not already present a Variable named OPENSSL_CONF maybe due to previous install: in case edit value to correct path only.
(I had to restart win to get effectively loaded as changed the OPENSSL_CONF value after edited and saved it. I have read somewhere that should not be necessary: i do not know, on my test, i had to restart win. Maybe you have not to restart, or you know how to refresh win, loading new or changed environment vars, without restarting).
now from promt as admin, on bin folder of Apache install folder, execute:
openssl req -new -out server.csr
NOTE about Common Name: maybe you would like to setup an unique .crt and .key for subdomains, so, enter *.domain.com (for my test i've give *.w3host.com) as Common Name value.It will ask you some questions and you can safely ignore them and just answer the following questions:
PEM pass phrase: Password associated with the private key you’re generating (anything of your choice).
Common Name: The fully-qualified domain name associated with this certificate (i.e. http://www.domain.com).
Now we need to remove the passphrase from the private key. The file "server.key" created from the following command should be only readable by the apache server and the administrator. You should also delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
openssl rsa -in privkey.pem -out server.key
Now we need to set up an expiry date, it could be any time of your choice, we use 365 days below:
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
We have the Self-signed SSL certificates ready now on apache bin folder. Now we need to MOVE the "server.csr", "server.crt" and "server.key" files to the
"C:\Apache2.4\conf" location
or to the folder where the SSLCertificateFile directive point to, into file
/conf/extra/httpd-ssl.conf
Now configure Apache to run SSL/HTTPS server:
Now that we have the Self-signed SSL certificate ready, all we need is to configure Apache to start the SSL server.
First we modify the "C:\Apache2.4\conf\httpd.conf" file.
Open up conf\httpd.conf in a text editor and look for these three lines:
LoadModule ssl_module modules/mod_ssl.so and remove pound sign (#) character preceding it.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so and remove pound sign (#) character preceding it.
Include conf/extra/httpd-ssl.conf and remove pound sign (#) character preceding it.
Now we need to modify the "C:\Apache2.4\conf\extra\httpd-ssl.conf". Let all the default options as it is but make sure to modify the following section according to your need:
<VirtualHost _default_:443>
ServerAdmin some@email.com
DocumentRoot "Your Root folder location"
ServerName http://www.domain.com:443
ServerAlias domain.com:443
#ErrorLog "logs/anyFile-error.log"
#CustomLog "logs/anyFile-access.log" common
SSLEngine on
..... .....
.....
SSLCertificateFile "C:\Apache2.4\conf\server.crt"
..... .....
.....
SSLCertificateKeyFile "C:\Apache2.4\conf\server.key"
</VirtualHost>
Make sure that "SSLCertificateFile" and "SSLCertificateKeyFile" are properly located.
search for line:
SSLPassPhraseDialog builtin
change into:
#SSLPassPhraseDialog builtin
may, may not, search also for line
SSLCertificateChainFile "${SRVROOT}/conf/server-ca.crt"
comment out:
#SSLCertificateChainFile "${SRVROOT}/conf/server-ca.crt"
restart Apache