Enabling SSL on Apache on Windows

I spent a couple of hours the other night attempting to enable SSL on Apache on my local dev machine and figured I'd share what I did in an effort to help the next poor soul who needs to do this.

Of course the first step was to Google enabling ssl on apache on windows, which yielded a bounty of resources. The first link that I saw (and clicked) was to an article by Neil C. Obremski entitled Apache2 SSL on Windows, and it gave me almost all of the info I needed. One missing piece was that Neil's article is for Apache 2.0.x, but I'm running Apache 2.2.x. Luckily, he includes a link to a Word document written by Luke Holladay which includes instructions for Apache 2.2.x. To simplify things I've compiled the necessary steps from both of those articles, and included some stuff that I had to figure out on my own. My step-by-step instructions follow.

Step 1 - What You Need

  • A copy of Apache that includes SSL support.
  • A copy of OpenSSL.
  • An openssl.cnf file.

The copy of Apache that I had installed on my machine did not include SSL support, so I moseyed on down to the Apache download page. You'll notice on that page that there are files named something like apache_2.2.11-win32-x86-openssl-0.9.8i.msi, as well as files named something like apache_2.2.11-win32-x86-no_ssl.msi. You need to have the openssl version installed, not the no_ssl version (duh). I couldn't find any reliable info on manually adding SSL support to a no_ssl install, so I simply downloaded the most up-to-date version of the openssl installer and ran it. It successfully upgraded my version of Apache without overwriting any of my existing config files.

The nice thing about that installer is that it includes a copy of OpenSSL, so you don't need to download that separately.

Finally, you need an openssl.cnf file, which doesn't come with the package. I downloaded one that works from Neil's site. If that link is broken you can find a copy attached to this blog post. I have Apache installed in C:\Apache\, which means that I can find OpenSSL in C:\Apache\bin\, so I copied the openssl.cnf file into that directory.

Step 2 - Create a Self-Signed Certificate

This step will create a number of files related to your certificate. Each of those files has the same name, with a different extension. In the example commands below I've used the name bob. Feel free to replace that with anything you like.

Open a command prompt and switch to the directory that contains OpenSSL (C:\Apache\bin\, in my case). To create a new certificate request type the following:

openssl req -config openssl.cnf -new -out bob.csr -keyout bob.pem

You'll be prompted to answer a bunch of questions, the answers to which can all be left blank except for:

  • PEM pass phrase: This is the password associated with the private key (bob.pem) that you're generating. This will only be used in the next step, so make it anything you like, but don't forget it.
  • Common Name: This should be the fully-qualified domain name associated with this certificate. I was creating a certificate for a site on my local machine which I browsed to via http://savacms/, so I just entered savacms. If I was creating a cert for my blog I would have entered silverwareconsulting.com.

When the command completes you should have two files called bob.csr and bob.pem in your folder.

Now we need to create a non-password protected key for Apache to use:

openssl rsa -in bob.pem -out bob.key

You'll be prompted for the password that you created above, after which a file called bob.key should appear in your folder.

Finally, we need to create an X.509 certificate, which Apache also requires:

openssl x509 -in bob.csr -out bob.cert -req -signkey bob.key -days 365

And that's it - you now have a self-signed certificate that Apache can use to enable SSL. I chose to move the required files from C:\Apache\bin\ to C:\Apache\conf\ssl\, but you can put them anywhere as you'll be pointing to them in your Apache config files.

Step 3 - Enable SSL on Apache

Open your httpd.conf file (which for me is in C:\Apache\conf\) and uncomment (remove the # sign) the following lines:

  • #LoadModule ssl_module modules/mod_ssl.so
  • #Include conf/extra/httpd-ssl.conf

Open your httpd-ssl.conf file (which for me is in C:\Apache\conf\extra\) and update the section entitled <VirtualHost _default_:443>. You'll need to update the values of ServerAdmin, DocumentRoot, ServerName, ErrorLog and CustomLog to match your environment. You'll also need to point SSLCertificateFile to your .cert file and SSLCertificateKeyFile to your .key file.

Restart Apache and browse to https://localhost/. You're now accessing your Apache server over SSL!
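
A check for the two directives just mentioned, added here as an example and not part of the original post: it confirms that the files named by SSLCertificateFile and SSLCertificateKeyFile exist, that the key is no longer pass-phrase protected, and that the key and certificate belong together. It assumes a POSIX shell (for example Git Bash) with openssl on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# certificate directives in an Apache SSL config. The helper names are
# hypothetical; paths are used as written, so run it from the directory
# that relative paths in the config are relative to.

# Print the argument of the first uncommented occurrence of a directive.
directive_value() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '
        tolower($1) == tolower(d) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
            gsub(/"/, "")                     # drop surrounding quotes
            sub(/[ \t\r]+$/, "")              # drop trailing blanks and CR
            print; exit
        }' "$2"
}

# Return 0 only when Apache has a usable, matching key and certificate.
check_ssl_pair() {  # $1 = config file, e.g. conf/extra/httpd-ssl.conf
    cert=$(directive_value SSLCertificateFile "$1")
    key=$(directive_value SSLCertificateKeyFile "$1")
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "SSLCertificateFile or SSLCertificateKeyFile is not set"; return 2
    fi
    for f in "$cert" "$key"; do
        # Catches a config that names bob.crt when the file on disk is bob.cert.
        [ -s "$f" ] || { echo "missing or empty: $f"; return 3; }
    done
    # Step 2 strips the pass phrase; an encrypted key would still say so.
    if grep -q ENCRYPTED "$key"; then
        echo "private key is still pass-phrase protected: $key"; return 4
    fi
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) ||
        { echo "not a readable certificate: $cert"; return 5; }
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) ||
        { echo "not a readable RSA key: $key"; return 5; }
    # Same modulus means the certificate was issued for this private key.
    [ "$cert_mod" = "$key_mod" ] ||
        { echo "key does not match certificate"; return 6; }
    echo "ok: $cert matches $key"
}

# Usage: sh check_ssl_pair.sh C:/Apache/conf/extra/httpd-ssl.conf
if [ "$#" -gt 0 ]; then check_ssl_pair "$1"; fi
```

A non-zero exit status identifies which check failed, so the script can run before each Apache restart.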

Step 4 - Create a VirtualHost Entry for Your Site

If you're like me, you're running Apache because you want to run multiple sites on your local machine. In that case you undoubtedly have multiple <VirtualHost> entries in your httpd-vhosts.conf file. In order to access a particular site via SSL, you need to add an additional <VirtualHost> entry for it. To illustrate I'll show you an existing <VirtualHost> entry that I have, and then the new <VirtualHost> that I created to allow me to access that site via SSL. Here's the original entry:

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot C:/wwwroot/savaCMS
    ServerName savaCMS
    DirectoryIndex index.html index.cfm
    ErrorLog logs/savaCMS-error_log
    CustomLog logs/savaCMS-access_log common
    <Directory C:/wwwroot/savaCMS>
        Options All
        AllowOverride All
    </Directory>
</VirtualHost>

And here's the additional entry that I added:

<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "C:/Apache/conf/ssl/savacms.cert"
    SSLCertificateKeyFile "C:/Apache/conf/ssl/savacms.key"
    ServerAdmin [email protected]
    DocumentRoot C:/wwwroot/savaCMS
    ServerName savaCMS
    DirectoryIndex index.html index.cfm
    ErrorLog logs/savaCMS-error_log
    CustomLog logs/savaCMS-access_log common
    <Directory C:/wwwroot/savaCMS>
        Options All
        AllowOverride All
    </Directory>
</VirtualHost>
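
The SSLCipherSuite string in the :443 entry starts from ALL, so it admits export-grade, low-strength, RC4 and SSLv2 suites (the `+` prefixes only move them to the end of the list). As an added example, not part of the original post, this POSIX shell filter flags such suites in the output of `openssl ciphers -v`; the sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): list the weak suites in the
# output of `openssl ciphers -v`. Function names are hypothetical.

# Reads `openssl ciphers -v` lines on stdin, prints "NAME: reasons".
weak_ciphers() {
    awk '
    function add(r, s) { return (r == "") ? s : r ", " s }
    NF >= 6 {
        why = ""; alg = ""; bits = 0
        for (i = 3; i <= NF; i++)
            if ($i ~ /^Enc=/) {               # e.g. Enc=RC4(40), Enc=None
                split(substr($i, 5), p, /[()]/)
                alg = p[1]; bits = p[2] + 0
            }
        if ($2 == "SSLv2")          why = add(why, "SSLv2 suite")
        if ($NF == "export")        why = add(why, "export-grade")
        if ($0 ~ /Au=None/)         why = add(why, "no authentication")
        if (alg == "None")          why = add(why, "no encryption")
        if (alg == "RC4")           why = add(why, "RC4")
        if (bits > 0 && bits < 112) why = add(why, bits "-bit key")
        if (why != "") print $1 ": " why
    }'
}

# Constructed sample in the format `openssl ciphers -v` prints.
sample_listing() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
EOF
}

# With an argument, audit a real cipher string; otherwise audit the sample.
if [ "$#" -gt 0 ]; then
    openssl ciphers -v "$1" | weak_ciphers
else
    sample_listing | weak_ciphers
fi
```

To audit the live setting, pass the SSLCipherSuite value as the first argument. An empty result needs a stricter string, for example `HIGH:!aNULL:!MD5` together with `SSLProtocol all -SSLv2`, which is a suggestion to verify against your own OpenSSL build.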

I can now browse to http://savaCMS/ as well as https://savaCMS/! Hopefully these instructions will be found by the next person who chooses to attempt this.

Comments
Bob, Thank you for doing this. I followed your instructions and everything worked perfectly. Nice work.
# Posted By Jason Dean | 4/22/09 2:22 AM
Hi Bob,

This is awesome, thank you very much..., It saved a lot of time for me.
Steps were very simple and easy.
# Posted By Kalyan Chandra | 5/11/09 3:58 AM
Great article.. I had found the Neilstuff article and docs and was wondering how to reconcile this info with the Apache OpenSSL version. This answered all those questions.

One minor note: There is an openssl.cnf file in the distro. It's installed in the conf directory. Maybe it doesn't get installed with an upgrade? You can use this by using openssl -config ../conf/openssl.conf ...
# Posted By CG Monroe | 6/11/09 2:41 PM
In finishing up my install, I found that your SSL info implies something that doesn't work. You can't use Named virtual hosts and use *different* SSL certificates. You can use a single certificate in both VHs but all SSL connections will use the first certificate found. This means that users will get warnings about invalid certificate for all VHs except the one that matches the certificate. Not an issue if you're self certifying and don't care, but a problem if you're working with uninformed users.
# Posted By Greg Monroe | 6/12/09 12:29 PM
Greg,

I was just setting this up for my own local development, so that wasn't an issue for me. Thanks for the heads up though.
# Posted By Bob Silverberg | 6/12/09 12:36 PM
Hey Bob, thanks a lot! I was following lots of tutorials based on older versions of Apache while using the latest one you wrote about. Hence no luck on enabling the SSL. Now it is all sorted out and working.
# Posted By Deepak Kar | 6/29/09 6:31 AM
The two command-line openssl statements in Step 2 did not
work for me, even though I put openssl.cnf in my Apache 2.2
bin directory (where openssl.exe sits): I got error message:
"can't open config file: /usr/local/ssl/openssl.cnf"!

Note, too, that Windows XP gave some grief with the .cnf
extension, which on my system at least is interpreted as the
SpeedDial extension. I had to change the Windows .cnf file type
so it was no longer of type SpeedDial.
# Posted By Murray Eisenberg | 7/13/09 4:38 PM
When I renamed openssl.cnf its type changed to SpeedDial.
In Step6:2 when I ran the command it was giving the error

"Error on line -1 of openssl :: system library:fopen:no such filr or directory: .\crypto\bio\bss_file.c:12"fopen<'openssl.cnf' ,''rb'>
# Posted By Naveen | 8/20/09 5:26 AM
In order to generate a Certificate Signing Request (CSR) on your Apache web server on Windows Server you have to go to the Apache bin folder:

- C:\Program Files\Apache Software Foundation\Apache2.2\bin

and then execute this:

- openssl req -config \conf\openssl.cnf -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
# Posted By Luca Zavarella | 9/3/09 4:21 PM
Thanks Luca ....
Now I am able to set up https on my machine

Thanks a lot
# Posted By Naveen | 9/4/09 12:33 AM
THANK YOU!!! I have an online store that I've been having a heck of a time with because I couldn't run it on my home machine for development. All the other articles discussing this were worthless. I spent hours trying to get it going. With your great article here, I had it up and running in about 15 minutes. Thanks again you are a lifesaver!
# Posted By Randall Fox | 9/5/09 10:02 AM
Bob - thanks for this, I only had to do it twice and everything works!

One note in Step 2 where it says this:
openssl x509 -in bob.csr -out bob.cert -req -signkey bob.key -days 365

I had to use bob.crt (not bob.cert) - Apache recognized the .crt extension as a Security Certificate then.

Apache wouldn't start for me when I used .cert.

Thanks Again!
# Posted By Jim Pickering | 10/24/09 12:36 PM
Thanks Bob!

This was very helpful to me. I'm used to setting up SSL on Tomcat, but I've never had to do it in Apache. Your steps got me through it with very little difficulty. Now I can conquer my osCommerce integration problems!
# Posted By Aaron Nance | 11/20/09 1:32 PM
I'm having an issue where I can't see any images or CSS styles which are to be generated by a PDF file. The PDF file code is 100% because the images and CSS show once I disable the mod_ssl in apache2. Is there any way to have both SSL and image output?
# Posted By reya276 | 1/26/10 1:30 PM
Thanks Bob.
I was in a world of hurt before I found your article.

Following your steps made the whole thing easy.
# Posted By Mick O'Connor | 2/11/10 12:02 PM
Totally awesome post! Thanks... it really, really helped.

Just wanted to share this piece of info: I have multiple websites set up on Apache - and was hoping that the steps above would allow me to use SSL on all websites. However, since I am using Windows XP, Server Name Indication (SNI) is not available. Without SNI, you need to use different IP addresses for each Virtual Host - otherwise the first virtual host with SSL will be used, and the root directory for that website will be used as well ... so all of a sudden you are in a completely different website when you go from http to https! So to get around that you need to use different IP addresses for each website .... which would normally not be a problem - however the developer version of ColdFusion only allows the use of 3 IP addresses, and therefore only 3 different websites. So for now I'm just gonna deal with it. I will get around this problem by upgrading to a new version of Windows soon, and that should solve the problem. Other workarounds could also be 1) Use Railo or Open Bluedragon instead 2) Use the same root directory for each website, and use subdirectories for each website. So instead of https://website1, https://website2, you'd have https://localhost/website1, https://localhost/website2. (Of course the web browser will throw an exception in this case, but who cares... it's just for local development use.)

Anyway - I hope this info helps someone. It took me a few hours to figure out why things weren't working the way I wanted.

Thanks again for your awesome post... was really helpful!
# Posted By Dudley | 5/14/10 4:48 PM
I have followed the steps and everything seemed ok until I added the second virtual host for https.
Restarting Apache now fails with
====
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
====

Any hints as to why this is happening?
# Posted By Dan S | 7/29/10 12:47 PM
Sorry, Dan, I'm actually no longer on Windows, so I don't really know.
# Posted By Bob Silverberg | 7/29/10 12:51 PM
Hi,
after installing apache -2.2.11-win32-x86-openssl-0.9.8.msi, I want to use openssl.cnf to create a self-signed certificate
"openssl req -config openssl.cnf -new -out bob.csr -keyout bob.pem"
When I do the following, I get the message "error on line -1 of openssl.cnf
4600:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:126:fopen('openssl.cnf','rb')
4600:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:129:
4600:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197:"


how can help me !!
10x
# Posted By shadi Q | 10/5/10 8:36 AM
Hello, I know this topic is old, but I have one problem :)

When I try to uncomment Include conf/extra/httpd-ssl.conf I can't start Apache!!

It says: The request operation has failed...

I do not know what I should do with it. Any ideas how to fix it?

Thanks.
# Posted By Spectrik | 10/17/10 3:52 PM
I knew how to do it on Linux but I couldn't be bothered to learn how to do it on win, and that tutorial is a quick and easy one to get it done, so kudos to you. :)
# Posted By mathieu | 12/28/10 10:17 AM
Super precise instructions. Saved hours of work. Thank you, Thank you.
# Posted By Bijoy | 7/29/11 1:41 AM
Hey Guys, I’ve followed each step, however my Apache doesn’t restart once I uncomment the line “Include conf/extra/httpd-ssl.conf” in httpd.conf. No further error logs either.

Any idea what could be happening???

Tks anyway.
# Posted By Renato Medina | 8/3/11 10:56 AM
Problem fixed!!!!

The port 443 was busy.. I just used at the command line:

netstat -abnovp tcp

It will show you the number of the service PID, then type that

taskkill /pid XXX (XXX change for the number of the PID)
# Posted By Renato Medina | 8/3/11 12:46 PM
Note that Skype by default attaches to ports 443 (and 80) so Apache will not start unless you stop Skype then start Apache or set Skype (in Tools / Options / Advanced I think) to not use ports 80 and 443.
BTW, when Apache fails to attach to the specified port it can't write to its log file for some reason; you can only see the error in the Windows Event Viewer.
# Posted By Bill Hayes | 1/12/12 7:39 PM
For Apache server it's working. In our application we are using apache2 with Tomcat. The connector was mod_jk. How will we use this?
# Posted By Anbarasu | 1/23/12 1:44 AM
Thanks for this tutorial; it's very helpful. (BTW, Apache 2.2.22 has a bug that does not allow parentheses in SSL session cache destination. I removed (x86) and it worked.)

I want a browser request that comes to http://localhost to be redirected to https://localhost, so the only access will be over SSL. How can I do this?

Thanks.
# Posted By Aneesh Kumar | 4/4/12 6:52 AM
I spent 15 minutes to set SSL on windows XP and 6 hours on windows 7. Someone may find useful notes about installation on win 7.
-I installed version 2.2.22. File openssl.cnf is included in the package. Step1 is now just to install the Apache web server.
-Install Apache on C:\Apache folder (or any other "non system" folder without spaces in path) and not on default C:\Program Files...
-Step2 then can be done as openssl req -config ..\conf\openssl.cnf -new -out bob.csr -keyout bob.pem
-Step3 You set values of ServerAdmin, DocumentRoot, ServerName, ErrorLog and TransferLog during the installation. You just need to point SSLCertificateFile to .cert file and SSLCertificateKeyFile to .key file.
First I got the error: (OS 5)Access is denied. : Failed to open the Apache2.2 Service. It was a Windows Firewall issue. Stop the Apache service and run httpd.exe as administrator. The Windows Firewall dialog appears so you can allow connections to Apache.
If you want you can refine settings in Apache HTTP inbound rule.
After that SSL works!
# Posted By Miro | 6/30/12 5:32 AM
I too was having a problem getting SSL to run. I learned some things that will help someone trying to get SSL on Win7. 1) make sure when you do the command line openssl commands to open the CMD window in Administrator mode. 2) Make sure your paths to the .cert, .key file are correct. 3) make the extension .cert .crt since that is how it's defined in the httpd-ssl.conf file around line 50. 4) Check the event viewer if you have a fail to start the Apache after making the changes and in httpd-smteisl.conf 5) explicitly name localhost in the etc/hosts file even though it's handled in DNS itself.
# Posted By Mark Richards | 7/5/12 8:18 PM
Oh. My. God. I also previously had Apache2.2 with OpenSSL up and running on WinXP x86 in a matter of minutes. And now I have been trying to set it up on Win7 x64 for nearly 5 hours. The problem I had was the parentheses in the "Program Files (x86)" directory. I absolutely never would have figured that out if I hadn't read this thread. Apparently the parser that reads the SSLSessionCache line in httpd-ssl.conf gets tripped up by "(x86)" when it's looking for "ssl_scache(512000)"

Installed to another path that is free of parentheses and it works exactly like I expected it to all along.

Unbelievable...
# Posted By mike3 | 7/7/12 6:41 AM
Thank you! It was really helpful!
# Posted By Marko | 7/30/12 2:31 PM
FANTASTIC guide, worked like a charm, cheers :)
# Posted By Rich | 8/3/12 11:02 AM
Thanks, man, you're a life saver! This worked like a charm!

I had one difficulty, only, that I'd like to share... Every time I restarted the server I got a message saying that my SSLCertificateFile did not exist or was empty. This happened because the generated certificate file had a .cert file type, while the example in the conf-ssl file was .crt, and that slipped my attention for almost 4 hours. Fixed that, got it working.

Thanks again.
# Posted By Igor Donin | 8/15/12 9:41 PM
Very informative, thank you. How can I configure SSL in cluster mode?
# Posted By S2S | 8/30/12 2:11 PM
I just keep getting "The requested operation has failed" when trying to start, and nothing in the error.log - very frustrating! I had originally generated my key and certificate slightly differently, but even when I copy your method identically, it makes no difference.
The one thing that was not clear to me in the instructions was what to put in httpd-ssl.conf. Maybe I have something wrong in there as I'm not sure what to enter for ServerName etc in the _default_:443 section. Any chance someone could tell me if it should be the same as in the httpd-vhosts.conf file please?
# Posted By Paul | 9/6/12 1:05 PM
If you're getting an error without any error log showing the problem, look at the Event log in Windows. I had a problem and was able to isolate the root and fix it. It could be a simple typo.
# Posted By Mark | 9/11/12 8:37 PM
I apologize for asking this question (as a newbie), but I am running Apache 2.2.21 (without SSL) and when trying to run the openssl .msi to "upgrade" in Step 1, I get an error that "Another version of this product is already installed." This occurs even when Apache is not running. What do I need to do to get the .msi to run in order to upgrade my non-ssl install?
# Posted By Newbie | 9/25/12 12:09 PM
If using Windows 7 you might have to run CMD as administrator even if your account has admin privileges. I couldn't create the cert and pem files without this step.
# Posted By Rachel Reveley | 10/15/12 8:49 AM
always check this part
C:\Programs\Apache\conf\extra\httpd-ssl or whatever path you have.

SSLCertificateFile "E:/Programs/Apache/conf/dev.cert"
SSLCertificateKeyFile "E:/Programs/Apache/conf/dev.key"

double check that you put the exact path.
# Posted By S2S | 10/18/12 3:17 PM
PLEASE HELP! How do I configure my openssl in cluster mode? Like, I have an application running in node1, node2 and node3, and I will put my apache_openssl in node1 only.
# Posted By S2S | 10/18/12 3:20 PM
It's a really nice article. You can find the same one with a step by step guide at http://www.ittechguru.net/?p=663
# Posted By Muhammad Abid Adnan | 10/28/12 11:30 PM
Thanks a lot. I've done it.
# Posted By Anwar | 12/16/12 11:22 AM
Simple, sweet and straight to the point. The only drawback is that Windows XP will not resolve other hostnames with one SSL certificate. What I attempted to do was create another SSL certificate for my other domain and place that key and cert file into a new folder
# Posted By surgio | 2/5/13 2:39 PM
Great guide, got it up and running, but now faced with the "The site's security certificate is not trusted" error page with the https crossed out and the padlock crossed.
# Posted By Paul | 2/6/13 2:45 PM
Thanks for sharing! Instructions were simple and to the point.
# Posted By Phing Chov | 4/19/13 12:20 PM
Thanks for the post. It saved us time.

I am facing one issue. The issue is that if I uncomment "Include conf/extra/httpd-ssl.conf" in httpd.conf, the Apache server doesn't start if I try to restart. It remains yellow. In the notification, it says offline.

Regards,
Subhash
# Posted By Subhash Karemore | 5/30/13 4:23 AM