How to Configure Apache and OpenSSL on Windows XP

For background and an overview of the OpenSSL certificate generation process, see http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html. This document provides a succinct description of how to perform Client Certificate Authentication with Apache using OpenBSD.

For Apache_mod_ssl, see http://tud.at/programm/apache-ssl-win32-howto.php3. This provides “The Apache + SSL on Win32 HOWTO”, and includes directions to obtain the pre-built Apache+OpenSSl installation. (Go to http://www.modssl.org/contrib/ or http://hunter.campbus.com/, find a file called like Apache_X-mod_ssl_Y-openssl_Z-WIN32[-i386].zip, then download and unzip it to a new folder.

For OpenSSL, see http://www.slproweb.com/products/Win32OpenSSL.html. Download and install and download and install Win32 OpenSSL v0.9.7d.

Configuring Apache2

Basic Setup

Install Apache.
Change at least the following parameters in <Apache-dir>/conf/httpd.conf, replacingall occurrences of www.my-server.dom with your actual domain name.

Comment out Port 80 as Listen overrides it later.)
If not in addition to IIS, specify Listen 80
Listen 443 (so that your server will listen on the standard SSL port)
ServerName www.my-server.dom

(Install the Apache service (NT/2000/XP), and start the server. Verify that everything works before proceeding to the SSL installation because this limits the possible errors. Try http://www.my-server.dom:443/. Communcaitions will not yet be encrypted yet but this will verify that port is properly configured..

Add Virtual Host

Add something like the following to httpd.conf:

###  HACK for OpenSSl ####

### See http://www.modssl.org/docs/2.8/ssl_reference.html for more info

#SSLMutex sem THIS GIVES AN ERROR

SSLMutex default

SSLRandomSeed startup builtin

SSLSessionCache none

#SSLLog logs/SSL.log THIS GIVES AN ERROR

#SSLLogLevel info THIS GIVES AN ERROR

<VirtualHost www.my-server.dom:443>

SSLEngine On

SSLCACertificateFile conf/ssl/ca.crt

SSLCertificateFile conf/ssl/server.crt

SSLCertificateKeyFile conf/ssl/server.key

<Location /testSSL>

   SSLRequireSSL

   SSLVerifyClient require

   SSLVerifyDepth 10

</Location>

</VirtualHost>

Preparing Certificates

Create the Certificate Authority (CA)

Generate a private key and a certificate request, and then self-sign the certificate.

openssl genrsa -out ca.key 1024

openssl req -new -key ca.key -out ca.csr

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Create the Web Server Certificate

Create a self-signed certificate for SSL requests:

openssl genrsa -out server.key 1024

openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Make sure the path to the certificates is correct in httpd.conf as above.

Install the CA Certificate on the Web Server

Copy the CA certificate to /conf/ssl.crt/ca.crt, on the web server.

As above, tell the web server (Apache) where to find the CA certificate. In httpd.conf::

<VirtualHost _default_:443>

...

SSLCACertificateFile conf/ssl/ca.crt

...

</VirtualHost>

Require a Certificate for Access

As above, the URL (in this case /testSSL) to require authentication for. httpd.conf:

<VirtualHost _default_:443>

...

<Location /testSSL>

   SSLRequireSSL

   SSLVerifyClient require

   SSLVerifyDepth 10

</Location>

...

</VirtualHost>

Restart Apache.

Have the Client Request a Certificate

Generate a private key and certificate request:

openssl genrsa -out client.key 1024

openssl req -new -key client.key -out client.csr -config openssl.cnf

Note that OpenSSL won't be able to obtain a nice pseudo-random sample for its key generation, and will complain. However, it will allow you to specify a document for added entropy with the -rand switch. In testing, I created a file on the OpenBSD machine with dd if=/dev/srandom of=output.txt bs=4096 count=1, copied that file to Windows, and generated a key with openssl genrsa -rand output.txt -out client.key 1024.

Have the Authority Sign the Certificate

Sign the client request with the CA's private key:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

Copy the signed certificate (client.crt) back to the client.

Prepare the Client Certificate

Create a PKCS#12 document from the client private key and the signed certificate:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Importing the Client Certificate (Internet Explorer 6)

In Internet Explorer 6:

Select Tools/Internet Options/Content/Certificates/Import/Personal.

Select the Personal Information Exchange format certificate, client.pi2:

Click on Open:

4. Click on Next:

5. Check both checkboxes and type the password specified previously. Then click Next:

6. Click Next:

7. Click Finish.

8. Click Set Security Level.

9. Click High, then Next

10. Create a password as indicated, then click Finish. The certificate then appears as follows:

11. Select the certificate and then View:

Note that the CA certificate was imported previously as a Trusted Root Certificate, as was the Server Certificate.

Public-Key Cryptography Standards: http://www.rsasecurity.com/rsalabs/pkcs/

X-series Recommendations: X.500 and up: http://www.itu.int//itudoc/itu-t/rec/x/x500up/

Created: 2004-04-06 03:59

Last saved by: Michael Cook at 2004-04-06 04:20.

No.bytes: 6666

No. pages: 178

File name: How2configWXP+OpenSSL.htm

Notices and Credits

Other sections adapted from http://tud.at/programm/apache-ssl-win32-howto.php3 by Balázs Bárány (http://tud.at), © Balázs Bárány 1999-2003. Other contributors: Horst Bräuner (OpenSSL configuration on NT), Christoph Zich (Windows 98), Torsten Stanienda (Test with 1.3.12, IfDefine directive), Peter Holm (Listen and Port directives)
This document can be redistributed under the GNU Free Documentation License, or otherwise freely distributed and modified, so long as the original authors are credited.
The specific values shown are examples.