Setup SSL Support for Apache 2

Install Apache 2
* Make sure you install an Apache 2 build with SSL support (mod_ssl and OpenSSL included). For an example of installation on the Windows platform, see this post.
Enable mod_ssl
* Open the Apache2/conf/httpd.conf file
* Uncomment the following line:
LoadModule ssl_module modules/mod_ssl.so
Generate Server Key and Signed Certificate
* See this post for an example of how to set up a CA with OpenSSL.
* Generate the server key and a certificate signing request (CSR). The transcript below uses a 1024-bit key, as the original run did; use rsa:2048 or larger for anything that will stay in service. The commonName you enter must be the host name clients will use in the URL (www.my.com here), otherwise the browser will reject the certificate as not matching the site.
C:\OpenSSL\exampleca>set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf

C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout apache_key.pem -keyform PEM -out apache_req.pem -outform PEM
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to 'apache_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
commonName, e.g. www.exampleca.com [Example CA]:www.my.com
stateOrProvinceName, e.g. Virginia [Virginia]:
countryName, e.g. US [US]:
emailAddress, e.g ca@exampleca.com [ca@exampleca.com]:me@my.com
organizationName, e.g. Example CA [Example CA]:My Company
* Sign the CSR. Note that the CA configuration used here signs with MD5 (Signature Algorithm: md5WithRSAEncryption in the output below). Set default_md = sha256 in the CA section of the CA's openssl.conf before signing anything you will rely on, because modern browsers reject MD5-signed certificates.
C:\OpenSSL\exampleca>openssl ca -in apache_req.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'www.my.com'
stateOrProvinceName   :PRINTABLE:'Virginia'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'me@my.com'
organizationName      :PRINTABLE:'My Company'
Certificate is to be certified until Jun 26 18:00:25 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example C
        Validity
            Not Before: Jun 27 18:00:25 2011 GMT
            Not After : Jun 26 18:00:25 2012 GMT
        Subject: CN=www.my.com, ST=Virginia, C=US/emailAddress=me@my.com, O=My Company
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:0d:38:98:d6:95:33:a0:14:ce:a8:1f:f7:ac:
                    d4:83:44:1c:89:bf:61:2b:08:6d:fe:7f:e3:b1:82:
                    12:80:a2:24:84:e6:21:6f:59:71:ff:49:dd:27:30:
                    ac:d8:9a:5d:56:d9:68:f4:ad:e1:05:00:a5:c9:a4:
                    9e:f1:0f:aa:07:b8:a6:20:87:d5:cd:ad:ba:4a:a9:
                    6e:99:7a:a5:63:85:cd:20:c8:d1:14:64:d1:2b:2d:
                    27:d3:5f:ee:94:27:26:b4:ef:01:28:9b:52:36:11:
                    a7:62:4d:7b:b1:8e:41:14:2f:8e:ee:88:d2:2c:04:
                    6c:87:4d:94:a8:58:ee:a4:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        a2:f5:29:c1:30:f6:0a:9f:6d:f6:56:ea:12:3c:1d:e5:4a:d5:
        46:7d:dd:4f:c6:ea:5b:70:c5:2d:d2:8b:cd:72:ad:e9:b3:01:
        83:3c:93:a5:4d:95:89:64:f4:7a:56:61:f6:4f:bc:f7:74:1b:
        1b:60:f0:26:43:a3:4e:ad:03:37:91:1b:b5:fe:3f:81:97:0f:
        f5:ba:92:3c:b8:86:41:37:c8:42:53:73:3d:00:40:10:2a:0f:
        be:78:af:53:3a:9a:7b:44:cf:45:80:53:26:3d:2b:dc:a7:40:
        24:2a:f6:bf:52:ba:9a:33:0a:8c:75:bc:22:79:78:c8:66:39:
        c4:3e:02:50:1b:f6:d1:b2:9c:5b:6b:72:3c:ae:97:36:a8:e8:
        0f:55:7d:35:10:7d:2c:83:ac:f9:6f:4b:a3:b2:56:c2:49:f3:
        d8:76:06:d9:0a:b6:07:ad:98:38:9e:bc:78:5a:36:b7:8f:82:
        6e:ef:6c:08:da:23:a6:20:09:de:35:08:65:47:2b:ce:cb:f7:
        4e:c8:b8:13:07:59:67:ae:1b:b9:e4:e7:aa:3d:b8:be:0d:8b:
        d1:be:ef:23:db:7d:31:92:94:2e:18:50:fd:2f:3a:65:0b:03:
        b7:70:cc:f5:56:0d:bb:c7:e4:a7:12:2a:dc:3c:8f:92:ae:df:
        4f:5f:d2:61
-----BEGIN CERTIFICATE-----
MIIC0zCCAbugAwIBAgIBAjANBgkqhkiG9w0BAQQFADBrMRMwEQYDVQQDEwpFeGFt
cGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG
9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwHhcN
MTEwNjI3MTgwMDI1WhcNMTIwNjI2MTgwMDI1WjBkMRMwEQYDVQQDEwp3d3cubXku
Y29tMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxGDAWBgkqhkiG9w0B
CQEWCW1lQG15LmNvbTETMBEGA1UEChMKTXkgQ29tcGFueTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAqQ04mNaVM6AUzqgf96zUg0Qcib9hKwht/n/jsYISgKIk
hOYhb1lx/0ndJzCs2JpdVtlo9K3hBQClyaSe8Q+qB7imIIfVza26SqlumXqlY4XN
IMjRFGTRKy0n01/ulCcmtO8BKJtSNhGnYk17sY5BFC+O7ojSLARsh02UqFjupGsC
AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQQFAAOCAQEAovUpwTD2Cp9t
9lbqEjwd5UrVRn3dT8bqW3DFLdKLzXKt6bMBgzyTpU2ViWT0elZh9k+893QbG2Dw
JkOjTq0DN5Ebtf4/gZcP9bqSPLiGQTfIQlNzPQBAECoPvnivUzqae0TPRYBTJj0r
3KdAJCr2v1K6mjMKjHW8Inl4yGY5xD4CUBv20bKcW2tyPK6XNqjoD1V9NRB9LIOs
+W9Lo7JWwknz2HYG2Qq2B62YOJ68eFo2t4+Cbu9sCNojpiAJ3jUIZUcrzsv3Tsi4
EwdZZ64bueTnqj24vg2L0b7vI9t9MZKULhhQ/S86ZQsDt3DM9VYNu8fkpxIq3DyP
kq7fT1/SYQ==
-----END CERTIFICATE-----
Data Base Updated
* Rename the signed certificate. openssl ca writes the new certificate under its serial number in the certs directory (02.pem here, matching Serial Number: 2 above), so give it a name that says what it is:
C:\OpenSSL\exampleca>cd certs

C:\OpenSSL\exampleca\certs>dir
 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  02:00 PM             3,267 02.pem

C:\OpenSSL\exampleca\certs>rename 02.pem apache_cert.pem

C:\OpenSSL\exampleca\certs>dir
 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  02:00 PM             3,267 apache_cert.pem

C:\OpenSSL\exampleca\certs>cd ..

C:\OpenSSL\exampleca>
* Remove the pass phrase from the server key, so that Apache can start unattended without prompting for it. The resulting file is a plaintext private key: restrict it so that only the account Apache runs as (and administrators) can read it, and keep the encrypted original as your backup copy.
C:\OpenSSL\exampleca>openssl rsa -in apache_key.pem -out apache_key_nopass.pem
Enter pass phrase for apache_key.pem:
writing RSA key

C:\OpenSSL\exampleca>dir apache_*.pem
 Directory of C:\OpenSSL\exampleca

06/27/2011  01:58 PM             1,041 apache_key.pem
06/27/2011  02:16 PM               887 apache_key_nopass.pem
06/27/2011  01:58 PM               647 apache_req.pem
* Copy the server key (apache_key_nopass.pem) and the certificate (apache_cert.pem) to the Apache 2 conf directory
C:\OpenSSL\exampleca>copy apache_key_nopass.pem C:\prog\Apache2.2\conf
        1 file(s) copied.

C:\OpenSSL\exampleca>copy certs\apache_cert.pem C:\prog\Apache2.2\conf
        1 file(s) copied.

C:\OpenSSL\exampleca>dir C:\prog\Apache2.2\conf\apache_*.pem
 Directory of C:\prog\Apache2.2\conf

06/27/2011  02:00 PM             3,267 apache_cert.pem
06/27/2011  02:16 PM               887 apache_key_nopass.pem
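The interactive transcripts above are hard to repeat and use parameters (a 1024-bit key, an MD5 signature, no subjectAltName) that current clients reject. The script below is an added example, not part of the original post, that runs the same steps (key, CSR, signing, pass-phrase removal) non-interactively with RSA-2048, SHA-256 and a subjectAltName, and then checks the result before anything is copied into Apache. It is written for a POSIX shell (Git Bash or WSL on Windows; the openssl invocations are identical in cmd.exe), signs with openssl x509 -req instead of the post's openssl ca so it needs no CA database, and builds its own throwaway CA. The CA name, the host name www.my.com, the pass phrase and the file names are demo assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key/CSR/sign/
# strip-passphrase steps with current parameters, plus offline checks.
# CA name, host name, pass phrase and file names are demo assumptions.
set -eu

# Build a throwaway CA under $1 (the post's CA comes from a separate setup).
make_test_ca() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Example CA/O=Example CA/C=US" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod 600 "$dir/cakey.pem"
}

# Issue a server certificate for host $2 into $1, mirroring the post's steps.
issue_server_cert() {
  dir=$1; host=$2; pass=${3:-changeit}   # demo pass phrase (assumption)
  make_test_ca "$dir"
  # Key + CSR: the DN is passed with -subj instead of answering prompts.
  openssl req -newkey rsa:2048 -sha256 -keyout "$dir/apache_key.pem" \
    -passout "pass:$pass" -subj "/CN=$host/O=My Company/C=US" \
    -out "$dir/apache_req.pem" 2>/dev/null
  # Extensions the CA attaches (the post's "CA:FALSE" came from its CA config).
  # Browsers match the host name against subjectAltName, not the CN.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName   = DNS:$host
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -in "$dir/apache_req.pem" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/server.ext" -out "$dir/apache_cert.pem" 2>/dev/null
  # Strip the pass phrase so Apache can start unattended, then make the
  # plaintext key readable by its owner only.
  openssl rsa -in "$dir/apache_key.pem" -passin "pass:$pass" \
    -out "$dir/apache_key_nopass.pem" 2>/dev/null
  chmod 600 "$dir/apache_key_nopass.pem"
}

# Checks worth running before copying anything into Apache's conf directory.
# Prints "ok" on success, a reason on failure.
verify_issued_cert() {
  dir=$1; host=$2
  # Chain and host name: what the browser will check after the CA import.
  openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
    "$dir/apache_cert.pem" >/dev/null 2>&1 \
    || { echo "chain or host name check failed"; return 1; }
  # Key and certificate must carry the same public key; a mismatch is the
  # classic "certificate and key do not match" mod_ssl startup failure.
  cert_pub=$(openssl x509 -in "$dir/apache_cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/apache_key_nopass.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  # No MD5 signature, unlike the post's transcript.
  openssl x509 -in "$dir/apache_cert.pem" -noout -text \
    | grep -q "sha256WithRSAEncryption" \
    || { echo "unexpected signature algorithm"; return 1; }
  # The original key stays encrypted; the copy for Apache is not.
  grep -q "ENCRYPTED" "$dir/apache_key.pem" \
    || { echo "original key is not encrypted"; return 1; }
  if grep -q "ENCRYPTED" "$dir/apache_key_nopass.pem"; then
    echo "pass phrase was not removed"; return 1
  fi
  echo ok
}

# Run directly as: sh make_server_cert.sh <output dir> <host name>
# With no arguments the file only defines the functions, so it can be sourced.
if [ "$#" -eq 2 ]; then
  issue_server_cert "$1" "$2"
  verify_issued_cert "$1" "$2"
fi
```

Run it as sh make_server_cert.sh ./out www.my.com; the files in ./out have the same names as in the transcripts (apache_key_nopass.pem, apache_cert.pem), plus cacert.pem for the browser import. The public-key comparison is the quickest way to catch a key/certificate mix-up before Apache refuses to start, and the -verify_hostname check catches a CN or SAN that does not match the URL before the browser does.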
Setup a virtual host to accept HTTPS requests
* Create a new directory named vhosts within the conf directory. Keeping the virtual hosts in their own directory lets you pull every file in it into httpd.conf with a single Include directive:
Include conf/vhosts/*.conf
* Create a new text file named ssl.conf in the newly created vhosts directory with the following content:
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile conf/apache_cert.pem
    SSLCertificateKeyFile conf/apache_key_nopass.pem
</VirtualHost>
* Include the newly created ssl.conf from the main httpd.conf file by appending the following line to httpd.conf (use either this line or the wildcard Include of conf/vhosts/*.conf, not both, otherwise ssl.conf is loaded twice and the Listen 443 is duplicated):
Include conf/vhosts/ssl.conf
* Check the configuration with httpd -t (it should print Syntax OK; a wrong path to the key or certificate shows up here rather than as a failed service start), then restart Apache 2
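The minimal ssl.conf above leaves the protocol and cipher selection to mod_ssl's defaults, which on Apache 2.2 still allow SSLv2, SSLv3 and weak cipher suites, and it has no ServerName, so Apache cannot warn you when the certificate and the site name disagree. Here is the same virtual host with those set explicitly, as an added example that is not part of the original post; it assumes Apache 2.2 on Windows with the file names used above, and www.my.com is the example host name from the certificate:

```apache
Listen 443
<VirtualHost _default_:443>
    # Must match the certificate's commonName / subjectAltName
    ServerName www.my.com

    SSLEngine on
    SSLCertificateFile    conf/apache_cert.pem
    SSLCertificateKeyFile conf/apache_key_nopass.pem

    # Do not leave the protocol list at its default: SSLv2 and SSLv3 are broken.
    SSLProtocol all -SSLv2 -SSLv3
    # Let the server pick the suite, and exclude anonymous, MD5 and RC4 suites.
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Separate logs make handshake failures much easier to find
    ErrorLog  logs/ssl_error.log
    CustomLog logs/ssl_access.log common
</VirtualHost>
```

After editing, httpd -t again before the restart; SSLProtocol and SSLCipherSuite values are validated at startup, so a typo here stops Apache from starting at all rather than silently falling back to the defaults.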
Test HTTPS Connection
Import CA certificate into Firefox browser
* Start Firefox
* Go to Tools -> Options -> Advanced -> Encryption -> View Certificates -> Authorities -> Import
* Browse to C:\OpenSSL\exampleca\cacert.pem and click Open in the Select File dialog
* Check "Trust this CA to identify web sites" and click OK in the Downloading Certificate dialog
* Click OK in Certificate Manager
* Click OK in the Options dialog
* From now on this browser trusts any certificate signed by the example CA, so keep the CA's private key (C:\OpenSSL\exampleca\private\cakey.pem) readable only by whoever operates the CA, and import the CA certificate only into browsers you control
Test HTTPS
* Point the browser to https://www.my.com (the name must resolve to the server, for example through the hosts file, and must match the commonName in the certificate)
* You should see the following message
It works!
* The same check without a browser: openssl s_client -connect www.my.com:443 -CAfile C:\OpenSSL\exampleca\cacert.pem should print Verify return code: 0 (ok) at the end of its output; add -verify_hostname www.my.com to also check that the name in the certificate matches. Any other return code means the chain presented by Apache is not the one you just issued.