cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Thu 16 Dec '10 16:49 Post subject: Update SSL

Hey, I'm new to Apache and in need of some help getting it running with SSL.
I have bought a wildcard certificate from Comodo and need to create the CSR, but I'm getting an error when I try to create it.
I have written to Comodo support, and they say I need to be running at least version 0.9.8q of OpenSSL.
And the newest version of Apache with OpenSSL in it is only running version 0.9.8o, so how do I upgrade the OpenSSL in Apache?
Do I just install the Win32 OpenSSL version 1.0.0c, which is the newest version?
I'm running the server on a Windows 2008 R2 server, so is it possible to run 32-bit Apache and 64-bit OpenSSL?
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Thu 16 Dec '10 17:59 Post subject:

It is not that easy. OpenSSL needs to be compiled into Apache; simply installing it won't help you.
But you can obtain Apache 2.2.17 (32-bit) and the upgrade to OpenSSL 1.0.0c (32-bit) from this page (see Downloads), or grab 64-bit Apache 2.2.17 from apachehaus.com with OpenSSL 1.0.0c.
I wonder why you should upgrade to OpenSSL 0.9.8q, because if they are talking about SNI, that has been in OpenSSL since 0.9.8f. But I don't think it is SNI related, because Internet Explorer only supports SNI on Windows Vista or newer. That would keep a lot of XP / 2000 users out / lead to certificate errors.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 16 Dec '10 22:15 Post subject:

To just generate a CSR & key, you could use any Windows build of OpenSSL 0.9.8q or 1.0.0c. I doubt it will matter what OpenSSL you are running on the server once you have your cert in hand. If it does matter, then James has spelled out the Apache alternatives you could use.
I'd even suggest creating the CSR & key on a computer other than the server; I always do. That way there is no worry about mixing versions of OpenSSL on the server.
Once you have your cert, key & CA files, you just copy them onto the server, configure & run.
cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Thu 16 Dec '10 22:53 Post subject:

The error I'm getting is because OpenSSL can't locate the directory it uses as standard.
This is because it is a directory for Unix and not Windows.
I can see that the versions on apachehaus are using OpenSSL version 1.0.0a; how do I upgrade this to the 1.0.0c version?
Are there any advantages to running the 64-bit version, or is it better to use the ones posted on apache.org?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 16 Dec '10 23:55 Post subject:

That pesky openssl.cnf file; how I forgot about it I don't know.
Two options:
Option 1: I think the default is usr\local\ssl.
If openssl.exe is on the C drive, then C:\usr\local\ssl is the same path. If you create those folders and drop the openssl.cnf file in there, things will work.
Option 2: use the environment; see the last post in
http://www.apachelounge.com/viewtopic.php?t=3008
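As an added example (not from the thread, and not the poster's own commands), here is the CSR step as a script. It writes a minimal openssl.cnf and hands it to `openssl req` with `-config`, which sidesteps the missing compiled-in Unix default directory the same way as dropping the file into C:\usr\local\ssl or setting the environment, and then runs the checks worth doing before the CSR goes to the CA: the CSR's self-signature verifies, its public key belongs to the private key, and the wildcard name is in both the CN and the SAN. The domain (example.dk), organisation, file names and work directory are assumptions. It is written for a POSIX shell; the openssl.exe invocations are the same in a Windows cmd prompt, with `set OPENSSL_CONF=C:\path\openssl.cnf` in place of `-config` if you prefer the environment route.

```shell
#!/bin/sh
# Added example, not code from the thread: make a key and CSR for a
# wildcard certificate with an explicit openssl.cnf, then check the CSR
# before sending it to the CA. Domain, organisation and paths are assumed.
set -eu

# Work directory holding openssl.cnf, the key and the CSR
# (the Windows equivalent of C:\usr\local\ssl from the post above).
WORKDIR="${WORKDIR:-./ssl-work}"

# Write a minimal openssl.cnf for "openssl req". Passing it with -config
# means OpenSSL never looks for its compiled-in Unix default path, which
# is what a Windows build complains about when no config is found.
# $1 = directory, $2 = base domain
write_req_cnf() {
    mkdir -p "$1"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
C  = DK
O  = Example Organisation
CN = *.$2

[ v3_req ]
# A wildcard cert is usually wanted for the bare domain as well
subjectAltName = DNS:*.$2, DNS:$2
EOF
}

# Generate a 2048-bit RSA key and a CSR for *.domain.
# $1 = directory, $2 = base domain
make_wildcard_csr() {
    write_req_cnf "$1" "$2"
    openssl genrsa -out "$1/MyServer.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" \
        -key "$1/MyServer.key" -out "$1/MyServer.csr"
}

# Pre-submission checks: the CSR's self-signature verifies, its public key
# belongs to MyServer.key (compare modulus hashes), and both the CN and the
# SAN carry the wildcard name. Prints the CN on success; non-zero otherwise.
# $1 = directory, $2 = base domain
check_csr() {
    csr="$1/MyServer.csr"; key="$1/MyServer.key"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_mod=$(openssl req -in "$csr" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$key" -noout -modulus | openssl md5)
    [ "$csr_mod" = "$key_mod" ] || return 2
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *\*\.$2" || return 3
    openssl req -in "$csr" -noout -text | grep -q "DNS:\*\.$2" || return 4
    echo "*.$2"
}

# Stand-alone run; afterwards only MyServer.csr leaves this machine.
make_wildcard_csr "$WORKDIR" "example.dk"
check_csr "$WORKDIR" "example.dk"
```

Only MyServer.csr is sent to the CA; MyServer.key stays where it was generated and is copied to the server over a trusted channel once the certificate comes back. Running `check_csr` again after swapping in a different key shows the modulus comparison catching a CSR that does not belong to the key you are about to install.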
cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Fri 17 Dec '10 14:55 Post subject:

It worked making the directory on the C drive, so now I was able to create my *.csr and *.key files.
So now I could finally submit the CSR to Comodo!
Thanks for the help; now the next problem is to configure the Apache server to run on SSL.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Sat 18 Dec '10 23:22 Post subject:

quick example
Code:
<IfModule ssl_module>
# Global mod_ssl settings: PRNG seeding, protocol set, session cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2
SSLSessionCache shm:/apache22/logs/ssl_gcache_data
</IfModule>
# Needed so several <VirtualHost *:443> blocks can be told apart by name (SNI)
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "C:/apache22/htdocs"
ErrorLog "C:/apache22/logs/ssl.error.log"
TransferLog "C:/apache22/logs/ssl/ssl.access.log"
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server certificate and its private key
SSLCertificateFile "C:/apache22/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/apache22/conf/ssl.key/server.key"
# CA certificate (used for client-cert verification) and the intermediate chain sent to clients
SSLCACertificateFile "C:/apache22/conf/ssl/ca.pem"
SSLCertificateChainFile "C:/apache22/conf/ssl/ca-bundle.pem"
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# Export the SSL_* variables to CGI/PHP scripts only
<Files ~ "\.(cgi|shtml|phtml|php?)$">
SSLOptions +StdEnvVars
</Files>
# Legacy workaround for SSL bugs in old MSIE versions
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SetOutputFilter DEFLATE
DeflateCompressionLevel 9
<Directory "C:/apache22/htdocs">
Options Indexes FollowSymLinks ExecCGI
# PHP via mod_fcgid
SetEnv PHPRC "C:/php-nts"
AddHandler fcgid-script .php
FCGIWrapper "C:/php-nts/php-cgi.exe" .php
AllowOverride All
Order allow,deny
Allow from all
# Refuse the CONNECT method (proxy tunnelling) for this directory
<Limit CONNECT>
Deny from all
</Limit>
</Directory>
</VirtualHost>

Edit: Added CA cert & bundle
cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Mon 20 Dec '10 9:26 Post subject:

Thanks. Do I need to do this for every one of my subdomains, or is it possible to make most of the settings apply to all subdomains?
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 20 Dec '10 11:06 Post subject:

Depends. If all subdomains have the same document root you can use ServerAlias; else you have to do that for every subdomain.
cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Mon 20 Dec '10 12:39 Post subject:

OK, this is how my virtual hosts look today, on an Apache server not running SSL:
<VirtualHost *>
ServerAdmin email address
DocumentRoot c:/www/directory for every subdomain
ServerName subdomain.domain.dk
</VirtualHost>
Do I need to put that information in the httpd.conf file?
What do I need to do if the server is only to accept HTTPS requests?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 20 Dec '10 21:16 Post subject:

Well, he has a wildcard, so regardless of how many subdomains and document roots, some things will not change, and what doesn't change can easily be moved outside the vhost.
Code:
# With a wildcard cert these are the same for every subdomain
SSLCertificateFile "C:/apache22/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/apache22/conf/ssl.key/server.key"
SSLCACertificateFile "C:/apache22/conf/ssl/ca.crt"
SSLCertificateChainFile "C:/apache22/conf/ssl/ca-bundle.crt"
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
<Files ~ "\.(cgi|shtml|phtml|php?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SetOutputFilter DEFLATE
DeflateCompressionLevel 9

This would be fair game for moving outside.
If you end up with a domain or two using a different set of certs, anything you put inside a VirtualHost will override the global setting.
One thing to make sure is in each vhost:
SSLEngine on
IIRC that became a requirement for SNI support, which you'll be using.
cliff.ha
Joined: 15 Dec 2010 Posts: 6 Location: Denmark
Posted: Tue 21 Dec '10 9:51 Post subject:

OK, does it matter where I put the code in the httpd.conf file?
I'm not sure which files I need to set up for the different SSL directives; I have these 4 files:
STAR_domain.ca-bundle
STAR_domain.crt
MyServer.key
MyServer.csr
And I do not need to enable any other modules?
Do I need to change the listening port to 443?
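Pulling together glsmith's "shared settings outside, SSLEngine on inside every vhost" layout and the last post's questions (which Comodo file goes to which directive, which module, which port, HTTPS only), here is an added example of the complete httpd.conf fragments for Apache 2.2 on Windows. It is not configuration from the thread: the paths, module file names, subdomain names and the cipher list are assumptions, and it is deliberately stricter than the snippets above (SSLv3 and anonymous/export suites off, server-side cipher order). Of the four Comodo files, STAR_domain.crt is the server certificate, STAR_domain.ca-bundle the intermediate chain, MyServer.key the private key; the .csr is not used by Apache at all. SSLCACertificateFile is only needed when verifying client certificates, so it is left out.

```apache
# Added example (not code from the thread): a complete httpd.conf layout
# for one wildcard certificate serving several subdomains on Apache 2.2
# on Windows. Paths, module file names and the domain are assumptions.

# 1. Modules and ports. mod_ssl must be loaded and httpd must listen on
#    443 as well as 80 (adding 443 does not replace 80).
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
Listen 80
Listen 443

# 2. Everything that is identical for all subdomains goes in the global
#    scope. With a wildcard cert that includes the cert, key and chain.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache "shmcb:C:/apache22/logs/ssl_scache(512000)"
# SSLv2 and SSLv3 off; with OpenSSL 1.0.0 that leaves TLS 1.0 only.
SSLProtocol all -SSLv2 -SSLv3
# No anonymous DH, no export-grade or MD5 suites; the server's order wins.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXPORT
SSLHonorCipherOrder on
# Comodo's files: server certificate, the key the CSR was generated with,
# and the intermediate bundle that is sent to clients along with the cert.
SSLCertificateFile      "C:/apache22/conf/ssl/STAR_domain.crt"
SSLCertificateKeyFile   "C:/apache22/conf/ssl/MyServer.key"
SSLCertificateChainFile "C:/apache22/conf/ssl/STAR_domain.ca-bundle"
</IfModule>

# 3. HTTPS only: the plain-HTTP side serves nothing and redirects every
#    request for our domain to https. Remove "Listen 80" and this vhost
#    instead if port 80 should not answer at all.
NameVirtualHost *:80
<VirtualHost *:80>
ServerName domain.dk
ServerAlias *.domain.dk
RewriteEngine on
# Only redirect for hosts we actually serve; never echo an arbitrary Host
# header into the Location of the redirect.
RewriteCond %{HTTP_HOST} ^([a-z0-9-]+\.)?domain\.dk(:80)?$ [NC]
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# 4. One vhost per subdomain. Each needs "SSLEngine on"; the certificate
#    directives are inherited from the global scope. httpd picks the vhost
#    by SNI (OpenSSL 0.9.8f or later). A client that sends no SNI, such as
#    IE on XP, is handshaked with the first *:443 vhost's certificate, which
#    is harmless here because the wildcard cert covers every subdomain.
NameVirtualHost *:443

<VirtualHost *:443>
ServerName www.domain.dk
DocumentRoot "C:/www/www"
SSLEngine on
ErrorLog "C:/apache22/logs/www.ssl.error.log"
</VirtualHost>

<VirtualHost *:443>
ServerName shop.domain.dk
DocumentRoot "C:/www/shop"
SSLEngine on
ErrorLog "C:/apache22/logs/shop.ssl.error.log"
</VirtualHost>
```

Before restarting, `httpd -t` checks the syntax and `httpd -M` should list ssl_module and rewrite_module; if the key was generated with a passphrase, Apache on Windows will not be able to prompt for it at service start, so use an unencrypted key with restrictive NTFS permissions on the conf/ssl directory instead.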