Vanadium

web design

WAMP Part 3 – SSL

Part 3 continues from WAMP Part 2 – virtual hosts. Enabling SSL allows you to access your sites securely over https.

Enable SSL

  1. Open Notepad (you will have to right click it and Run as administrator to be allowed to save the file) and open C:\Program Files\Apache\Apache 2.4\conf\httpd.conf.
  2. Uncomment the line near the bottom to become Include conf/extra/httpd-ssl.conf. This allows you to use the httpd-ssl.conf file for configuring SSL. SSL can be configured right in the httpd.conf file, but this keeps things more organized.
  3. Uncomment the line near the top to become LoadModule ssl_module modules/mod_ssl.so.
  4. Uncomment another line near the top to become LoadModule socache_shmcb_module modules/mod_socache_shmcb.so.

Create a self-signed certificate

If you already have a certificate from another source that matches your website URL, you can use that. Otherwise you can create a self-signed certificate for free.

  1. In File Explorer, create a new folder in C:\Program Files\Apache\Apache 2.4\conf called ssl to store the certificates and keep things organized.
  2. Open the command prompt (you will have to right click it and Run as administrator for the necessary permissions), and change to the bin folder with the command CD C:\Program Files\Apache\Apache 2.4\bin.
  3. Generate a server key by running the command openssl genrsa -out ../conf/ssl/server.key 2048. This will create a server key, without a passphrase, in the file server.key in the ssl folder that you created above. Ignore the warning WARNING: can’t open config file: /usr/local/ssl/openssl.cnf.
  4. Generate a certificate by running the command openssl req -new -x509 -nodes -days 3650 -config ../conf/openssl.cnf -key ../conf/ssl/server.key -out ../conf/ssl/website.localhost.crt. Use the website URL as the filename to keep track of it. Use 3650 days (10 years) so you don’t have to worry about it expiring anytime soon.
  5. Ignore the warning WARNING: can’t open config file: /usr/local/ssl/openssl.cnf, and enter your website information at the prompts, following the example below. This will create a certificate in the file website.localhost.crt in the ssl folder that you created above.
    1. Country Name (2 letter code) [AU]:CA
    2. State or Province Name (full name) [Some-State]:AB
    3. Locality Name (eg, city) []:Calgary
    4. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vanadium
    5. Organizational Unit Name (eg, section) []:Vanadium
    6. Common Name (e.g. server FQDN or YOUR name) []:website.localhost
    7. Email Address []:leon@vanadiumdesign.ca
  6. Repeat steps 4 and 5 for any additional certificates that you want to create. You do not need to generate new server keys for each additional certificate.
  7. More information can be found at http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#selfcert.

Configuring SSL

  1. In Notepad (Run as administrator) open C:\Program Files\Apache\Apache 2.4\conf\extra\httpd-ssl.conf.
  2. Just under the line Listen 443 near the top, add the new line SSLStrictSNIVHostCheck off.
  3. Delete the entire <VirtualHost _default_:443> block, which is most of the file, since we will be adding these SSL directives to the virtual hosts configuration file instead (httpd-vhosts.conf), and this default secure virtual host will not allow Apache to start unless it is configured correctly first.
  4. Save the file, and open the Apache Monitor from the system tray, and restart Apache, just to see if everything is correct so far (no errors when starting Apache).
  5. In Notepad (Run as administrator) open C:\Program Files\Apache\Apache 2.4\conf\extra\httpd-vhosts.conf.
  6. For the virtual host that you want to enable for SSL, change the <VirtualHost *:80> line to <VirtualHost *:80 *:443> so it will listen on the SSL port.
  7. Add the following lines inside the <VirtualHost *:80 *:443> block.
    1. SSLEngine on – This turns on the SSL engine for this virtual host.
    2. SSLCertificateFile "C:/Program Files/Apache/Apache 2.4/conf/ssl/website.localhost.crt" – This points to the certificate file that we created above.
    3. SSLCertificateKeyFile "C:/Program Files/Apache/Apache 2.4/conf/ssl/server.key" – This points to the server key file that we created above.
    4. BrowserMatch ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
      This works around the way IE handles SSL connections: for those browsers it disables keep-alive, tolerates an unclean SSL shutdown, and forces HTTP/1.0 responses.
  8. More information can be found at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html.
  9. Save the file, open the Apache Monitor from the system tray, and restart Apache.
  10. Test it out by going to your website using the https:// prefix.
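
A set of checks to run before the restart in step 9, as an added example that is not part of the original tutorial. It assumes the paths and file names used on this page, an elevated PowerShell prompt, and English Windows group names.

```powershell
# Added example: checks to run before restarting Apache. Paths are the ones used on this page.
$apache  = 'C:\Program Files\Apache\Apache 2.4'
$openssl = Join-Path $apache 'bin\openssl.exe'
$httpd   = Join-Path $apache 'bin\httpd.exe'
$key     = Join-Path $apache 'conf\ssl\server.key'
$crt     = Join-Path $apache 'conf\ssl\website.localhost.crt'
$site    = 'website.localhost'
# Point openssl at the bundled config so it does not warn about /usr/local/ssl/openssl.cnf.
$env:OPENSSL_CONF = Join-Path $apache 'conf\openssl.cnf'

foreach ($f in $key, $crt) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# 1. The certificate must belong to this key: both must report the same RSA modulus.
$keyMod = & $openssl rsa  -noout -modulus -in $key
$crtMod = & $openssl x509 -noout -modulus -in $crt
if (-not $keyMod -or $keyMod -ne $crtMod) {
    throw "server.key and $crt do not form a pair."
}

# 2. Name, expiry and subjectAltName, read through .NET instead of parsing openssl output.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
$cn   = $cert.GetNameInfo('SimpleName', $false)
if ($cn -ne $site) { Write-Warning "Common Name is '$cn', expected '$site'." }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }
if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
    Write-Warning 'No subjectAltName extension; Chrome matches host names against it, not the Common Name.'
}

# 3. server.key has no passphrase, so its ACL is the only protection it has.
#    The group names matched here are the English ones (assumption).
$loose = (Get-Acl -LiteralPath $key).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -match 'Users|Everyone'
}
if ($loose) {
    $who = $loose | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique
    Write-Warning "server.key is readable by: $($who -join ', ')"
}

# 4. Let Apache parse httpd.conf and everything it includes without starting the service.
& $httpd -t
if ($LASTEXITCODE -ne 0) { throw 'httpd -t reported a configuration error.' }
'Checks passed: restart Apache from the Apache Monitor.'
```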

Install the certificate to Trusted Root Certification Authorities

With a self-signed certificate, your browser will display a security warning every time you use your site, and browsers like Chrome will not offer to save passwords for any untrusted sites. To prevent this, we have to install the certificate to Trusted Root Certification Authorities.

  1. In File Explorer, navigate to C:\Program Files\Apache\Apache 2.4\conf\ssl\ where the certificates are stored.
  2. Double click the file to allow Windows to open it as a certificate.
  3. Click the Install Certificate… button and walk through the Certificate Import Wizard.
    1. Under Store Location, choose Local Machine so that the trust will be applied to all users of your computer.
    2. In the next step, under Certificate Store, select Place all certificates in the following store, and then select Trusted Root Certification Authorities.
  4. Finish importing it, and click OK to any dire warnings that it gives you about trusting a self-signed certificate.
  5. You may have to restart your browser for it to refresh the list of Trusted Root Certification Authorities and make it stop displaying the warning.

Anytime you update or recreate the certificate you will have to re-install it to the Trusted Root Certification Authorities.

The list of installed certificates can be found in the Control Panel under Internet Options. Go to the Content tab, click the Certificates button, go to the Trusted Root Certification Authorities tab, and then you can view or remove any certificates that you have added.
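
The same view-and-remove housekeeping from an elevated PowerShell prompt, as an added example that is not from the original post. It assumes the file name used on this page and the Import-Certificate cmdlet from the Windows PKI module; it flags root-store entries left behind after the certificate is recreated.

```powershell
# Added example: reconcile the Local Machine root store with the certificate on disk.
$crt    = 'C:\Program Files\Apache\Apache 2.4\conf\ssl\website.localhost.crt'
$site   = 'website.localhost'
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt

# A self-signed certificate marked as a CA acts as a certificate authority once it is a
# trusted root, so check the Basic Constraints extension before (re)installing it.
$bc = $onDisk.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning ('Certificate is marked as a CA: as a trusted root, the holder of ' +
                   'server.key can sign certificates this machine accepts for any host name.')
}

# Entries already trusted for this site, compared by thumbprint with the file on disk.
$installed = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $site })
$installed | Select-Object Thumbprint, NotBefore, NotAfter, @{
    Name       = 'State'
    Expression = { if ($_.Thumbprint -eq $onDisk.Thumbprint) { 'current' } else { 'stale' } }
}

# Install the current certificate only if it is not already trusted.
if ($installed.Thumbprint -notcontains $onDisk.Thumbprint) {
    Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Stale entries are still trusted roots. -WhatIf only lists what would be removed;
# drop it to actually delete them.
$installed | Where-Object { $_.Thumbprint -ne $onDisk.Thumbprint } | Remove-Item -WhatIf
```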

Congratulations, you can now access your pages securely, via SSL (https).

2 Comments

  1. pablo

    This was excellent. The most thorough and easiest explanation on this topic. Thank you.