The Blog

How to setup SSL on WAMP

Alright. I Just finished setting up a WAMP server (wampserver) on Windows 7 using virtual hosts and SSL. I’m going to try and outline the steps in this post. This tutorial should apply if wampserver has already been installed and virtual hosting has been enabled (The “LoadModule vhost_alias_module modules/mod_vhost_alias.so” has been uncommented in the http.conf file).

First of all, you need OpenSSL for this to work. OpenSSL comes with wampserver and can be found in the following folder:

C:\wamp\bin\apache\Apache2.2.11\bin\openssl.exe
'Locations may vary in different installations of wampserver

To use openssl.exe, you need to open a command prompt, then navigate to the directory where it’s located to run commands. Alternatively, you can add the directory the windows “path” variable. Then you can run OpenSSL from any directory; it will save a lot of typing if you set it up this way.

Some tutorials mention the need to use the java keytool and keystore. I found that I didn’t need to use either for wampserver and that OpenSSL took care of everything.

Creating the Server Certificates

First, the ssl certificates for the server have to be created. Later on, these certificates will be referenced in the httpd-ssl.conf file.

Create a certificate authority (CA) for the server (this doesn’t have to be done, but provides a way to sign a bunch of your own certificates)

openssl req -x509 -new -out my.root.ca.crt -keyout my.root.ca.key -days 3650
  • After you run this command will be prompted for some information (e.g. country, state, organization, etc.). These should tie into your server location and company. The “Common Name” should be the domain name you want to use for your server. In my case, I used the active directory machine name and domain address (e.g. my-machine-name.adserver.mycompany.com).
  • This creates the the my.root.ca.crt certificate and my.root.ca.key private key.
  • You can use the the my.root.ca.key to sign certificates.

Create the Server Certificate Signing Request
When using virtual hosts, you have the option of assigning separate ssl certificates to each of them (e.g. mydomain1.com, mydomain2.com, etc.). However, you need to have an IP address for each of them as well (setting up Apache with multiple IP addresses is beyond the scope of this article).

For now, we only need a single ssl certificate for multiple virtual hosts. Apache will run all of the sites over ssl. It just uses the single certificate to do it; it causes browser errors, but doesn’t stop ssl.

openssl req -newkey rsa:2048 -out my.domain.com.csr -pubkey -new -keyout my.domain.com.key 
  • This creates a private key for your certificate (my.domain.com.key) as well as a certificate signing request (CSR).

Create the Server Certificate
Now we need to use the certificate authority, that was previously created, to sign the my.domain.com.csr certificate request.

openssl x509 -req -in my.domain.com.csr -CA my.root.ca.crt -CAkey my.root.ca.key -CAcreateserial -out my.domain.com.crt -days 3650

In the end of this process, you should have the following three files:

  • my.root.ca.crt (certificate authority certificate)
  • my.domain.com.key (primary private key for the Apache server)
  • my.comain.com.crt (primary server certificate)

Make Sure the Server Key is not Encrypted
When you create keys with OpenSSL, they prompt you to encrypt them with a password. I found that if the password stays encrypted with the key, it causes Apache server to fail with a useless error message.

openssl rsa -in my.domain.com.key >> my.domain.com.nopass.key  
  • This will decrypt the my.domain.com.key and make it ready to use with Apache.

Configure the Apache Server

The Apache server configuration files (httpd.conf, httpd-ssl.conf), as well as PHP (php.ini), need to be updated.

  1. Uncomment “;extension=php_openssl.dll” in the php.ini file.
  2. Uncomment “#LoadModule ssl_module modules/mod_ssl.so” in the httpd.conf file.
  3. Uncomment “#Include conf/extra/httpd-ssl.conf” in the httpd.conf file;under #Secure (SSL/TLS) connections.
  4. Uncomment IfModule ssl_module tags (see below).
#<IfModule ssl_module>
#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
#</IfModule>

#Uncommented
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Next, the httpd-ssl.conf file needs to be updated. I’ll just include the file I was using here, which has been configured to work with two separate virtual hosts. I modified it to fit this tutorial.

#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:C:/wamp/bin/apache/Apache2.2.11/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex default

NameVirtualHost *:443

<VirtualHost *:443>
ServerName "my.domain.com"
DocumentRoot "m:/sites/my.domain.com/public"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "M:/etc/ssl/certificate/wildcard.my.domain.com.crt"
SSLCertificateKeyFile "M:/etc/ssl/certificate/wildcard.my.domain.com.nopass.key"
SSLCACertificateFile "M:/etc/ssl/certificate/my.root.ca.crt"
</VirtualHost>  

<VirtualHost *:443>
ServerName "my.domain2.com"
DocumentRoot "m:/sites/my.domain2.com/public"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "M:/etc/ssl/certificate/wildcard.my.domain.com.crt"
SSLCertificateKeyFile "M:/etc/ssl/certificate/wildcard.my.domain.com.nopass.key"
SSLCACertificateFile "M:/etc/ssl/certificate/my.root.ca.crt"
</VirtualHost> 

The “NameVirtualHost *:443” line is important here. If omitted, things will seems to be working right, but all of the sites will link to the DocumentRoot of the first VirtualHost.

Spread the love

Tags: , , ,

No comments yet.

Leave a Comment

Remember to play nicely folks, nobody likes a troll.

You must be logged in to post a comment.