How to install: OpenSSL + WAMP

Guide: OpenSSL in WampServer 2.5

Prerequisite: There is normally no need to install OpenSSL separately, since it comes bundled with Wamp. Apache 2.4.9, for instance, includes OpenSSL 1.0.1g.

System-Variable:

  • Open the Windows System panel (“WIN+Q” Search: system) > Advanced System Settings > Advanced > Environment variables
  • Add a new entry in system variables with the name OPENSSL_CONF and, as its value, the path to openssl.cnf (usually something like C:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf)

openssl folder structure:

  • In C:\wamp\bin\apache\apache#.#.#\conf create the following folder structure:

    ..
    demoCA
    |-----certs
    |-----crl
    |-----newcerts
    |-----private
    

Configuring openssl.cnf:

  • I’ve followed Neil C. Obremski’s advice and cleared the following defaults:
    • countryName_default (was “AU”)
    • stateOrProvinceName_default (was “Some-State”)
    • 0.organizationName_default (was “Internet Widgits Pty Ltd”)
    • organizationalUnitName_default (was already empty)

Creating the certificate:

  • From the command line, change to C:\wamp\bin\apache\apache#.#.#\bin\ and call “openssl req -new -out cacert.csr -keyout cacert.pem”. When prompted, enter a pass phrase and then the DN information as shown below.

    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .......................++++++
    ....++++++
    writing new private key to 'cacert.pem'
    Enter PEM pass phrase: my_secret_pass
    Verifying - Enter PEM pass phrase: my_secret_pass
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:
    State or Province Name (full name) []:
    Locality Name (eg, city) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:local
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    C:\wamp\bin\apache\apache2.4.9\bin>
    
  • In the same console window, now call “openssl rsa -in cacert.pem -out cacert.key” and, if asked, enter the pass phrase you chose before. This writes a copy of the private key without the pass phrase.

    Enter pass phrase for cacert.pem: my_secret_pass
    writing RSA key
    
  • Remove the “.rnd” file in C:\wamp\bin\apache\apache2.4.9\bin

  • Still in the same window, call “openssl x509 -in cacert.csr -out cacert.cert -req -signkey cacert.key -days 365”. If you get the error “unable to write 'random state'”, this is a known bug. To work around it, call “set RANDFILE=.rnd” and retry the previous command.

Congrats you are now the owner of a self signed certificate!
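The transcript above reports a 1024-bit RSA key: when no key size is given on the command line, `openssl req` takes it from `default_bits` in the `[ req ]` section of openssl.cnf. The following check is an added example, not part of the original guide; it flags that default and a weak `default_md`, and the 2048-bit floor and the sample file contents are assumptions.

```python
import re

MIN_RSA_BITS = 2048              # assumed floor for new RSA keys
WEAK_DIGESTS = {"md5", "sha1"}   # digests treated as weak for signing

def parse_req_section(cnf_text):
    """Return {name: value} for the [ req ] section of an openssl.cnf."""
    section, values = None, {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            section = header.group(1)
        elif section == "req" and "=" in line:
            name, value = line.split("=", 1)
            values[name.strip()] = value.strip()
    return values

def audit_req_defaults(cnf_text):
    """List weak defaults that `openssl req -new` would pick up."""
    req = parse_req_section(cnf_text)
    findings = []
    bits = req.get("default_bits", "")
    if not bits.isdigit():
        findings.append("default_bits missing or not numeric")
    elif int(bits) < MIN_RSA_BITS:
        findings.append(f"default_bits = {bits}: below {MIN_RSA_BITS}")
    digest = req.get("default_md", "").lower()
    if digest in WEAK_DIGESTS:
        findings.append(f"default_md = {digest}: weak signature digest")
    return findings

# Constructed sample, not the file WampServer ships.
SAMPLE_CNF = """\
HOME = .
[ CA_default ]
default_md = sha1          # used by `openssl ca`, not by `openssl req`
[ req ]
default_bits = 1024        # the size reported in the transcript above
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName_default =
"""

if __name__ == "__main__":
    for finding in audit_req_defaults(SAMPLE_CNF):
        print("WEAK:", finding)
```

Raising `default_bits` in openssl.cnf, or passing `-newkey rsa:2048` to `openssl req`, produces a larger key.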

I’ve placed the built files (they are currently in the bin folder) according to this site:

  • cacert.pem, cacert.key in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\private
  • cacert.cert, cacert.csr in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\certs

In httpd.conf, enable SSL (search for “#Include conf/extra/httpd-ssl.conf” and uncomment it), then alter the following entries in httpd-ssl.conf:

SSLSessionCache        "shmcb:C:/wamp/logs/ssl_scache(512000)"
DocumentRoot "C:/wamp/www"
#ErrorLog
#TransferLog
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/certs/cacert.cert"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/private/cacert.key"
CustomLog "C:/wamp/logs/ssl_request.log" \

Now test your Apache configuration by calling httpd -t.
If you get the error “SSLSessionCache: ‘shmcb’ session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).”, enable the entry “LoadModule socache_shmcb_module modules/mod_socache_shmcb.so” in httpd.conf.

Wamp is now configured with https support 🙂

I’ve also enabled “LoadModule status_module modules/mod_status.so” using the following configuration in httpd.conf:

<IfModule status_module>

ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>

</IfModule>

You can now check your server status here:

https://localhost/server-status/

Apache/2.4.9 (Win64) OpenSSL/1.0.1g PHP/5.5.12 Server at localhost Port 443
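The `<Location /server-status>` block above carries no `Require` directive of its own, so who can read the status page depends on what the rest of the configuration grants. The following check is an added example, not from the original post; it flags such blocks in Apache 2.4 syntax and treats `Require local` as one acceptable restriction (an assumption, as are the function and sample names).

```python
import re

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.I | re.S)

def directives(body):
    """Yield (name, args) for every non-comment directive line."""
    for raw in body.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            args = parts[1] if len(parts) > 1 else ""
            yield parts[0].lower(), " ".join(args.lower().split())

def open_status_locations(conf_text):
    """Paths of server-status <Location> blocks with no restricting Require."""
    flagged = []
    for path, body in LOCATION_RE.findall(conf_text):
        found = list(directives(body))
        is_status = ("sethandler", "server-status") in found
        requires = [args for name, args in found if name == "require"]
        # No Require at all, or an explicit "all granted", leaves the
        # decision to (or overrides) the enclosing configuration.
        if is_status and (not requires or "all granted" in requires):
            flagged.append(path.strip().strip('"'))
    return flagged

# The block from this guide, reproduced as sample input.
PAGE_CONF = """\
<IfModule status_module>
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
</IfModule>
"""

# Constructed variant: same block, limited to requests from the machine itself.
HARDENED_CONF = PAGE_CONF.replace(
    "SetHandler server-status",
    "SetHandler server-status\n    Require local",
)

if __name__ == "__main__":
    print("page config:    ", open_status_locations(PAGE_CONF))
    print("hardened config:", open_status_locations(HARDENED_CONF))
```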

Notes:

  • I’ve made this tute while trying to get it working on my machine (this was my first attempt in using OpenSSL on windows/wamp).
  • This guide is not meant for production systems!
  • You might have to change a few things like names depending on your openssl.cnf
  • My intention was not to make the best tutorial around but instead to simply note all required changes to get SSL working in WAMP.
  • Make sure to set the right -days amount for your x509 certificate
  • I finally know why NSA can easily break into servers with such a complex process 😀
  • Since Wamp bundles apache together with OpenSSL it might be better to separately install it??
