Guide: Openssl in WampServer 2.5
Prerequisite: There is normally no need to install openssl (it comes bundled with Wamp). Apache 2.4.9 includes 1.0.1g for instance.
System-Variable:
- Open the Windows System panel ("WIN+Q" Search: system) > Advanced System Settings > Advanced > Environment variables
- Add a new entry in system variables with name OPENSSL_CONF and its value being the path to openssl.cnf (usually something like C:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf)
openssl folder structure:
Configuring openssl.cnf:
- I've followed Neil C. Obremski's advice and cleared the following defaults:
- countryName_default (was "AU")
- stateOrProvinceName_default (was "Some-State")
- 0.organizationName_default (was "Internet Widgits Pty Ltd")
- organizationalUnitName_default (was already empty)
Creating the certificate:
From the command line, browse to C:\wamp\bin\apache\apache#.#.#\bin and call "openssl req -new -out cacert.csr -keyout cacert.pem". If prompted, enter a password and after that the DN information as shown below.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
....++++++
writing new private key to 'cacert.pem'
Enter PEM pass phrase: my_secret_pass
Verifying - Enter PEM pass phrase: my_secret_pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:local
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
C:\wamp\bin\apache\apache2.4.9\bin>
In the same console window now use "openssl rsa -in cacert.pem -out cacert.key" and if asked enter the password previously entered.
Enter pass phrase for cacert.pem: my_secret_pass
writing RSA key
Remove the ".rnd" file in C:\wamp\bin\apache\apache2.4.9\bin
Still in the same window, call "openssl x509 -in cacert.csr -out cacert.cert -req -signkey cacert.key -days 365". If you get the error "unable to write 'random state'", this is a known bug! To work around it, call "set RANDFILE=.rnd" and retry the previous command.
Congrats you are now the owner of a self signed certificate!
I've placed the built files (they are currently in the bin folder) according to this site:
- cacert.pem, cacert.key in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\private
- cacert.cert, cacert.csr in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\certs
In httpd.conf enable SSL (search for "#Include conf/extra/httpd-ssl.conf" and uncomment it), then alter the following entries in httpd-ssl.conf:
SSLSessionCache "shmcb:C:/wamp/logs/ssl_scache(512000)"
DocumentRoot "C:/wamp/www"
#ErrorLog
#TransferLog
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/certs/cacert.cert"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/private/cacert.key"
CustomLog "C:/wamp/logs/ssl_request.log"
Now test your Apache installation by calling httpd -t.
If you get the error "SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).", enable the entry "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" in httpd.conf.
Wamp is now configured with https support :-)
I've also enabled "LoadModule status_module modules/mod_status.so" using the following configuration in httpd.conf:
<IfModule status_module>
ExtendedStatus On
<Location /server-status>
SetHandler server-status
</Location>
</IfModule>
You can now check your server status here:
https://localhost/server-status/
Apache/2.4.9 (Win64) OpenSSL/1.0.1g PHP/5.5.12 Server at localhost Port 443
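As an added example (not part of the original guide or of WampServer), this Python check reads the text of httpd.conf and httpd-ssl.conf and reports the settings from the steps above that are still missing, including the shmcb/socache mismatch behind the "session cache not supported" error and a /server-status block that carries no Require line. The function names and the sample text are constructed for illustration; "Require local" is the Apache 2.4 directive that limits a location to the local machine.

```python
import re

# Constructed sample input: the guide's settings, with the socache module
# line still commented out in httpd.conf.
SAMPLE_HTTPD = """\
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
Include conf/extra/httpd-ssl.conf
<Location /server-status>
SetHandler server-status
</Location>
"""
SAMPLE_SSL = """\
SSLSessionCache "shmcb:C:/wamp/logs/ssl_scache(512000)"
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/certs/cacert.cert"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/private/cacert.key"
"""

def active(text):
    """Return stripped lines, dropping blanks and # comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def check_config(httpd_conf, ssl_conf):
    """Return findings for the settings this guide changes."""
    main, ssl, out = active(httpd_conf), active(ssl_conf), []
    if not any(re.match(r"Include\s+\S*httpd-ssl\.conf", ln, re.I) for ln in main):
        out.append("httpd-ssl.conf is not included")
    loaded = {ln.split()[1] for ln in main if ln.lower().startswith("loadmodule ")}
    uses_shmcb = any(re.match(r'SSLSessionCache\s+"?shmcb:', ln, re.I) for ln in ssl)
    if uses_shmcb and "socache_shmcb_module" not in loaded:
        out.append("shmcb session cache needs socache_shmcb_module")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if not any(ln.lower().startswith(key.lower() + " ") for ln in ssl):
            out.append(key + " is not set")
    # A <Location /server-status> block without a Require line has no access
    # rule of its own, so the status page is as reachable as the site.
    block = None
    for ln in main:
        low = ln.lower()
        if re.match(r"<location\s+/server-status", low):
            block = []
        elif block is not None and low.startswith("</location"):
            if not any(b.startswith("require ") for b in block):
                out.append("/server-status has no Require restriction")
            block = None
        elif block is not None:
            block.append(low)
    return out
```

Pass it the contents of your own two files; an empty list means every setting the guide changes is in place and /server-status has an explicit access rule.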
Notes:
- I've made this tute while trying to get it working on my machine (this was my first attempt in using OpenSSL on windows/wamp).
- This guide is not meant for production systems!
- You might have to change a few things like names depending on your openssl.cnf
- My intention was not to make the best tutorial around but instead to simply note all required changes to get SSL working in WAMP.
- Make sure to set the right -days amount for your x509 certificate
- I finally know why NSA can easily break into servers with such a complex process :D
- Since Wamp bundles apache together with OpenSSL it might be better to separately install it??