SSL Set-up on Apache for HTTPS
Setting up SSL should be undertaken by a competent IT Administrator or personnel with equivalent technical skills.
If you are unsure and require help with this task, please contact our Technical Support team who can assist at our normal hourly rate.
Back up each Configuration file BEFORE making changes!
Note 1: Hanwell cannot interact with a Signing Authority on your organisation’s behalf; you must handle obtaining certificate files yourselves.
Note 2: All paths shown assume the default path was used during installation; if a non-default path was used, the User will need to alter the paths to suit their particular installation.
Ellab Monitoring Solutions Ltd DOES NOT recommend the use of Self-signed Certificates, as browsers cannot verify Self-signed Certificates.
Most browsers will not trust these certificates; they may show off-putting warnings to users and/or refuse to allow a connection.
Note 3: Cipher Suites
• When configuring TLS/SSL it is important to consider the Cipher suites that are going to be used; these are set using the SSLCipherSuite directive.
• The default settings for this directive may not be optimal for your implementation and will depend on your security requirements and other limitations including, for example, your Operating System.
• You should consult your IT Department's policies for guidance on choosing the best Ciphers for you.
• For more details on how to choose and configure this setting, please see the Apache Online Manual:
• Please note that Ellab Monitoring Solutions cannot provide direct support for configuring ciphers.
To Set Up SSL
1. Set the Windows Environment Variable OPENSSL_CONF to:
C:\Program Files (x86)\Hanwell Solutions Ltd\Apache24\conf\openssl.cnf
2. Open a Command prompt in Administrator mode and go to the following directory:
C:\Program Files (x86)\Hanwell Solutions Ltd\Apache24\bin
3. Type the following Command, replacing yourdomain with the domain name you are securing:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
For example, if your domain name is EMSserver.com, you would type EMSserver.key and EMSserver.csr.
4. Enter the requested information:
Common Name: The fully-qualified domain name or URL you are securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example: *.coolexample.com
Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the Certificate Requestor's name.
Organization Unit: If applicable, enter the DBA (Doing Business As) name.
City or Locality: Name of the City where your organization is registered/located. Do not abbreviate.
State or Province: Name of the State or Province where your organization is located. Do not abbreviate.
Country: The two-letter International Organization for Standardization (ISO) format Country Code for where your organization is legally registered: [https://www.iso.org/obp/ui/#search]
5. Send the CSR text to a Signing Authority and they will send you back CRT files.
6. If your Signing Authority does not specify which file is which, you can find more information about the CRT files by double-clicking them.
Look under the General tab:
• If it is issued to yourdomain and issued by the Signing Authority, then it is an SSL Certificate File.
• If it is issued to and by the Signing Authority, then it is an SSL CA Certificate File. Its file size is generally bigger than that of the SSL Certificate File.
7. Copy the .CRT and .KEY files to the CONF folder.
8. Read the related comments in the httpd.conf and httpd-ssl.conf files when making the following changes; httpd.conf resides in the CONF folder and httpd-ssl.conf in the EXTRA folder.
9. Uncomment the following lines in httpd.conf by removing the ‘#’:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
10. In httpd-ssl.conf, find and replace the existing directives with the following:
Find the following and change as per user requirements:
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/logs/error.log"
[Comment this out for better performance]
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/conf/server.crt"
[The Signing Authority will provide this file under a different name; change the file name accordingly.]
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/conf/EMSserver.key"
[File generated in Step-2]
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/conf/server-ca.crt"
[The Signing Authority might provide this file under a different name; change the file name accordingly. If this file is not provided, use the SSL Certificate file name OR comment the line out by putting ‘#’ in front of it.]
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/conf"
"C:/Program Files (x86)/Hanwell Solutions Ltd/Apache24/conf/ca-bundle.crt"
[The Signing Authority will provide this file under a different name; change the file name accordingly.]
11. After saving the changes, restart the Apache service.
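
A pre-restart check for steps 6 to 11, as an added example (not Hanwell or Ellab code): it reads the certificate and key paths from httpd-ssl.conf, confirms the files exist, that the configured certificate is not a CA certificate (checked through Basic Constraints rather than the General tab), that it matches the private key, and that Apache accepts the configuration. It assumes the default install path, that the EXTRA folder is conf\extra, absolute paths in httpd-ssl.conf, PEM-encoded files, and the standard mod_ssl directive names SSLCertificateFile and SSLCertificateKeyFile.

```powershell
# Added example: run after step 10, before the restart in step 11.
# Assumptions: default install path, EXTRA folder is conf\extra, absolute paths in httpd-ssl.conf.
$apache  = 'C:\Program Files (x86)\Hanwell Solutions Ltd\Apache24'
$openssl = Join-Path $apache 'bin\openssl.exe'
$sslConf = Join-Path $apache 'conf\extra\httpd-ssl.conf'
$env:OPENSSL_CONF = Join-Path $apache 'conf\openssl.cnf'   # same value as step 1

function Invoke-OpenSsl([string[]]$Arguments) {
    # Run openssl.exe and stop on failure, e.g. when a file is not PEM encoded.
    $out = & $openssl @Arguments 2>$null
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments -join ' ') failed" }
    return $out
}

# Collect the paths set by active (uncommented) mod_ssl certificate and key directives.
$files = @{}
Select-String -Path $sslConf -Pattern '^\s*(SSL\w*Certificate\w*File)\s+"?([^"]+)' |
    ForEach-Object {
        $files[$_.Matches[0].Groups[1].Value] = $_.Matches[0].Groups[2].Value.Trim()
    }

# Every configured file must exist under the name written in httpd-ssl.conf.
foreach ($name in $files.Keys) {
    if (-not (Test-Path -LiteralPath $files[$name])) {
        throw "$name points to a missing file: $($files[$name])"
    }
}
$crt = $files['SSLCertificateFile']
$key = $files['SSLCertificateKeyFile']
if (-not $crt -or -not $key) { throw 'SSLCertificateFile or SSLCertificateKeyFile is not set.' }

# Show who the certificate was issued to and by (the General tab details from step 6).
Invoke-OpenSsl 'x509', '-noout', '-subject', '-issuer', '-enddate', '-in', $crt

# A CA certificate carries CA:TRUE in Basic Constraints; the server certificate must not.
$text = Invoke-OpenSsl 'x509', '-noout', '-text', '-in', $crt
if ($text | Select-String -SimpleMatch 'CA:TRUE' -Quiet) {
    throw "$crt is an SSL CA Certificate File, not the certificate issued to your domain."
}

# The certificate and the RSA key from step 3 must share the same modulus.
$crtMod = Invoke-OpenSsl 'x509', '-noout', '-modulus', '-in', $crt
$keyMod = Invoke-OpenSsl 'rsa', '-noout', '-modulus', '-in', $key
if ("$crtMod" -ne "$keyMod") { throw "$crt was not issued for $key." }

# Ask Apache to parse the edited configuration without starting the service.
& (Join-Path $apache 'bin\httpd.exe') -t
if ($LASTEXITCODE -ne 0) { throw 'httpd -t reported a configuration error.' }
'Certificate, key and configuration checks passed.'
```

Run it from an Administrator PowerShell window; any thrown error names the file or directive to correct before restarting the service.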