SSL Private Key and Public Certificates Setup for a Website with WampDeveloper
Generating the Private Key and Certificate Signing Request
The first step is to use OpenSSL to create a private key (key) and a certificate signing request (csr). The csr file will then be sent to the provider/signer that you are purchasing the certificate (crt) from.
Run 'cmd.exe' to open the command line (or click WampDeveloper's System Tab, 'Command Line' button), enter the following commands...
C: cd \WampDeveloper\Websites\www.example.com\certs\ openssl genrsa -out private.key 2048 openssl req -new -key private.key -out public.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf
These lines will:
- Switch to drive C: (change this if WampDeveloper is installed on a different drive).
- Change working directory to the "certs" folder of your website (we are using www.example.com as an example, substitute your website's primary domain name here instead).
- Generate a no-passphrase 2048-bit private key file named private.key (usually we see the -des3 switch here but we don't want a passphrase encrypted private key, as Apache does not work with passphrase-encrypted keys on Windows).
- Generate a Certificate Signing Request file named public.csr (using our openssl.cnf file path/location).
The last line will prompt you for additional information. You can leave every field blank by just entering "." (a dot, with no quotes), except for the 'Common Name' field...
The most important field is the 'Common Name' field, which is the fully qualified domain name that visitors use to browse to your website... If it is 'www.example.com', input it as that and not as 'example.com'.
Also take note that when asked for 'A challenge password', just leave that blank by entering "." (a dot, with no quotes) ... and press enter.
----- You are about to be asked to enter information that will be incorporated into your certificate request. ... ----- Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Your State Locality Name (eg, city) : City Name Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name Organizational Unit Name (eg, section) : Company Name or Unit Common Name (eg, YOUR name) : www.example.com Email Address : firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : . An optional company name : .
Send the contents of file C:\WampDeveloper\Websites\www.example.com\certs\public.csr to whomever you are getting a certificate from. They will sign it and return the contents of what will become a file named public.crt...
Creating a Temporary Self-Signed Certificate
Generate a temporary self-signed certificate for Apache to use until you receive the authentic certificate.
openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt
Without a certificate file for an SSL-enabled website, Apache will not be able to start.
Utilizing the Public Certificate
When you receive your public certificate, save/rename it as file "public.crt" and place it into the "certs" folder of your website: C:\WampDeveloper\Websites\www.example.com\certs\
This folder should now contain files: private.key and public.crt. You can delete the original Certificate Signing Request file: public.csr.
If your certificate is "intermediate/chained" (there's a 2nd file besides public.crt received from the signer, often named something_bundle.crt), you will also need to place this extra certificate file into the "certs" folder and then modify the website's SSL VirtualHost configuration (Websites Tab, select website, 'Configurations' button) to include this extra file in (change file name and path to reflect your WampDeveloper install path and website):
Your SSL VirtualHost will end up with these 3 lines (first two are already present, 3rd is the one you have inserted):
SSLCertificateFile "C:/WampDeveloper/Websites/www.example.com/certs/public.crt" SSLCertificateKeyFile "C:/WampDeveloper/Websites/www.example.com/certs/private.key" SSLCertificateChainFile "C:/WampDeveloper/Websites/www.example.com/certs/xxx_bundle.crt"
Save file. Restart Apache.
Removing Private Key's Passphrase
If you followed other instructions to generate the private.key, and get the following error when starting the Apache Service (error located in Apache's error log and/or wesbite's error log):
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/WampDeveloper/Websites/www.example.com/certs/private.key)
...you will need to remove the passphrase from the private key. Apache does not work with passphrase encrypted keys on Windows.
Run cmd.exe, switch the working directory to the "certs" folder of your website, and run the following command:
openssl rsa -in private.key -out private.nophrase.key
This will remove the passphrase encryption from the key and create a "private.nophrase.key" file. Then rename "private.key" to "private.passphrase.key", and then rename "private.nophrase.key" to "private.key". Restart Apache.
The C:\WampDeveloper\Resource\ folder contains the fake (default) private.key and public.crt file that are used when a new website is created.
When Apache does not start, check Apache's error log (http and ssl) for the specific website (locate via the User Interface) and the main http and ssl error logs located here: C:\WampDeveloper\Logs\Apache\. They should have a message about why it's not loading your keys and certs.
If your private.key and public.crt files mis-match (certificate was generated with another private key), the following error will be generated in the website's error log.
[error] Unable to configure RSA server private key [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
You can see what data was entered into the Certificate Signing Request by running...
openssl req -noout -text -in public.csr