When I went searching for info on generating CSRs (certificate signing requests) to get an SSL cert to use in Apache + OpenSSL, I was met with a sea of confusion, I think mostly surrounding the fact that there wasn't a pre-compiled official win32 binary of the Apache installer with OpenSSL baked in, requiring a lot of manual fudging. After a bit of research the process is now really quite trivial:

Download Apache 2.2.9 with OpenSSL (mod_ssl) from Apache.

Now, the regular command you'd use to generate a non-passphrase private key and CSR will not work the same on Windows, as it looks for a config in a Unix path (/usr/), so you need to specify the full path to the openssl.cnf file (found in the Apache conf dir).

Open up a cmd window and cd to your Apache bin folder, then enter the following (changing the URL and company details):
openssl req -new -nodes -keyout www_mysite_com_au.key -out www_mysite_com_au.csr -subj "/C=AU/ST=New South Wales/L=Sydney/O=My Company/OU=IT/CN=www.mysite.com.au" -config "C:/Program Files/Apache Software Foundation/Apache2.2/conf/openssl.cnf"
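This should leave two new files, www_mysite_com_au.key and www_mysite_com_au.csr, which you copy to your conf folder for referencing in your SSL configs as noted in the docs and the SSL sample conf. The -nodes option leaves the .key file unencrypted, so restrict its file permissions.
To get your key signed, go to a certificate issuer and cut and paste the contents of the .csr file. Only the .csr is submitted; the .key file is your private key and stays on your server.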
Too easy!
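A pre-submission check for the two files generated above, as an added example that is not part of the original post: it prints the CSR subject for review and confirms that the key and the CSR carry the same public modulus. It reuses the file names and config path from the post, assumes an RSA key, and sets the standard OPENSSL_CONF environment variable instead of passing -config on every call.

```bat
@echo off
rem Added example (not from the original post): sanity-check key and CSR
rem before pasting the CSR into a certificate issuer's form.
rem Run from the Apache bin folder. File names and config path are the
rem ones used in the post; change them to match your own.
setlocal
set "OPENSSL_CONF=C:/Program Files/Apache Software Foundation/Apache2.2/conf/openssl.cnf"
set "KEY=www_mysite_com_au.key"
set "CSR=www_mysite_com_au.csr"
set "KEYMOD="
set "CSRMOD="

rem 1. Check the CSR's self-signature and show the subject, so a typo in
rem    the CN or company details is caught before the issuer sees it.
openssl req -in %CSR% -noout -verify -subject

rem 2. Read the RSA modulus from the private key and from the CSR.
rem    for /f captures stdout only; OpenSSL warnings go to stderr.
for /f "delims=" %%m in ('openssl rsa -in %KEY% -noout -modulus') do set "KEYMOD=%%m"
for /f "delims=" %%m in ('openssl req -in %CSR% -noout -modulus') do set "CSRMOD=%%m"

rem 3. A missing or unreadable file leaves the variable empty: treat as failure.
if not defined KEYMOD goto :fail
if not defined CSRMOD goto :fail

rem 4. The CSR must have been created from this private key.
if not "%KEYMOD%"=="%CSRMOD%" goto :fail

echo Key and CSR match. Submit %CSR% only; keep %KEY% on the server.
exit /b 0

:fail
echo Key and CSR could not be matched. Do not submit this CSR.
exit /b 1
```

The same modulus comparison can be repeated against the issued certificate with openssl x509 -noout -modulus before pointing Apache at it.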
Jul 15, 2008 at 10:58 AM Thanks David! You saved me so much time. FYI, I had to remove the quotes from the -subj and -config parameters in order for it to work. Otherwise, I was getting the following error: Unknown error:.\crypto\bio\bss_file.c
I just wanted to post that in case others came across the same issue.
Jul 31, 2008 at 8:21 AM Thanks guys! You just saved me an afternoon! :)
Sep 5, 2008 at 8:48 AM Thanks David... I was having a tough time, locating a windows-way of generating a self-signed cert and you showed the way!
I did a variation to generate a .crt (self-signed cert) instead. I've pasted it here so that anyone else interested can use it. Post a reply if it's useful to anyone else.... (I run this in a command window in the .../Apache/bin directory)
openssl req -new -x509 -nodes -keyout server.key -out server.crt -subj /C=US/ST=Desert/L=SnakeTown/O=SnakeOilCo/OU=IT/CN=snakeoil.com -config ../conf/openssl.cnf
Note: For some reason, openssl complained about the " quotes, so I removed them, and it still worked.
Thanks a bunch!