How to deploy SSL certificate in windows apache environment to make the website support https


I won’t talk about the use of SSL certificates. Friends who need to deploy them should have already understood them. Let’s get straight to the point.

Install Apache. When downloading Apache, choose an installer build that includes SSL support.

The first step is of course to obtain a certificate.

I applied on Tencent Cloud and it was done in just a few minutes.

After the domain name verification is passed, just download the certificate.

1_root_bundle.crt (certificate chain file)

2_www.domain.com_cert.crt (certificate file)

3_www.domain.com.key (private key file)

Put the certificate in the environment. I put it in apache/cert. The cert folder is created by myself.

The second step is to modify the server environment configuration

First: In httpd.conf, find the line [LoadModule ssl_module modules/mod_ssl.so]. If there is a # in front of it, remove it. If not, leave the line unchanged.

Second: In httpd.conf, find the line [Include conf/extra/httpd-ssl.conf]. If there is a # in front of it, remove it. If not, leave the line unchanged.

#The following three lines are to configure the certificate file. Pay attention to modify the path and the corresponding file name, don't get confused

SSLCertificateFile "/phpStudy/PHPTutorial/Apache/cert/2_tktx.nichousha.cc.crt"

SSLCertificateKeyFile "/phpStudy/PHPTutorial/Apache/cert/3_tktx.nichousha.cc.key"

SSLCertificateChainFile "/phpStudy/PHPTutorial/Apache/cert/1_root_bundle.crt"

Use Ctrl+F to search for these directive names and replace them one by one.

Another thing is to modify the site directory. I stepped on this little pit today.

Many site paths in the file are incorrect and need to be modified

SSLOptions +StdEnvVars

</FilesMatch>

<Directory "C:\phpStudy\WWW">

For example, the path of WWW is \phpStudy\PHPTutorial\WWW. I am using the new version of PHPSTUDY, so the path is \phpStudy\PHPTutorial\WWW. Just search for the wrong place and change it in batches.

Step 3 Set up 301 redirect

I use .htaccess

# Required for the rules below to take effect (harmless if already present)
RewriteEngine On

RewriteBase /

RewriteCond %{SERVER_PORT} !^443$

RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Just add this block to the file.


The whole process is relatively simple. If you have any questions, you can leave a message to tell me. The comments will be sent to me via email so I will reply quickly.

The following are the additions from other netizens

1. Preparation

1) Before setting up Apache + SSL, you need to do:

Install Apache. When downloading Apache, choose an installer build that includes SSL support.

And the files required by ssl are in the following locations:

[Apache installation directory]/modules/ mod_ssl.so

[Apache installation directory]/bin/ openssl.exe, libeay32.dll, ssleay32.dll, openssl.cnf

[Apache installation directory]/conf/ openssl.cnf

Create an SSL certificate (note that some integrated environments come with openssl, but there is no openssl.cnf in the bin directory. You need to copy the openssl.cnf under conf to the bin directory, but the overall principle is the same)

2) In Windows environment, you need to set the OpenSSL environment variable first:

Execute the command set OPENSSL_CONF=..\conf\openssl.cnf

Open CMD and go to the bin directory under the Apache installation directory:

Step 1 : Execute the command openssl genrsa 1024 >server.key

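Note: The default length of an RSA key pair is 1024, which is an integer power of 2. The longer the key length, the higher the security; the number in the command is the key length in bits, so a larger value such as 2048 can be given in its place.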

After the key server.key is generated, proceed to step 2.

Step 2: Produce unsigned server.csr and continue to execute commands in the bin directory:

openssl req -new -config openssl.cnf -key server.key >server.csr

Note: If you do not add the -config openssl.cnf parameter, you will often get the message "Unable to load config info from .../ssl/openssl.cnf"

You will then be asked to enter a series of parameters:

Country Name (2 letter code) [AU]:CN ISO country code (only two characters are supported)

State or Province Name (full name) [Some-State]:ZJ Province

Locality Name (eg, city) []:HZ city

Organization Name (eg, company):

Organizational Unit Name (eg, section) []:yiban Organizational Unit Name

Common Name (eg, YOUR name) []: localhost:80 The domain name for applying for the certificate (it is recommended that it must be consistent with the serverName in httpd.conf)

Email Address []:[email protected] Administrator Email

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []: 1234 Exchange key

An optional company name []:CD

Note: The Common Name must be consistent with the serverName in httpd.conf, otherwise Apache may not start.

(When starting Apache, the error message is: server RSA certificate CommonName (CN) `Kedou' does NOT match server name!?) Complete the signed server.csr configuration.

Step 3:

Sign the server certificate file server.crt

Execute the command in the bin/directory:

openssl req -x509 -days 5000 -config openssl.cnf -key server.key -in server.csr >server.crt

Note: This uses the key and certificate request from steps 1 and 2 to generate the certificate server.crt. The -days parameter indicates the validity period of the certificate in days. x509 indicates that the generated certificate is an X.509 certificate.

Step 4:

In the bin directory, find the server.crt, server.csr, and server.key files, and move them to the Apache conf directory.

Step 5:

Configure httpd.conf. The httpd-ssl.conf file in the Apache conf\extra directory holds the SSL configuration and is included as part of httpd.conf.

Add the following two lines to httpd.conf (if they are already present but commented out, remove the "#" in front of each line):

LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

Step 6:

(Note: the same parts are omitted)

In the conf\extra directory, edit httpd-ssl.conf

Listen 443

SSLPassPhraseDialog builtin

SSLSessionCache "dbm:c:/Apache24/logs/ssl_scache"

#SSLSessionCache "shmcb:c:/Apache24/logs/ssl_scache(512000)"

(Try the two cache types above yourself. If one of them prevents the server from starting, switch to the other.)

SSLSessionCacheTimeout 300

<VirtualHost www.my.com:443>
#DocumentRoot "D:/wamp/bin/apache/apache2.4.9/htdocs"
DocumentRoot "C:/wamp/www/hxq"
ServerName www.my.com:443
ServerAlias my.com:443
ServerAdmin [email protected]
DirectoryIndex index.html index.htm index.php default.php app.php u.php
ErrorLog logs/example_error.log
CustomLog logs/example_access.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine On
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/server.crt"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/server.key"
#SSLCertificateChainFile "C:/upupw/Apache2/conf/1_root_bundle.crt"
<FilesMatch "\.(shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory "C:/wamp/www/hxq">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

The most likely problem is the path of the logs in httpd-ssl.conf. It is recommended to set it according to the physical path.

Step 7:

Debug and run Apache. If you start Apache in an integrated environment such as xampp, wampserver, or phpstudy, you may not be able to tell what has gone wrong with the server. Check the logs under Apache/logs first, then run the httpd command from the bin directory in a CMD window. If no error is reported, the server is running properly. Otherwise, make changes according to the messages.

2. Test run

Restart the Apache service and visit https://www.my.com/. Done!

===========Summary of errors encountered==========

1. "Syntax error on line 80 of c:/apache/conf/extra/httpd-ssl.conf:ErrorLog takes one argument,The filename of the error log" or "Syntax error on line 99 of c:/apache/conf/extra/httpd-ssl.conf:SSLCertificateFile takes one argument,SSL Server Certificate file ('/path/to/file' -PEM or DER encoded)"

Solution: Add double quotes to the file path

2. "Syntax error on line 76 of C:/apache/conf/extra/httpd-ssl.conf:SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)."

Solution:

Open httpd.conf,

Find LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Remove the comment mark (#) in front of it.
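The two startup errors above can be caught before restarting Apache. The script below is an added example, not part of the original post: it scans httpd.conf and httpd-ssl.conf text for one-argument directives whose value is split by an unquoted space, and for an SSLSessionCache provider whose socache module is not loaded. It generalizes the shmcb case to other providers such as dbm, and the sample configuration, including the "Program Files" paths, is constructed for illustration.

```python
import re

# Directives that take exactly one argument; an unquoted space splits the value.
TAKE1 = {"errorlog", "documentroot", "order", "sslcertificatefile",
         "sslcertificatekeyfile", "sslcertificatechainfile"}
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string counts as one argument

def active_lines(text):
    """Yield (line_no, tokens) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield no, TOKEN.findall(line)

def lint(httpd_conf, ssl_conf):
    """Return [(line_no, message)] for problems found in the SSL include file."""
    loaded = {t[1].lower() for _, t in active_lines(httpd_conf)
              if t[0].lower() == "loadmodule" and len(t) > 1}
    findings = []
    for no, tok in active_lines(ssl_conf):
        name, args = tok[0].lower(), tok[1:]
        if name in TAKE1 and len(args) != 1:
            findings.append((no, f"{tok[0]} takes one argument: "
                                 "quote the path or remove the stray space"))
        if name == "sslsessioncache" and args:
            provider = args[0].strip('"').split(":", 1)[0].lower()
            module = f"socache_{provider}_module"
            if provider not in ("none", "nonenotnull") and module not in loaded:
                findings.append((no, f"SSLSessionCache '{provider}' needs "
                                     f"LoadModule {module} in httpd.conf"))
    return findings

# Constructed sample input (the "Program Files" paths are illustrative).
HTTPD_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
"""
SSL_CONF = """\
Listen 443
SSLSessionCache "shmcb:c:/Apache24/logs/ssl_scache(512000)"
ErrorLog C:/Program Files/Apache24/logs/example_error.log
SSLCertificateFile "C:/Program Files/Apache24/conf/server.crt"
Order allow, deny
"""

if __name__ == "__main__":
    for no, msg in lint(HTTPD_CONF, SSL_CONF):
        print(f"httpd-ssl.conf:{no}: {msg}")
```

To check a real installation, read the two files from disk and pass their contents to lint().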
