You can also create a new SSL certificate or wildcard certificate. When you do this, you generate a .key file (private key), as well as a .csr file (certificate signing request file), using your OpenSSL application. You then submit the .csr file to the SSL Certificate Authority of your choice (for example, GoDaddy, Thawte, Verisign, and so forth) in order to receive the appropriate .crt (certificate file) and bundle .crt files, which are then installed on your Apache web server.
NOTE
This process is for new SSL certificates or wildcard certificates. If you already have an existing SSL certificate, please reference the How to Use an Existing SSL Certificate with Apache section of the Guide.
NOTE
If you already have an existing IIS .pfx file, you must convert it to a .key file using the OpenSSL application. For more information, please reference the How to Convert an Existing IIS .pfx File to a Private Key File section of the Guide.
This article will review the following steps in detail:
- Use the OpenSSL application to generate a .key file
- Use the OpenSSL application to generate a .csr file
- Purchase a certificate from an SSL Certificate Authority using the newly generated .csr file
- Update the SSLCertificateChainFile path in the httpd.conf file
To generate a .key file using the OpenSSL application:
- From the Start menu, enter cmd into the search box and press the Enter key. A new Command Prompt window displays.
- In the Command Prompt window, navigate to the Apache bin directory using the cd command, and press the Enter key: cd C:\Apache24\bin\  
- While still in the Command Prompt window, launch the openssl application using the openssl command: openssl  
- Within the OpenSSL application, generate a .key file using the genrsa command: genrsa -out yourdomainname.key 2048
 For example:
 genrsa -out yourdomainname.key 2048  
To generate a .csr file using the OpenSSL application:
- While still in the OpenSSL application, generate a .csr file using the following command: req -new -key yourdomainname.key -out yourdomainname.csr -config "C:\Apache24\conf\openssl.cnf"
 For example:
 OpenSSL> req -new -key yourdomainname.key -out yourdomainname.csr -config "C:\Apache24\conf\openssl.cnf"
- You will be prompted to enter information into the Command Prompt window:
- When prompted to enter a Country Name, enter your country's two-letter code (for example, US).
- When prompted to enter a State or Province Name, enter the full name of your state or province (for example, California).
- When prompted to enter a Locality Name, enter the full name of your city (for example, San Francisco).
- When prompted to enter an Organization Name, enter the name of your organization.
- When prompted to enter an Organizational Unit Name, enter your organizational unit, or leave this field blank.
- When prompted to enter a Common Name, enter your server FQDN (for example, hostname.yourdomainname.com, or *.yourdomainname.com for a wildcard certificate).
 NOTE
 Make sure you have access to the email account that you provide. Depending upon the SSL Certificate Authority you select, you might need to validate ownership of your domain.
 NOTE
 You must include a * symbol in front of your yourdomainname.com if you are registering a wildcard certificate.
 
- When prompted to enter your email address, enter a valid email address.
- When prompted to enter extra attributes (a challenge password and an optional company name), leave these fields blank.
 
To purchase a certificate from an SSL Certificate Authority:
- Purchase a certificate from an SSL Certificate Authority of your choice using your newly generated .csr file. For example, you may wish to purchase from GoDaddy, Thawte, Verisign, and so forth.
- Each of these Certificate Authorities will require a specific set of steps for submitting the content of your newly generated .csr file. Follow the specific set of instructions provided by your selected Certificate Authority.
 NOTE
 Depending upon the SSL Certificate Authority you selected, you might need to validate ownership of your domain.
 
- When prompted to submit your .csr file, you can access the file in the Apache directory (for example, C:\Apache24\bin\_.yourdomainname.com.csr). Your SSL Certificate Authority will provide you with two files: a .crt file and a yourbundle.crt file. Make sure that you specify Apache as the server type when you download the files.
- After your SSL Certificate Authority provides you with the .crt file and the yourbundle.crt file, move the files into the C:\Apache24\conf\ssl\ directory. Specifically:
- Move the .crt file into Apache's ssl directory (for example, C:\Apache24\conf\ssl\).
- Move the yourbundle.crt file into Apache’s ssl directory (for example, C:\Apache24\conf\ssl\).
- Move the .key file from Apache’s bin directory to Apache’s ssl directory (for example, from C:\Apache24\bin to C:\Apache24\conf\ssl\).  
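As an added example that is not part of this guide, the following POSIX shell script performs the same genrsa and req steps non-interactively, adds a Subject Alternative Name covering both the bare and wildcard names, and checks that the .key, .csr and .crt files carry one and the same public key before they are placed in the ssl directory. example.com, Example Org and the file names are constructed placeholders, and the self-signed certificate in the demo stands in for the CA-issued .crt.

```shell
#!/bin/sh
# Added example (not from the guide): build a wildcard CSR with a SAN, then check
# that key, CSR and certificate carry the same public key before installing them.
# example.com, Example Org and the file names are constructed placeholders.
set -eu
make_wildcard_csr() {   # $1 = file base name, $2 = bare domain
  # Non-interactive request config: the subject fields the guide prompts for,
  # plus a SAN naming both the bare domain and the wildcard.
  cat > "$1.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[dn]
C  = US
ST = California
L  = San Francisco
O  = Example Org
CN = *.$2
[v3_req]
subjectAltName = DNS:$2, DNS:*.$2
EOF
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -config "$1.cnf"
}
# SHA-256 of the DER public key inside a private key, a CSR or a certificate.
pubkey_fingerprint() {  # $1 = key | csr | crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER ;;
    crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}
# Succeeds only when all three share one public key; a mismatch is the usual
# reason Apache refuses to start after the SSLCertificate* paths are updated.
same_public_key() {     # $1 = key, $2 = csr, $3 = crt
  k=$(pubkey_fingerprint key "$1"); c=$(pubkey_fingerprint csr "$2")
  x=$(pubkey_fingerprint crt "$3")
  [ "$k" = "$c" ] && [ "$k" = "$x" ]
}
# Succeeds when the CSR's SAN lists the given DNS name, e.g. '*.example.com'.
csr_has_san() {         # $1 = csr, $2 = DNS name
  openssl req -in "$1" -noout -text | grep -F -q "DNS:$2"
}
if [ "${1:-}" = demo ]; then  # self-signed stand-in for the CA-issued .crt
  make_wildcard_csr site example.com
  openssl x509 -req -in site.csr -signkey site.key -days 1 -out site.crt 2>/dev/null
  same_public_key site.key site.csr site.crt && csr_has_san site.csr '*.example.com' \
    && echo "key, CSR and certificate match"
fi
```

The openssl invocations are identical on Windows; only the shell wrapper differs. Run the same three-way check against the real .crt the Certificate Authority returns before editing httpd.conf.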
 
To update the SSLCertificateChainFile path in the httpd.conf file:
- Navigate to Apache’s conf directory (for example, C:\Apache24\conf\) and open the httpd.conf file.  
- For single certificates, in the VirtualHost section, update the following lines:
- SSLCertificateFile "C:\Apache24\conf\ssl\yourdomainname.crt"
- SSLCertificateKeyFile "C:\Apache24\conf\ssl\yourdomainname.key"
- SSLCertificateChainFile "C:\Apache24\conf\ssl\yourbundle.crt"
 For example:
 <VirtualHost _default_:510>
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "C:\Apache24\conf\ssl\yourdomainname.crt"
 SSLCertificateKeyFile "C:\Apache24\conf\ssl\yourdomainname.key"
 SSLCertificateChainFile "C:\Apache24\conf\ssl\yourbundle.crt"
 AllowEncodedSlashes On
 </VirtualHost>
 
- Alternatively, for wildcard certificates, update the following lines:
- <VirtualHost *:510>
- ServerName yourdomainname.com
- ServerAlias *.yourdomainname.com
- SSLCertificateFile "C:\Apache24\conf\ssl\yourdomainname.crt"
- SSLCertificateKeyFile "C:\Apache24\conf\ssl\yourdomainname.key"
- SSLCertificateChainFile "C:\Apache24\conf\ssl\yourbundle.crt"
 For example:
 <VirtualHost *:510>
 ServerName anchor.com
 ServerAlias *.anchor.com
 SSLEngine on
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
 SSLCertificateFile "C:\Apache24\conf\ssl\yourdomainname.crt"
 SSLCertificateKeyFile "C:\Apache24\conf\ssl\yourdomainname.key"
 SSLCertificateChainFile "C:\Apache24\conf\ssl\yourbundle.crt"
 AllowEncodedSlashes On
 </VirtualHost>
 
- Save and close the file.
- In the Start menu, enter Services into the search box and press the Enter key. The Services window displays.
- Right-click Apache Service and select Restart. The Apache Service will restart.
