> To create a self signed certificate:
> openssl.exe req -config openssl.cnf -new -nodes -out server.csr -keyout server.key
> openssl.exe x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -set_serial 1
> (Increment the serial number each time you create a certificate.)
>
> Make sure you enter your host name (e.g. www.abc.org) for the Common Name,
> when prompted.
>
> This assumes you have openssl.exe and openssl.cnf, if not you can grab them
> from:
> http://rab.members.easyspace.com/apache-ssl/
>
> Richard.
Thank you Richard for the quick response and help.
For completeness, I have compiled the following guide on how I successfully
achieved my aims.
The Ways to Prepare a Web Site for Server and Client Authentications
==================================================
Purpose: To establish server and client authentication for a web site using
self-signed certificates, done locally on localhost for testing on Windows.
Software and Platform
Apache 2.0.46 for Win32
Microsoft 2000 Professional
IE 5.5
Openssl 0.9.7b
The following are the important statements and steps taken to configure
Apache's configuration file httpd.conf:
# Mod_ssl module loaded with the statement
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
The above directive will read the SSL configuration file, ssl.conf, which
consists of the following few important statements:
<IfDefine SSL>
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost _default_:8443>
# General setup for the virtual host
DocumentRoot "C:/Apache2/htdocs"
ServerName localhost
ServerAdmin roychew.DeleteThis@hotmail.com
ErrorLog logs/error.log
TransferLog logs/access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile C:/Apache2/conf/demoCA/my-server.der.crt
SSLCertificateKeyFile C:/Apache2/conf/demoCA/my-server.key
SSLCACertificateFile C:/Apache2/conf/demoCA/my-server.cert
SSLCACertificatePath C:/Apache2/conf/demoCA
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory "C:/Apache2/htdocs">
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
</VirtualHost>
</IfDefine>
Preparations of Certificates
---------------------------------
I've placed all the requests, certificates and keys in a common folder
called demoCA.
I run openssl from the conf subdirectory because I have placed my
openssl.cnf file there.
Run the following commands using the openssl tool to create the server's
request, key and certificate:
> openssl req -config openssl.cnf -new -nodes -out demoCA/my-server.csr -keyout demoCA/my-server.key
> openssl x509 -in demoCA/my-server.csr -out demoCA/my-server.cert -req -signkey demoCA/my-server.key -days 365 -set_serial 1
> openssl x509 -in demoCA/my-server.cert -out demoCA/my-server.der.crt -outform DER
When prompted for the CN during the certificate preparation above, I chose
"localhost" as the common name.
Hence, while preparing the client certificate, "localhost" should be entered
for the CN to match it.
Issued by: "localhost" would then appear in the browser's window after the
certificates are installed into it.
It's important to match them; if not, Apache would consider it an error when
a secure connection is attempted, and this will be logged for confirmation.
Run the following commands using the openssl tool to create the client's
request, key and certificate:
> openssl req -config openssl.cnf -new -out demoCA/clienta.csr -keyout demoCA/clientakey.pem
> openssl x509 -req -in demoCA/clienta.csr -out demoCA/clienta.pem -CA demoCA/my-server.cert -CAkey demoCA/my-server.key -CAcreateserial -days 365 -outform PEM
> openssl pkcs12 -export -in demoCA/clienta.pem -out demoCA/clienta.p12 -inkey demoCA/clientakey.pem -name "Test User"
Start apache with
$> apache -D SSL -e warn -k start
Beware that starting Apache via the Apache Monitor service on Windows would
not set the SSL directive option as above.
If the server certificate is not installed before connecting to the web site,
the server will prompt the user's browser to accept the server's certificate.
IE 5.5 browser changes were made in order to get the window prompt for the
client certificate, with the client certificate installed beforehand, while
connecting to the web site. I used the setting for the local intranet because
I used localhost.
Then try to access https://localhost:8443
That's about it for certificates. Yet to do the LDAP part.
Roy
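Added example, not code from Roy's post or Richard's reply: a POSIX shell script that rebuilds the demoCA key material described above with openssl and then checks the client certificate against the server certificate the way mod_ssl does for `SSLVerifyClient require` with `SSLVerifyDepth 1`, i.e. that the client certificate chains to the file named in SSLCACertificateFile. It assumes a POSIX sh and an openssl binary in PATH, uses `-subj` in place of the interactive prompts, writes to a temporary directory instead of conf/demoCA, and uses a constructed PKCS#12 password. One deliberate addition: the server certificate is given `basicConstraints=CA:TRUE` (and a subjectAltName) through `-extfile`, because the post's plain `-signkey` step adds no extensions and `openssl verify` will not accept a certificate as an issuer without the CA flag.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the demoCA key
# material from the thread with openssl and check the client certificate
# against the server certificate the way mod_ssl does for
# "SSLVerifyClient require" with "SSLVerifyDepth 1".
# Assumptions: POSIX sh and openssl in PATH; -subj replaces the interactive
# prompts; files go to a temporary directory instead of conf/demoCA; the
# PKCS#12 password is a constructed placeholder.
set -e

WORK="${WORK:-$(mktemp -d)}"
DEMO="$WORK/demoCA"

make_certs() {
    mkdir -p "$DEMO"

    # Extensions for the server certificate. The post's plain "-signkey" step
    # adds none; CA:TRUE is what lets this certificate act as the issuer of
    # the client certificate, and the SAN is what modern clients match on.
    printf 'basicConstraints=critical,CA:TRUE\nsubjectAltName=DNS:localhost\n' \
        > "$DEMO/server.ext"

    # Server key + CSR + self-signed certificate, CN=localhost as in the post.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=localhost" \
        -keyout "$DEMO/my-server.key" -out "$DEMO/my-server.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO/my-server.csr" -signkey "$DEMO/my-server.key" \
        -days 365 -set_serial 1 -extfile "$DEMO/server.ext" \
        -out "$DEMO/my-server.cert" 2>/dev/null
    # DER copy for SSLCertificateFile, as the post does.
    openssl x509 -in "$DEMO/my-server.cert" -outform DER -out "$DEMO/my-server.der.crt"

    # Client key + CSR, then a certificate signed by the server key, so the
    # client's "Issued by" is CN=localhost, matching SSLCACertificateFile.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=localhost/O=Test User" \
        -keyout "$DEMO/clientakey.pem" -out "$DEMO/clienta.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO/clienta.csr" -CA "$DEMO/my-server.cert" \
        -CAkey "$DEMO/my-server.key" -CAcreateserial -days 365 \
        -out "$DEMO/clienta.pem" 2>/dev/null

    # PKCS#12 bundle for import into the browser (password is a placeholder).
    openssl pkcs12 -export -in "$DEMO/clienta.pem" -inkey "$DEMO/clientakey.pem" \
        -name "Test User" -passout pass:changeit -out "$DEMO/clienta.p12"
}

# Succeeds only if the client certificate chains to my-server.cert: this is
# the check mod_ssl performs before the Directory block admits the request.
verify_client_chain() {
    openssl verify -CAfile "$DEMO/my-server.cert" "$DEMO/clienta.pem" >/dev/null 2>&1
}

# Issuer CN of the client certificate; the post notes this must read
# "localhost" so the browser's "Issued by" matches the server.
client_issuer_cn() {
    openssl x509 -in "$DEMO/clienta.pem" -noout -issuer -nameopt RFC2253 \
        | sed 's/.*CN=//'
}

# Negative case: a certificate from an unrelated self-signed CA must be
# rejected by the same check, otherwise SSLVerifyClient is not doing its job.
verify_rogue_fails() {
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=other" -days 1 \
        -keyout "$DEMO/rogue.key" -out "$DEMO/rogue.pem" 2>/dev/null
    ! openssl verify -CAfile "$DEMO/my-server.cert" "$DEMO/rogue.pem" >/dev/null 2>&1
}

make_certs
echo "certificates written to $DEMO"
```

Run it with `sh` and then call `verify_client_chain`, `client_issuer_cn` and `verify_rogue_fails` from the same shell; the rogue case is the handshake failure that shows up in Apache's error.log when a browser presents a certificate the server's CA file did not issue.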