Arun's Blog

Running Apache on Windows with SSL

Tags: Webserver, Windows, Security
TL;DR

Install Apache on Windows using PowerShell, configure it as a service, then enable HTTPS by extracting certificates from a PFX file using OpenSSL and configuring mod_ssl in Apache's httpd.conf and httpd-ssl.conf files.

Introduction

Apache started on Unix and is still mostly used there, but it runs fine on Windows when that's where the team lives. This post covers installing Apache on Windows via PowerShell, registering it as a Windows service, and putting it behind HTTPS by extracting the cert and key from a PFX file using OpenSSL.

I'll skip getting the PFX file itself and the OpenSSL install, since both are well-covered elsewhere.

Workflow

Download and Extract Apache

All commands below are run in PowerShell.

  • Download Apache
    • start-bitstransfer https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.56-win64-VS17.zip
  • Extract zip file
    • expand-archive httpd-2.4.56-win64-VS17.zip
  • Copy Apache directory to your desired location
    • copy-item -path ".\httpd-2.4.56-win64-VS17\Apache24" -Destination "C:\Apache24" -recurse

Note

Apache from ApacheLounge requires the Visual C++ Redistributable for Visual Studio to be installed. Download and install the appropriate version (VS17 = Visual Studio 2022) if Apache fails to start.

Install and Run Apache on Port 80

  • Move to the bin directory of Apache
    • cd c:\apache24\bin
  • Install Apache as a service with your desired service name (e.g. arunapache)
    • .\httpd.exe -k install -n "arunapache"
  • Confirm service has been created
    • get-service arunapache
  • From another machine, confirm you can browse to the IP address of the server hosting Apache. You should see the 'It works' page

Important

Ensure Windows Firewall allows inbound connections on port 80 (HTTP) and port 443 (HTTPS). Create firewall rules if the default Apache test page is not accessible from other machines.

Configure and Run Apache on Port 443

Please note I will not go into how to obtain a pfx file, nor installation of OpenSSL.

Export Files from PFX

  • Create a key file that contains only the private key. In the example below I have a PFX file called arunssl.pfx and I am exporting the private key (myexport.key). You will be asked for the password for the PFX file, and then you will be asked to create your own passphrase (twice) for the myexport.key file
    • openssl pkcs12 -in arunssl.pfx -nocerts -out myexport.key
  • Using the exported key (myexport.key), export the decrypted private key (server.key). You will be asked for the passphrase you set when exporting myexport.key
    • openssl rsa -in myexport.key -out server.key
  • Export only the certificate file (server.crt) from the PFX file (arunssl.pfx). You will be asked for the password for the PFX file
    • openssl pkcs12 -in arunssl.pfx -clcerts -nokeys -out server.crt
  • Export the chain of certificates under one file (server-ca.crt) from the pfx file (arunssl.pfx) without including the private key. You will be asked for the password for the pfx file
    • openssl pkcs12 -in arunssl.pfx -chain -nokeys -out server-ca.crt

Pro Tip

Keep your private key (server.key) secure with restricted file permissions. Never commit private keys to version control or share them over insecure channels.

Copy Files to Apache Root

  • Copy the three files created (server.key, server.crt, and server-ca.crt) to the Apache Server root directory (C:\Apache24)
    • copy server.key, server.crt, server-ca.crt c:\Apache24\
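
One way to apply the Pro Tip above to the decrypted key once it is in place. This is an added example, not part of the original post; it assumes the key sits at C:\Apache24\server.key, that the Apache service runs as LocalSystem (the default for httpd.exe -k install), and that $workDir (a hypothetical variable) is the folder where the openssl commands were run.

```powershell
# Added example: lock down the decrypted private key and clean up leftovers.
$key     = 'C:\Apache24\server.key'
$workDir = (Get-Location).Path          # assumption: folder used for the export steps
$allowed = 'S-1-5-18', 'S-1-5-32-544'   # LocalSystem, BUILTIN\Administrators

# Drop inherited ACEs, then grant explicit access by well-known SID
icacls $key /inheritance:r /grant:r '*S-1-5-18:(R)' '*S-1-5-32-544:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $key" }

# Verify: any explicit ACE for another principal survives /grant:r, so list them
$extra = (Get-Acl -Path $key).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $allowed -notcontains $sid
}
if ($extra) {
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType
    throw "Unexpected principals can still access $key"
}

# The export steps leave key material behind in the working folder:
# myexport.key (passphrase-protected) and a second copy of server.key (decrypted).
foreach ($name in 'myexport.key', 'server.key') {
    $leftover = Join-Path $workDir $name
    if ((Test-Path -LiteralPath $leftover) -and
        ((Resolve-Path -LiteralPath $leftover).Path -ne $key)) {
        Remove-Item -LiteralPath $leftover -Confirm   # prompts before each delete
    }
}
```

If the service is later reconfigured to run under a dedicated account, grant that account read access to the key and add its SID to $allowed.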

Configure Apache for HTTPS

  • Open httpd.conf from the conf directory
    • notepad C:\Apache24\conf\httpd.conf
  • Find and uncomment the following lines (remove the hash mark, #)
    • LoadModule ssl_module modules/mod_ssl.so
    • Include conf/extra/httpd-ssl.conf
  • If you gave any of the exported files a different name, you will have to modify the httpd-ssl.conf file located at C:\Apache24\conf\extra\httpd-ssl.conf. The lines you will have to modify are:
    • SSLCertificateFile - this is the location of your server crt file
    • SSLCertificateKeyFile - this is the location of your private key
    • SSLCertificateChainFile - this is the location of your chain certificate file
  • Restart the Apache service (e.g. arunapache)
    • restart-service arunapache
  • From another machine, confirm you can browse to the IP address of the server hosting Apache on the HTTPS port. You should see the 'It works' page, along with the browser showing the certificate being used.

Note

If Apache fails to start after enabling SSL, check the error log at C:\Apache24\logs\error.log. Common issues include incorrect file paths, password-protected private keys, or mismatched certificate and key pairs.
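
The three common causes named in the note above can be checked before restarting the service. The script below is an added example, not part of the original post; it assumes openssl.exe is on PATH, Apache is installed in C:\Apache24, the key is RSA (as in the export steps), and that ${SRVROOT} in the config, if used, points at that same folder.

```powershell
# Added example: pre-flight check to run before "restart-service".
$root = 'C:\Apache24'
$conf = Join-Path $root 'conf\extra\httpd-ssl.conf'

function Get-SslDirectivePath([string]$Name) {
    # First uncommented "<Name> <path>" line in httpd-ssl.conf
    $hit = Select-String -Path $conf -Pattern "^\s*${Name}\s+(.+)" | Select-Object -First 1
    if (-not $hit) { return $null }
    $path = $hit.Matches[0].Groups[1].Value.Trim().Trim('"')
    $path = $path.Replace('${SRVROOT}', $root)     # assumption: SRVROOT equals $root
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $root $path }
    return $path
}

function Test-ApacheSslConfig {
    $problems = @()
    $crt = Get-SslDirectivePath 'SSLCertificateFile'
    $key = Get-SslDirectivePath 'SSLCertificateKeyFile'
    $ca  = Get-SslDirectivePath 'SSLCertificateChainFile'   # optional directive

    # 1. Incorrect file paths
    if (-not $crt) { $problems += 'SSLCertificateFile is not set' }
    if (-not $key) { $problems += 'SSLCertificateKeyFile is not set' }
    foreach ($f in @($crt, $key, $ca) | Where-Object { $_ }) {
        if (-not (Test-Path -LiteralPath $f)) { $problems += "Missing file: $f" }
    }
    if ($problems) { return $problems }

    # 2. Password-protected private key (checked first so openssl never prompts)
    if (Select-String -LiteralPath $key -Pattern 'ENCRYPTED' -Quiet) {
        $problems += "Private key is passphrase-protected: $key"
        return $problems
    }

    # 3. Mismatched certificate and key: both print "Modulus=<hex>"
    $certMod = & openssl x509 -noout -modulus -in $crt
    $keyMod  = & openssl rsa  -noout -modulus -in $key
    if (-not $certMod -or $certMod -ne $keyMod) {
        $problems += 'Certificate and private key do not match'
    }

    # 4. Apache's own syntax check of the full configuration
    & (Join-Path $root 'bin\httpd.exe') -t 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += 'httpd.exe -t reported a configuration error' }
    return $problems
}

$issues = Test-ApacheSslConfig
if ($issues) { $issues } else { 'Pre-flight checks passed' }
```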

Troubleshooting

  • Issue: Apache service fails to start
    • Possible Cause: Visual C++ Redistributable not installed
    • Solution: Download and install the Visual C++ Redistributable for the version matching your Apache build (VS17 = 2022, VS16 = 2019).
  • Issue: "Cannot load mod_ssl" error
    • Possible Cause: OpenSSL DLLs missing or wrong version
    • Solution: Ensure libeay32.dll and ssleay32.dll (or libcrypto/libssl for newer versions) are in the Apache bin folder or system PATH.
  • Issue: "Certificate and private key do not match"
    • Possible Cause: Wrong certificate or key file exported
    • Solution: Re-export the certificate and key from the PFX file. Verify they match using: openssl x509 -noout -modulus -in server.crt | openssl md5 and compare with the key.
  • Issue: Browser shows "Connection not secure"
    • Possible Cause: Certificate chain incomplete or self-signed
    • Solution: Ensure SSLCertificateChainFile points to the intermediate CA certificates. Verify the full chain with openssl s_client -connect localhost:443.
  • Issue: Port 443 already in use
    • Possible Cause: Another service using HTTPS port
    • Solution: Check what's using the port with netstat -ano | findstr :443. Stop the conflicting service or configure Apache to use a different port.
