installing SSL certs on apache ... what certs to use?

Solution 1:

You can't just generate a random key for your certificate; you have to use the one that it was generated with. There is a public key in the certificate (usually RSA) which the client will use in the key exchange process; to complete the key exchange you will need the private key, which (among other things) verifies that the certificate is yours. Otherwise you could just use any certificate you find on the internet and impersonate people.

If you supply invalid certificate information, Apache will fail.

The certificate chain you were given probably contains three certificates: one for the root CA (class-root.crt I suspect), an intermediate CA which is signed by that root CA (root-2int.cer), and your server certificate which is signed by the intermediate CA. Nearly all SSL certificates are arranged like this. The root certificate will be trusted by clients; your server has to provide its own certificate and the other certificates which link it in a chain to the root (e.g. the root and intermediate certificates).

The chain file is what does this. To create a chain file, you should concatenate the intermediate and CA certificates into one file, e.g.

cat /etc/ssl/crt/root-2int.cer /etc/ssl/crt/class-root.crt > /etc/ssl/crt/chain.crt

Then, specify chain.crt as your SSLCertificateChainFile. This will cause Apache to send these two certificates along with yours as evidence of validity.

You will also need to extract the certificate and key from your PFX file, which contains both:

openssl pkcs12 -nocerts -in wildcard.ssl.pfx -out wildcard.key
openssl pkcs12 -clcerts -nokeys -in wildcard.ssl.pfx -out wildcard.crt

Then, if the private key is encrypted (e.g. you got a passphrase with it) and you want Apache to be able to start without providing the password, you should decrypt it (and protect it with filesystem permissions: mode 0400 and owned by root:root, for instance). To do this (assuming RSA):

openssl rsa -in wildcard.key -out wildcard-decrypted.key

You can then use these two files:

SSLCertificateFile /etc/ssl/crt/wildcard.crt
SSLCertificateKeyFile /etc/ssl/crt/wildcard-decrypted.key

As long as the certificates all match up, that should work. If you want to check that your certificate corresponds to your key, use these two commands (output should be the same, and again assuming RSA):

openssl x509 -modulus -noout -in /etc/ssl/crt/wildcard.crt
openssl rsa -modulus -noout -in /etc/ssl/crt/wildcard-decrypted.key
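The steps in this answer, as an added shell example that is not part of the original post: it builds the chain file in the order Apache expects, confirms that a certificate and key belong together, and verifies that the certificate chains up to the root. It assumes openssl is on PATH and takes file names as arguments; it goes beyond the answer's RSA-only modulus comparison by comparing the whole public key, so it also works for EC keys.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes `openssl` is on PATH;
# every file name is a caller-supplied argument.

# cert_key_match CERT KEY
# Returns 0 when the public key embedded in CERT equals the public key derived
# from KEY. Comparing the SubjectPublicKeyInfo (not the RSA modulus) makes this
# work for EC keys too; an encrypted KEY will prompt for its passphrase.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_chain OUT INTERMEDIATE ROOT
# Writes the file used as SSLCertificateChainFile: intermediate first, root last.
build_chain() {
    cat "$2" "$3" > "$1"
}

# chain_verifies CERT CHAIN ROOT
# Returns 0 when CERT chains up to ROOT through the intermediates in CHAIN,
# which is what a client checks after Apache sends the chain.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage: sh check.sh server.crt server.key intermediate.cer root.crt
if [ "$#" -eq 4 ]; then
    build_chain chain.crt "$3" "$4"
    if cert_key_match "$1" "$2"; then echo "certificate and key match"
    else echo "MISMATCH: key does not belong to certificate"; fi
    if chain_verifies "$1" chain.crt "$4"; then echo "chain verifies"
    else echo "chain does NOT verify"; fi
fi
```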