installing SSL certs on apache ... what certs to use?
Solution 1:
You can't just generate a random key for your certificate; you have to use the one that it was generated with. There is a public key in the certificate (usually RSA) which the client will use in the key exchange process; to complete the key exchange you will need the private key, which (among other things) verifies that the certificate is yours. Otherwise you could just use any certificate you find on the internet and impersonate people.
If you supply invalid certificate information, apache will fail.
The certificate chain you were given probably contains three certificates: one for the root CA (class-root.crt I suspect), an intermediate CA which is signed by that root CA (root-2int.cer), and your server certificate which is signed by the intermediate CA. Nearly all SSL certificates are arranged like this. The root certificate will be trusted by clients; your server has to provide its own certificate and the other certificates which link it in a chain to the root (eg. the root and intermediate certificates).
The chain file is what does this. To create a chain file, you should concatenate the intermediate and CA certificates into one file, eg.
cat /etc/ssl/crt/root-2int.cer /etc/ssl/crt/class-root.crt > /etc/ssl/crt/chain.crt
Then, specify chain.crt as your SSLCertificateChainFile
. This will cause Apache to send these two certificates along with yours as evidence of validity.
You will also need to extract the certificate and key from your PFX file, which contains both:
openssl pkcs12 -nocerts -in wildcard.ssl.pfx -out wildcard.key
openssl pkcs12 -clcerts -nokeys -in wildcard.ssl.pfx -out wildcard.crt
Then, if the private key is encrypted (eg. you got a passphrase with it), if you want apache to be able to start without providing the password you should decrypt it (and protect it with filesystem permissions: mode 0400 and owned by root:root for instance). To do this (assuming RSA):
openssl rsa -in wildcard.key -out wildcard-decrypted.key
You can then use these two files:
SSLCertificateFile /etc/ssl/crt/wildcard.crt
SSLCertificateKeyFile /etc/ssl/crt/wildcard-decrypted.key
As long as the certificates all match up, that should work. If you want to check that your certificate corresponds to your key, use these two commands (output should be the same, and again assuming RSA):
openssl x509 -modulus -noout -in /etc/ssl/crt/wildcard.crt
openssl rsa -modulus -noout -in /etc/ssl/crt/wildcard-decrypted.key