...
No Format |
---|
www.earth.com_server.pem.base64.crt |
earth.com_server.crt.
Warning |
---|
Provide a sub-page to explain the CA signing process as an example. |
...
You don't need it. Yes, it is noted in many tutorials on the Internet, but as explained in the Apache 2 documentation,
These are used to verify the client certificate on Client Authentication.
...
In other words, you only need CA certificates on Web Servers if you intend to have the Browsers authenticate and identify themselves.
Store Certificates
In Ubuntu, the default locations for SSL certificates are,
...
```
sudo cp www.earth.com.base64.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com.base64.pem.crt
```
Note |
---|
The above chown root:root command ensures the signed public key is protected. Also, if you are using a user other than root to start Apache, then adjust the file ownership to that user. |
...
```
# Copy the key under the file name used by the chmod and chown commands below
sudo cp www.earth.com_server.key /etc/ssl/private/www.earth.com_server.base64.pem.key
# The file should only be viewable by the owner
sudo chmod 600 /etc/ssl/private/www.earth.com_server.base64.pem.key
# Make the user starting Apache the owner; in this case it is root
sudo chown root:ssl-cert /etc/ssl/private/www.earth.com_server.base64.pem.key
```
...
```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the keys
    SSLCertificateFile    /etc/ssl/certs/www.earth.com_server.pem.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

    # Loads all Certificate Authorities in the provided path SSLCACertificatePath
    # SSLCACertificatePath /etc/ssl/certs/
    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
```
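A pre-reload check for the layout described above, as an added example that is not part of the original page: it reads the certificate and key paths from a vhost file and flags any that are missing or, for the private key, accessible beyond the owner. The function names are hypothetical, and paths containing spaces are not handled.

```sh
# Added example, not from the original page. Function names are hypothetical.

# Print the path argument of each uncommented occurrence of one directive.
directive_paths() {   # $1 = directive name, $2 = vhost file
    awk -v d="$1" 'tolower($1) == tolower(d) && NF >= 2 {
        gsub(/"/, "", $2); print $2 }' "$2"
}

# Succeed only when group and other have no permission bits (mode 600 or 400).
# -L follows symlinks so the target file's mode is what gets checked.
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Report missing files and over-permissive keys; return 1 if anything was found.
audit_vhost() {
    conf=$1
    status=0
    for d in SSLCertificateFile SSLCertificateChainFile SSLCertificateKeyFile; do
        # Word splitting is intentional: paths containing spaces are not handled.
        for f in $(directive_paths "$d" "$conf"); do
            if [ ! -s "$f" ]; then
                echo "$d: $f is missing or empty"
                status=1
            elif [ "$d" = SSLCertificateKeyFile ] && ! owner_only "$f"; then
                echo "$d: $f is accessible to group or other"
                status=1
            fi
        done
    done
    return "$status"
}
```

Run `audit_vhost` against the site file before reloading Apache; a file name that differs between the copy step and the vhost shows up as a "missing or empty" line.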
...