...
```sh
su bhitch # Use a sudo-enabled account.
cd ~
mkdir private
chmod -R 700 ./private
cd private
openssl genrsa -out www.earth.com_server.pem.key 2048
```
The openssl command reads,
...
```sh
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr
```
You will be prompted to enter information about the certificate. The values should reflect your organization.
...
```sh
openssl req -in www.earth.com_server.pem.csr -noout -text
```
Submit Public Key to CA
...
```
www.earth.com_server.signed_cert.pem.crt
```
Warning: Q: I did not register the certificates; someone just sent me a bunch of files and I do not know what is what. A: Read the article Certificate File Formats, which explains the file types and also how to verify and validate certificate files.
...
You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, from SSLShopper's list of Chain Certificates and the respective CA Installation Instructions.
Note: Chain certificates also expire. Whenever you update your SSL certificate, also check whether a new chain certificate is available.
In this case the chain certificate was found on the StartCom How to Install Apache Server webpage:
...
```sh
mv sub.class1.server.ca.pem sub.class1.server.ca.pem.crt
```
After the extension change, double-click the file in Windows to inspect the certificate.
Copy the "Issued to:" name, as it will be used to give the file a proper name:
```sh
# The file was renamed to .crt in the previous step, so that is the source name here.
mv sub.class1.server.ca.pem.crt StartCom_Class_1_Primary_Intermediate_Server_CA.crt
```
I am reconsidering keeping the certificate files with Apache rather than in the central Ubuntu location. For now, use this location:
```sh
sudo mv StartCom_Class_1_Primary_Intermediate_Server_CA.crt /etc/ssl/certs/
```
Concatenating Chain Certificates
...
```sh
sudo cp www.earth.com.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com.pem.crt
```
Note: The above chown root:root command ensures the signed public key is protected. Also, if you are using a user other than root to start Apache, adjust the file ownership to that user.
...
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # ---------------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed certificate (public key)
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/
    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # ---------------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
```
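Before restarting Apache, it is worth confirming that the three files referenced by SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile actually fit together: the certificate must carry the public half of the private key, and the certificate must chain to a trusted root through the intermediate. The script below is an added example, not part of the original page; it assumes the openssl CLI is installed and builds a constructed, throwaway root/intermediate/server chain in a temporary directory purely to exercise the checks.

```sh
#!/bin/sh
# Added example, not from the original page: sanity checks to run on the
# private key, signed certificate and chain certificate before Apache loads
# them. Requires the openssl CLI. The demo section builds a constructed
# root -> intermediate -> server chain under a temporary directory.

# 0 when the certificate's public key is the public half of the private key
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# 0 when the server certificate chains to the trusted root through the
# intermediate, i.e. what a browser does with SSLCertificateChainFile
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# 0 when the certificate stays valid for at least $2 more days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed demo chain (each certificate valid for one day)
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$DEMO/root.key" -out "$DEMO/root.crt" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$DEMO/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$DEMO/int.key" -out "$DEMO/int.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/int.csr" -CA "$DEMO/root.crt" -CAkey "$DEMO/root.key" \
    -CAcreateserial -days 1 -extfile "$DEMO/ca.ext" -out "$DEMO/int.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.earth.com" \
    -keyout "$DEMO/server.key" -out "$DEMO/server.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/server.csr" -CA "$DEMO/int.crt" -CAkey "$DEMO/int.key" \
    -CAcreateserial -days 1 -out "$DEMO/server.crt" 2>/dev/null

cert_matches_key "$DEMO/server.key" "$DEMO/server.crt" && echo "key matches certificate"
chain_verifies "$DEMO/root.crt" "$DEMO/int.crt" "$DEMO/server.crt" && echo "chain verifies"
# Pointing Apache at the wrong key (here the intermediate's) must be caught
cert_matches_key "$DEMO/int.key" "$DEMO/server.crt" || echo "wrong key rejected"
cert_valid_for_days "$DEMO/server.crt" 30 || echo "renew: expires within 30 days"
```

Run it against the real files by calling the three functions with the paths from the VirtualHost above and the CA's root certificate instead of the constructed ones.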
...