Comment: Updates to chain certificate details.

...

```bash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
chmod -R 700 ./private
cd private
openssl genrsa -out www.earth.com_server.pem.key 2048
```

The openssl command reads,

...

```bash
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr
```

You will be prompted to enter information about the certificate. The values should reflect your organization.

...

```bash
openssl req -in www.earth.com_server.pem.csr -noout -text
```

Submit Public Key to CA

...

```
www.earth.com_server.signed_cert.pem.crt
```
Warning

Q: I did not register the certificates; someone just sent me a bunch of files and I do not know what is what.

A: Read the article Certificate File Formats, which explains the file types and how to verify and validate certificate files.

...

You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.

Note

Chain certificates also expire. Whenever you update your SSL certificate, also check whether a new chain certificate is available.

In this case the chain certificate was found on the StartCom How to Install Apache Server webpage,

...

```bash
mv sub.class1.server.ca.pem sub.class1.server.ca.pem.crt
```

After the extension change, double click the file in Windows to inspect the certificate.

Copy the Issued to: name, as this will be used to properly name the file,

```bash
# The file was renamed to .pem.crt in the previous step; give it the Issued to: name.
mv sub.class1.server.ca.pem.crt StartCom_Class_1_Primary_Intermediate_Server_CA.crt
```

I am reconsidering keeping the certificate files with Apache rather than in the central Ubuntu location. For now, use this location,

```bash
sudo mv StartCom_Class_1_Primary_Intermediate_Server_CA.crt /etc/ssl/certs/
```

Concatenating Chain Certificates

...

```bash
sudo cp www.earth.com.pem.crt /etc/ssl/certs
sudo chown root:root /etc/ssl/certs/www.earth.com.pem.crt
```
Note

The chown root:root command above ensures the signed public key is protected. If you use a user other than root to start Apache, adjust the file ownership to that user.

...

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName www.earth.com
    ServerAlias earth.com

    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the signed certificate
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.signed_cert.pem.crt

    # Load the private key
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain
    SSLCertificateChainFile /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

    # Loads all Certificate Authorities in the provided path
    # SSLCACertificatePath /etc/ssl/certs/

    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # -----------------
    # End Enable SSL
    # ---------------------

</VirtualHost>
</IfModule>
```
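Before reloading Apache with the configuration above, it is worth checking that the three files it points at actually belong together: the certificate must match the private key, the chain file must be the one that issued it, neither may be close to expiry, and the key should be readable by its owner only. The script below is an added example, not from the original page; it assumes the openssl CLI and the file names used on this page, and builds a throwaway CA locally in place of the StartCom intermediate so that it runs offline.

```bash
#!/bin/sh
# Added example, not from the original page: sanity checks to run on the
# three files before pointing SSLCertificateFile, SSLCertificateKeyFile and
# SSLCertificateChainFile at them. Requires the openssl CLI; the demo
# certificates are constructed locally (a throwaway CA standing in for the
# StartCom intermediate), so the script runs offline.
set -eu

# 0 if the certificate's public key belongs to this RSA private key.
cert_matches_key() {  # $1 = certificate (PEM), $2 = RSA private key (PEM)
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}

# 0 if the server certificate chains up to the certificates in the chain file.
verify_chain() {  # $1 = server certificate, $2 = chain file (intermediate + root)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid N days from now (chain certs expire too).
valid_for_days() {  # $1 = certificate (PEM), $2 = days
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# 0 if the private key has no group/other permission bits (e.g. mode 600).
key_is_owner_only() {  # $1 = private key file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# --- constructed demo material (file names borrowed from the page) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
KEY=www.earth.com_server.pem.key; CSR=www.earth.com_server.pem.csr
CERT=www.earth.com_server.signed_cert.pem.crt; CHAIN=chain.crt
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Example Intermediate CA" -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out "$CHAIN" 2>/dev/null
openssl genrsa -out "$KEY" 2048 2>/dev/null && chmod 600 "$KEY"   # same steps as the page
openssl req -new -key "$KEY" -subj "/CN=www.earth.com" -out "$CSR" 2>/dev/null
openssl x509 -req -in "$CSR" -CA "$CHAIN" -CAkey ca.key -CAcreateserial -days 90 \
    -out "$CERT" 2>/dev/null                                    # the CA's signing step
openssl genrsa -out other.key 2048 2>/dev/null                  # unrelated key, for contrast

cert_matches_key "$CERT" "$KEY"       && echo "certificate matches its private key"
cert_matches_key "$CERT" other.key    || echo "certificate does not match other.key"
verify_chain "$CERT" "$CHAIN"         && echo "chain verifies"
valid_for_days "$CHAIN" 30            && echo "chain certificate valid for 30+ days"
key_is_owner_only "$KEY"              && echo "private key is owner-only"
```

On a real server, run the same four functions against the paths named in the VirtualHost (the key under /etc/ssl/private, the certificate and chain under /etc/ssl/certs) after every certificate renewal.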

...