deqyra

Reputation: 764

Which certificate chain file to include with self-signed certificate?

EDIT: It may have been preferable to ask this on Server Fault, but my reputation wouldn't let me post more than 2 links. :(

I want some pages that require passwords on my website to be secure, so I followed this to create a custom SSL certificate. I also followed this, because it explains how to generate self-signed multidomain certificates (the subjectAltName allows me to get a valid certificate for example.com and *.example.com, I didn't find another way to do this).
So I had to mix the commands to get what I wanted, and I think everything is ok with what I did (though I'll detail it later just in case).
Now I have to configure Apache to listen to queries on port 443 and provide SSL security on the corresponding pages. So I found this.

When defining the VirtualHost listening on port 443, it says this:

<VirtualHost 127.0.0.1:443>
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/something.crt
  SSLCertificateKeyFile /etc/apache2/ssl/something.key
  SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
  ...
</VirtualHost>

I think I know which files I need to specify for the SSLCertificateFile and SSLCertificateKeyFile fields, but I can't seem to figure out what the SSLCertificateChainFile is. Everything I found by searching on Google and Stack Exchange communities hasn't helped me so far, so I am asking it clearly here:

What file should I provide for SSLCertificateChainFile, and how do I create it if needed?


Here are the files that I created by following the instructions of the different links, with the commands I used to create them.


For the SSLCertificateFile, I thought I'd provide the server.san.crt file, this seems to be the most logical thing to me, as well as the server.key file for SSLCertificateKeyFile.
SSLCertificateChainFile seems to ask for a .crt file, so it may be the only other .crt file that I have, ca.san.crt, but I'm really not sure about this.

Does anybody have a hint?
Thank you for your time reading this.


Solution
For this particular case, since I am using a custom certificate, SSLCertificateChainFile doesn't make much sense (see the marked answer below). Thus, you just have to specify the same certificate file for both directives, SSLCertificateFile and SSLCertificateChainFile.
There's just one thing you need to do with Apache before you can use SSL* directives. SSL is disabled by default on Apache, so you need to enable it with sudo a2enmod ssl, or when restarting Apache you will get an error saying you may have misspelt something in your vHosts files.
Once you have done this and restarted the server you may connect on your vHosts with HTTPS. Your browser will tell you that the certificate is not valid because it is self-signed, but your connection will be secure.

Upvotes: 18

Views: 25114

Answers (2)

Marián Černý

Reputation: 15778

If you are using a self-signed certificate, there is no certificate authority or other certificates in the certificate chain. Therefore just do not include SSLCertificateChainFile in the <VirtualHost> section.

Upvotes: 2

Crypt32

Reputation: 13974

I want some pages that require passwords on my website to be secure

Just a note. As a best practice, the entire web site should be protected with SSL. Here is a blog post that explains why SSL on authentication pages is not sufficient: Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute (although it is related to ASP MVC, other platforms are affected too).

but I can't seem to figure out what is the SSLCertificateChainFile

I think it is a PKCS#7 container that contains intermediate CA certificates. With self-signed certificates, there are no other certificates, therefore (sorry, I'm not an Apache expert) this file may be:

  1. Self-signed certificate itself (only public part)
  2. Can be deleted (this file doesn't make any sense with self-signed SSL certificates)
  3. Empty (less likely, Apache may complain about wrong file format).

I would go with step 1, pass the same certificate to SSLCertificateFile and SSLCertificateChainFile parameters.

Upvotes: 12
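As an added example (not from the question or either answer), the shell script below does what the question and the accepted answer describe end to end: it generates a self-signed certificate covering example.com and *.example.com through subjectAltName, writes an Apache vhost fragment that passes the same certificate file to both SSLCertificateFile and SSLCertificateChainFile, and confirms with openssl verify that the certificate validates against itself, which is why a separate chain file adds nothing here. It assumes OpenSSL 1.1.1 or later (for -addext); the ./ssl output directory is a constructed path, and the file names server.key and server.san.crt follow the ones named in the question.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Assumes OpenSSL >= 1.1.1 (needed for -addext). Output paths are constructed.
set -eu

OUTDIR="${OUTDIR:-./ssl}"
KEY="$OUTDIR/server.key"
CRT="$OUTDIR/server.san.crt"
VHOST="$OUTDIR/example-ssl.conf"

# Generate a private key and a self-signed certificate in one step.
# subjectAltName carries both the bare domain and the wildcard, which
# is what browsers check; the CN alone is not enough for modern clients.
make_self_signed_san_cert() {
    mkdir -p "$OUTDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
        >/dev/null 2>&1
}

# A self-signed certificate is its own issuer. Verifying it with itself as
# the only trust anchor succeeds, so there is no intermediate to put in a
# chain file: the certificate itself is the entire chain.
verify_against_itself() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Return 0 if the certificate's SAN list contains the given DNS name.
# -F makes grep treat the wildcard literally instead of as a regex.
has_san() {
    openssl x509 -in "$CRT" -noout -text 2>/dev/null | grep -qF "DNS:$1"
}

# Count PEM certificates in a file. For a self-signed setup the "chain"
# file holds exactly one certificate.
cert_count() {
    grep -c "BEGIN CERTIFICATE" "$1"
}

# Write the vhost fragment the question asks about. SSLCertificateChainFile
# points at the same file as SSLCertificateFile, as the accepted answer
# suggests; mod_ssl must be enabled (a2enmod ssl) before Apache accepts it.
write_vhost() {
    cat > "$VHOST" <<EOF
<VirtualHost *:443>
  ServerName example.com
  ServerAlias *.example.com
  SSLEngine On
  SSLCertificateFile $CRT
  SSLCertificateKeyFile $KEY
  SSLCertificateChainFile $CRT
</VirtualHost>
EOF
}

make_self_signed_san_cert
verify_against_itself
write_vhost
echo "certificate in $CRT verifies against itself; vhost written to $VHOST"
```

Running it creates the key, the certificate and the vhost fragment under ./ssl; a browser will still warn because nothing it trusts signed the certificate, but the SAN entries mean the name check itself passes for both example.com and any subdomain.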
