Justinas Jakavonis

Reputation: 8858

SSL on Apache HTTP Server

I have 2 crt files for Apache server:

And other bundle:

I have modified

/etc/apache2/sites-available/default-ssl.conf 

I tried various combinations of the above-mentioned files, but after restarting the Apache2 service SSL does not work; the browser shows "Connection is not secure":

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt

How do I make SSL work on the Apache server?

Upvotes: 1

Views: 2058

Answers (3)

Ankit Kumar Rajpoot

Reputation: 5610

You can use the bundle file with SSLCertificateChainFile.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt

OR

If you are using a bundle, it will work without the SSLCertificateChainFile file.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt

Upvotes: 0

BlackCat

Reputation: 521

1) Install Apache HTTP Server, mod_ssl

2) Configure httpd

Remember to disable SSLv2 and SSLv3, because they are vulnerable.

  # Toggle on the SSL/TLS Protocol Engine
  SSLEngine On
  # The signed certificate of the server
  SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
  # The private key of the server
  SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
  # The intermediate_certificate of the server
  SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem

  # Accept only strong encryption
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite           HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  SSLHonorCipherOrder     on

3) Check the permissions on the certificate files.

UPD: How to create a key and certificate signing request in one step:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).

You can also create a self-signed certificate.

Upvotes: 1

pedrofb

Reputation: 39321

It is missing the key file with your certificate private key. Usually it has the .key extension like 2_my_domain_name.com.key and the file content starts with -----BEGIN PRIVATE KEY-----

Your configuration should look like this:

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt

The SSLCertificateChainFile points to an all-in-one file where you can assemble the certificates of the Certification Authorities (CAs) which form the certificate chain of the server certificate.

So ensure that 1_root_bundle.crt contains the 1_Intermediate.crt content and is in PEM format (base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers).

If you use Apache >= 2.4.8, you could also concatenate all certificates in the file pointed to by SSLCertificateFile:

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Upvotes: 2
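
The mismatch identified in the answer above (a certificate file where SSLCertificateKeyFile expects a private key) can be caught before restarting Apache. This is an added example, not code from any of the answers; the function names `pem_kind`, `lint_vhost` and `make_sample` are hypothetical, and the PEM files are constructed placeholders with no real key material.

```sh
# Added example: check that each SSL*File directive points at the right PEM block type.

# pem_kind FILE -> prints "key", "cert:N" (N certificates), "missing" or "unknown"
pem_kind() {
    [ -r "$1" ] || { echo missing; return; }
    if grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then
        echo key; return
    fi
    n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -gt 0 ]; then echo "cert:$n"; else echo unknown; fi
}

# lint_vhost CONF -> one line per mismatch; exit status 1 if any were found.
# Assumes unquoted paths and one directive per line.
lint_vhost() {
    findings=0
    while read -r directive path _ || [ -n "$directive" ]; do
        case "$directive" in
            SSLCertificateKeyFile) want=key ;;
            SSLCertificateFile|SSLCertificateChainFile) want=cert ;;
            *) continue ;;
        esac
        kind=$(pem_kind "$path")
        case "$kind" in
            "$want"|"$want":*) ;;   # content matches what the directive loads
            *) echo "$directive: expected $want, found $kind in $path"
               findings=$((findings + 1)) ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: placeholder PEM files (no real key material) named as in
# the question, with the question's config and the corrected one.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' |
        tee "$d/1_root_bundle.crt" "$d/1_Intermediate.crt" "$d/root.crt" \
            > "$d/2_my_domain_name.com.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' \
        > "$d/2_my_domain_name.com.key"
    fmt='SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n'
    printf "$fmt" "$d/1_Intermediate.crt" "$d/2_my_domain_name.com.crt" "$d/root.crt" > "$d/question.conf"
    printf "$fmt" "$d/2_my_domain_name.com.crt" "$d/2_my_domain_name.com.key" "$d/1_root_bundle.crt" > "$d/fixed.conf"
    echo "$d"
}

sample=$(make_sample)
lint_vhost "$sample/question.conf" || echo "question.conf: directive/file mismatch"
```

The check looks only at PEM block types, so it cannot tell a server certificate from an intermediate one or confirm that the key belongs to the certificate.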
