Archive - Install an X509 SSL certificate on Apache-SSL (Ben-SSL)
You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.
1- Retrieve your certificate(s) onto your server
Go back to the directory where the private key was generated, for example:
cd /etc/httpd/conf or cd /etc/apache/conf or cd /etc/apache2/
In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
- A: your server certificate (.cer or .crt file)
- B: the certification chain (.txt file)
2- Set up Apache
To install a certificate on Apache, you have to define 3 directives in the configuration file of your server:
- SSLCertificateKeyFile: path to the private-key.key file used for the initial generation of the CSR
- SSLCertificateFile: path to the certificate.cer file
- SSLCertificateChainFile (or SSLCACertificateFile): path to the chain.txt file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated at any time, so after each renewal or reissuance, reinstall the latest certification chain).
Find the configuration file of your Apache. It is often:
/etc/httpd/conf/httpd.conf
and edit the following directives so that they point at your files:
# your server certificate (A)
SSLCertificateFile /etc/httpd/conf/cert-0000000000-1234.cer
# your private key (generated previously)
SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key
# suitable ciphers configuration
# 128-bit minimum
SSLRequiredCiphers DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA
# forbidden ciphers configuration
SSLBanCipher NULL-MD5 NULL-SHA
# if you are using version apache_1.3.29+ssl_1.53 or higher,
# add the SSLNoV2 line (advised for security)
SSLNoV2
If you have to install a certification chain file (B), add:
SSLCACertificateFile /etc/httpd/conf/chain-0000000000-1234.txt
3- Restart Apache and run a test
Once set up, restart the Apache server:
service httpd restart or /etc/init.d/apache restart
Check the log (for any syntax error) and verify access to your website's secured pages with IE 6 and Firefox.
N.B.: if the certificate does not match the private key, Apache will not be able to restart and the HTTP service will then be out of service. How to make sure your certificate matches the key?
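As an added example (not part of the original article), the following POSIX shell script performs the checks from this step with the openssl command line before you restart Apache: it compares the public key inside the certificate with the one derived from the private key, and checks that the certificate is issued by something in the chain file. The three file names are the ones from step 2 and are assumed; the script needs the openssl binary.

```shell
#!/bin/sh
# Pre-restart check for the files referenced by SSLCertificateFile,
# SSLCertificateKeyFile and SSLCACertificateFile / SSLCertificateChainFile.
# Added example, not the article's own code; requires the openssl CLI.

# Returns 0 when the public key embedded in the certificate equals the
# public key derived from the private key, 1 when they differ and 2 when
# one of the files cannot be parsed (wrong format or wrong path).
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate ($1) is signed by a certificate found in
# the chain file ($2). This only proves the chain file belongs to this
# certificate; browser trust of the chain's root is a separate question.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs both checks; the non-zero exit status on failure lets a deployment
# script skip "service httpd restart" instead of taking the site down.
check_ssl_files() {
  cert=$1; key=$2; chain=$3
  if cert_key_match "$cert" "$key"; then
    echo "OK: $cert matches $key"
  else
    echo "FAIL: $cert does not match $key (Apache would refuse to start)" >&2
    return 1
  fi
  if chain_verifies "$cert" "$chain"; then
    echo "OK: $cert verifies against $chain"
  else
    echo "FAIL: $cert does not chain to $chain (reinstall the latest chain)" >&2
    return 1
  fi
}

# Usage: sh check_ssl_files.sh cert-0000000000-1234.cer www.virtualhost.com.key chain-0000000000-1234.txt
if [ $# -eq 3 ]; then
  check_ssl_files "$1" "$2" "$3" && echo "safe to restart Apache"
fi
```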
Fine-tuning the encryption level
Apache and SNI (TLS Server Name Indication)
SNI makes it possible to install several SSL certificates on a single server using a single IP address. Almost all browsers support SNI (consult the list).
- Make sure the SSL module installed on your Apache server can handle SNI (apache/mod_ssl)
- In the SSL configuration, forbid the obsolete SSL protocol versions (the directive below disables both SSLv2 and SSLv3):
SSLProtocol all -SSLv2 -SSLv3
- For each VirtualHost, indicate the private key, the certificate and the certification chain to be used (each VirtualHost must carry its own ServerName, since SNI selects the certificate by host name; the second host name below is a placeholder):
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.mywebsite.com
DocumentRoot /var/www/www.mywebsite.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile path/certificate-xxxx.cer
SSLCertificateKeyFile path/privatekey-xxxx.key
SSLCertificateChainFile path/chain-xxxx.txt
</VirtualHost>
<VirtualHost *:443>
ServerName www.mywebsite2.com
DocumentRoot /var/www/mywebsite2.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile path/certificate-yyyy.cer
SSLCertificateKeyFile path/privatekey-yyyy.key
SSLCertificateChainFile path/chain-yyyy.txt
</VirtualHost>
...
External links about SNI
- Is it possible to install several SSL certificates on the same machine? TLS SNI?
- Is it possible to use virtual hosting based on host name to differentiate several virtual hosts? http://httpd.apache.org/docs/current/ssl/ssl_faq.html#vhosts2
- Apache + SNI: having several SSL certificates on a single IP address
Notice: "IBM HTTP Server" (IHS) servers do not handle SNI.
Workaround: order a UCC (multi-SAN) certificate or a wildcard one.
External links
- Apache-SSL (ben-SSL): http://www.apache-ssl.org/
Similar Documentation:
- Install a certificate for Apache release 1 OVH (base RH 7.2)
- Apache under OS X
- ApacheSSL for NEXEN
- Install a certificate for Apache release 2 OVH (base gentoo)
- How to make sure your certificate matches the key?
Useful links
- All you need to know about 128-bit
- Generate a CSR for Apache
- How to make sure your certificate matches the private key?
- Convert a PKCS#12 (PFX) into a PEM (Microsoft, Firewall, ... to Apache)
- Create a PKCS#12 (or PFX) from OpenSSL files (PEM: .cer, .p7b, .key)
- Move or copy an Apache certificate to a Tomcat
- Move or copy a Tomcat certificate to an Apache
- Move or copy an IIS certificate (5/6 and 7) to Apache
- Move or copy an Apache certificate to Microsoft IIS (5/6 and 7) / ISA
Check your certificate installation with Co-Pibot:
In your Certificate center, on your certificate status page you'll see a "check your certificate" button. Click it to make sure your certificate has been correctly installed.
Last edited on 11/02/2018 11:05:26