Archive - Install a X509 SSL certificate on Apache-SSL (Ben-SSL)

You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1- Retrieve your certificate(s) on your server

Go back where the private key has been generated, for example:
cd /etc/httpd/conf
or
cd /etc/apache/conf
or
cd /etc/apache2/
In the delivery email you'll find several links. Click on them and download the associated files:
(from your certificate's status page, click on "See the certificate" or "See the last certificate")
  • A: your server certificate (.cer or .crt file)
  • B: the certification chain (.txt file)

2- Set up Apache

To install a certificate on Apache, you have to set 3 directives in the configuration file of your server:
  • SSLCertificateKeyFile: path to the private-key.key file used for the initial generation of the CSR
  • SSLCertificateFile: path to the certificate.cer file
  • SSLCertificateChainFile (or SSLCACertificateFile): path to the chain.txt file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated at any time, so after each renewal or reissuance, reinstall the latest certification chain).
Find the setup file of your Apache. It is often:
/etc/httpd/conf/httpd.conf
and edit the following instructions to make them point at your files:
# your server certificate (A)
SSLCertificateFile    /etc/httpd/conf/cert-0000000000-1234.cer
# your private key (generated previously)
SSLCertificateKeyFile /etc/httpd/conf/www.virtualhost.com.key

# suitable Ciphers configuration
# 128-bit minimum
SSLRequiredCiphers DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA
# forbidden Ciphers configuration
SSLBanCipher NULL-MD5 NULL-SHA

# if you are using a version apache_1.3.29+ssl_1.53 or higher
# add the SSLNoV2 line (advised for security)
SSLNoV2
If you have to install a certification chain file (B), add:
SSLCACertificateFile /etc/httpd/conf/chain-0000000000-1234.txt

3- Restart Apache and run a test

Once set up, restart the Apache server:
service httpd restart
or
/etc/init.d/apache restart
Check the error log for any syntax error, then check that your website's secured pages can be reached with IE 6 and Firefox.

N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out-of-order. How to make sure your certificate matches the key?
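As an added example (not part of this page), a small POSIX shell script that answers that question: it compares the public key embedded in the certificate with the one derived from the private key, and validates the certificate against the chain file, so both checks can run before the restart in step 3. It assumes the openssl command-line tool is installed; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the TBS documentation: pre-restart checks for the
# files referenced by SSLCertificateFile, SSLCertificateKeyFile and
# SSLCACertificateFile. Assumes the openssl command-line tool is installed;
# the file paths are placeholders to replace with your own.

# Exit 0 if the public key inside the certificate is the one derived from the
# private key. Comparing whole PEM public keys works for RSA and ECDSA alike.
# An encrypted private key will prompt for its passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate validates against the chain file. The chain file
# from the delivery email contains the intermediates and the root, so it is
# used as the trust anchor here; an outdated chain (e.g. kept from before a
# reissuance) makes this check fail.
chain_validates() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks, print a one-line verdict per check and exit non-zero on any
# failure so the result can gate "service httpd restart" in a deploy script.
preflight() {
    status=0
    if cert_matches_key "$1" "$2"; then echo "key:   OK   ($2 matches $1)"
    else echo "key:   FAIL ($2 does not match $1)"; status=1; fi
    if chain_validates "$1" "$3"; then echo "chain: OK   ($3 validates $1)"
    else echo "chain: FAIL ($3 does not validate $1)"; status=1; fi
    return $status
}

# Usage: sh check-ssl.sh cert-0000000000-1234.cer www.virtualhost.com.key chain-0000000000-1234.txt
[ $# -eq 3 ] && preflight "$1" "$2" "$3"
```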

Fine-tuning the encryption level

Apache and SNI (TLS Server Name Indication)

SNI lets you install several SSL certificates on a single server using a single IP address. Almost all browsers are compatible with SNI (consult the list).
  • Make sure the SSL module installed on your Apache server can handle SNI (apache/mod_ssl)
  • In the SSL configuration, forbid the use of version 2 of the SSL protocol: SSLProtocol all -SSLv2 -SSLv3
  • For each VirtualHost, indicate the private key, the certificate and the certification chain to be used:
      NameVirtualHost *:443
      
      <VirtualHost *:443>
      ServerName www.mywebsite.com
      DocumentRoot /var/www/www.mywebsite.com
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile path/certificate-xxxx.cer
      SSLCertificateKeyFile path/privatekey-xxxx.key
      SSLCertificateChainFile path/chain-xxxx.txt
      </VirtualHost>
      
      <VirtualHost *:443>
      # second site: its ServerName must differ from the first one, since SNI selects the VirtualHost by name (placeholder host name)
      ServerName www.myotherwebsite.com
      DocumentRoot /var/www/www.myotherwebsite.com
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCertificateFile path/certificate-yyyy.cer
      SSLCertificateKeyFile path/privatekey-yyyy.key
      SSLCertificateChainFile path/chain-yyyy.txt
      </VirtualHost>
      
    ...
    


Check your certificate installation with Co-Pibot:

In your Certificate center, on your certificate status page you'll see a "check your certificate" button. Click it to make sure your certificate has correctly been installed.