I've recently purchased a wildcard SSL certificate for my domain, generated the CSR, and everything has been sent through OK.
My question is quite straightforward, but following this - http://www.globalsign.com/support/install/install_apache.php, I can't make any sense of what to match to what.
Basically - I have 5 files:
- gs_intermediate_ca.crt
- gs_root.pem
- mydomain.com.crt
- intermediate.pem
- *.mydomain.com.key
The Values:
SSLCACertificateFile = ?
SSLCertificateChainFile = ?
SSLCertificateFile = mydomain.com.crt
SSLCertificateKeyFile = ?
I'm new to this, any help would be greatly appreciated! Thanks
Edit >>
Using the Answers below! Cheers,
I'm now receiving the following errors:
[error] Init: Unable to read server certificate from file /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
My vHost now looks like so:
SSLCertificateFile /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt
SSLCertificateKeyFile /etc/apache2/domain.ssl/domain.ssl.key/domain.com.key
SSLCertificateChainFile /etc/apache2/domain.ssl/ca.crt
SSLCACertificateFile /etc/apache2/domain.ssl/gs_intermediate_ca.crt
Any idea where these errors can be coming from - is there a check I can run on the .crt file?
Kind regards
Answer
That doc is definitely confusing. My guess:
SSLCACertificateFile = /path/to/gs_intermediate_ca.crt
SSLCertificateChainFile = /path/to/chain_file
SSLCertificateFile = /path/to/mydomain.com.crt
SSLCertificateKeyFile = /path/to/mydomain.com.wildcard.key
You should put all files outside the DocumentRoot and protect them with ownership/permissions. (I usually store certs in /etc/apache2/ssl and set ownership to root:root, permissions to 400.)
EDIT: You should download a combined chain ("bundle") file here:
http://www.globalsign.com/support/intermediate-root-install.php
Scroll to GlobalSign Root Bundle Certificates.
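The question asks for a check to run on the .crt file. The following is an added example, not part of the original question or answer: a shell helper that reports what each file actually contains, parses the certificate, and confirms it belongs to the private key. It assumes PEM files and an installed `openssl` CLI; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are whatever you pass in.

# pem_kinds FILE: print the label of every PEM block in FILE, one per line
# (CERTIFICATE, CERTIFICATE REQUEST, RSA PRIVATE KEY, ...). Tolerates CRLF.
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# looks_like_cert FILE: succeed only if the first PEM block is a certificate.
looks_like_cert() {
    [ "$(pem_kinds "$1" | head -n 1)" = "CERTIFICATE" ]
}

# check_pair CERT KEY [BUNDLE]: confirm CERT parses, belongs to KEY, and
# (optionally) chains to the CA certificates in BUNDLE.
check_pair() {
    cert=$1 key=$2 bundle=${3:-}
    if ! looks_like_cert "$cert"; then
        kind=$(pem_kinds "$cert" | head -n 1)
        echo "$cert: first PEM block is '${kind:-none}', expected CERTIFICATE"
        return 1
    fi
    # Fails with an OpenSSL parse error if the certificate body is damaged.
    openssl x509 -in "$cert" -noout -subject -issuer -dates || return 1
    # Compare public keys rather than printing any private material.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert"
        return 1
    fi
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$bundle" "$cert" || return 1
    fi
    echo "OK: $cert parses and matches $key"
}
```

Quote the key path when calling `check_pair` if the file name contains `*`, so the shell does not expand it.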