EDIT: It may have been preferable to ask this on Server Fault, but my reputation wouldn't let me post more than 2 links. :(
I want some pages that require passwords on my website to be secure, so I followed this to create a custom SSL certificate. I also followed this, because it explains how to generate self-signed multidomain certificates (the subjectAltName allows me to get a valid certificate for example.com and *.example.com; I didn't find another way to do this).
So I had to mix the commands to get what I wanted, and I think everything is ok with what I did (though I'll detail it later just in case).
Now I have to configure Apache to listen to queries on port 443 and provide SSL security on the according pages. So I found this.
When defining the VirtualHost listening on port 443, it says this:

    <VirtualHost 127.0.0.1:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/something.crt
        SSLCertificateKeyFile /etc/apache2/ssl/something.key
        SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
        ...
    </VirtualHost>
I think I know which files I need to specify for the SSLCertificateFile and SSLCertificateKeyFile fields, but I can't seem to figure out what the SSLCertificateChainFile is. Everything I found by searching Google and the Stack Exchange communities didn't help me so far, so I am asking it clearly here:
What file should I provide for SSLCertificateChainFile, and how do I create it if needed?
Here are the files that I created by following the instructions of the different links, with the commands I used to create them.

    openssl genrsa -des3 -out ca.key 1024
    openssl req -new -key ca.key -out ca.san.csr -config /etc/ssl/openssl.cnf

(the /etc/ssl/openssl.cnf used here contains the subjectAltName). I could also check that everything went well with openssl req -text -noout -in ca.san.csr. Everything is described here.

    openssl x509 -req -days 3650 -in ca.san.csr -signkey ca.key -out ca.san.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf

The subjectAltNames are defined in it.

    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.san.csr -config /etc/ssl/openssl.cnf
    openssl x509 -days 3650 -CA ca.san.crt -CAkey ca.key -set_serial 01 -in server.san.csr -req -out server.san.crt
For the SSLCertificateFile, I thought I'd provide the server.san.crt file; this seems to be the most logical thing to me, as well as the server.key file for SSLCertificateKeyFile. SSLCertificateChainFile seems to ask for a .crt file, so it may be the only other .crt file that I have, ca.san.crt, but I'm really not sure about this.
Does anybody have a hint?
Thank you for your time reading this.
Solution
For this particular case, since I am using a custom certificate, SSLCertificateChainFile doesn't make much sense (see the marked answer below). Thus, you just have to specify the same certificate file for both directives, SSLCertificateFile and SSLCertificateChainFile.
There's just one thing you need to do with Apache before you can use SSL* directives. SSL is disabled by default on Apache, so you need to enable it with sudo a2enmod ssl, or when restarting Apache you will get an error saying you may have misspelt something in your vHosts files.
Once you have done this and restarted the server you may connect on your vHosts with HTTPS. Your browser will tell you that the certificate is not valid because it is self-signed, but your connection will be secure.
> I want some pages that require passwords on my website to be secure

Just a note. As a best practice, the entire web site should be protected with SSL. Here is a blog post that explains why SSL on authentication pages is not sufficient: Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute (although it is related to ASP MVC, other platforms are affected too).

> but I can't seem to figure out what is the SSLCertificateChainFile

I think it is a PKCS#7 container that contains intermediate CA certificates. With self-signed certificates, there are no other certificates, therefore (sorry, I'm not an Apache expert) this file may be:
I would go with step 1, pass the same certificate to the SSLCertificateFile and SSLCertificateChainFile parameters.