How to configure Apache to use these files for SSL?

I know this looks like an old question, but my situation is that I have different file names with respect to what I expected and to what I see in the actual Apache2 configuration, so I need a more precise answer, if possible.
I got these files from my SSL cert provider:
DigiCert_Global_Root_G2.crt
mydomain.it.crt
mydomain.it.csr
mydomain.it.key
mydomain.it.pfx
RapidSSL_TLS_RSA_CA_G1.crt
Currently my Apache is configured as:
SSLCertificateKeyFile /etc/apache2/ssl-conf/mydomain.it.key
SSLCertificateFile /etc/apache2/ssl-conf/mydomain.it.cer
SSLCertificateChainFile /etc/apache2/ssl-conf/intermediate.cer
I don't know which file to associate with each item.
Well, the key file is, obviously, the .key.
But which is the right .crt for SSLCertificateFile and which for SSLCertificateChainFile?
EDIT:
I read https://www.ssl247.it/support/install/apache and I think I must use mydomain.it.crt as SSLCertificateFile.
Last doubt is: what is intermediate.cer equivalent in my situation?

SSLCertificateKeyFile /etc/apache2/ssl-conf/mydomain.it.key
SSLCertificateFile /etc/apache2/ssl-conf/mydomain.it.crt
SSLCertificateChainFile /etc/apache2/ssl-conf/intermediate.crt
where intermediate.crt is created by concatenating the content of DigiCert_Global_Root_G2.crt and RapidSSL_TLS_RSA_CA_G1.crt.
Also, please remember that extensions do not matter; they are just for the convenience of the human user/administrator. Only the content matters.

Related

Browser not asking for client certificate when CA is set in Apache

UPDATED:
I updated my CA to match the CA that my client certificate was issued from and my browser now prompts me to choose a certificate (and the correct certificate is listed) but the error "ERR_BAD_SSL_CLIENT_AUTH_CERT" persists.
OLD MESSAGE:
I need to make a certificate authentication with Apache.
My problem is that no certificate list pops up when the CA is set in Apache. However, not setting it brings the popup and allows me to select a certificate... but of course the authentication doesn't work and brings the following error:
ERR_BAD_SSL_CLIENT_AUTH_CERT
The configuration I have is the following:
ssl.conf:
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/ca.cer
SSLCARevocationFile /etc/httpd/crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
vhost:
Include ssl.conf
SSLCertificateFile /etc/httpd/sub.domain.crt
SSLCertificateKeyFile /etc/httpd/sub.domain.key
The CA is also installed on my computer along with my client certificate, ready to be used.
There's nothing in the logs, just a line mentioning a closed SSL connection.
Been searching for a while and I can't find what could be causing this.
Alright, so first, the SSLVerifyDepth parameter wasn't properly set. I was able to find this by checking Apache's ssl_error_log file.
And second, the log file was saying that the CRL was not reachable. Even though I set what I thought was the correct CRL... I actually forgot the CRL of the CA that is above the clients' CA!
Thanks again for helping me with checking the CA, case closed!
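The first question and the client-certificate thread above come down to the same check: which certificate is which cannot be read from the file name, only from the subject and issuer inside the file, and the client-authentication answer hinges on that same chain (SSLVerifyDepth has to reach the root, and with SSLCARevocationCheck chain every CA on the way needs a reachable CRL). The script below is an added example written for this page, not code from any of the posters or from Apache; it is standard-library Python so it runs without openssl. The file names and the /etc/apache2/ssl-conf path are the ones from the first question; the file contents are constructed stand-ins (structurally valid X.509 skeletons with no real keys or signatures), and the parser reads only the issuer and subject fields.

```python
"""Sort the files a CA hands out by content (not by file extension), order the
certificates leaf -> intermediate -> root and derive the Apache settings.
Added example for this thread, not code from any post; standard library only.
The X.509 handling is a minimal DER walk that reads only the issuer and subject
Name fields; the certificates built at the bottom are constructed stand-ins."""
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """[(label, der_bytes)] for every PEM block in a file's text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def classify(data):
    """PKCS#12 (.pfx) is binary DER (SEQUENCE tag first); the rest is PEM text
    whose BEGIN label says what it is, whatever the extension claims."""
    if data[:1] == b"\x30":
        return "pkcs12"
    labels = [label for label, _ in pem_blocks(data.decode("ascii", "replace"))]
    for kind, marker in (("private-key", "PRIVATE KEY"), ("csr", "CERTIFICATE REQUEST")):
        if any(marker in label for label in labels):
            return kind
    return "certificate" if labels and all(lab == "CERTIFICATE" for lab in labels) else "unknown"

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(der):
    """(subject, issuer) as raw DER Name bytes.  Certificate = SEQ { tbs = SEQ {
    [0] version?, serial, sigAlg, issuer, validity, subject, ... }, sigAlg, sig }."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                      # explicit [0] version present
        _, _, pos = _tlv(tbs, pos)                       # serialNumber
    _, _, pos = _tlv(tbs, pos)                           # signature algorithm
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)                           # validity
    _, subject, _ = _tlv(tbs, pos)
    return subject, issuer

def order_chain(certs):
    """certs: {filename: der}.  Start at the leaf (the cert that issued nothing
    else) and follow issuer links up to the self-signed root."""
    info = {name: subject_issuer(der) for name, der in certs.items()}
    issuers = {issuer for _, issuer in info.values()}
    by_subject = {subject: name for name, (subject, _) in info.items()}
    chain = [name for name, (subject, _) in info.items() if subject not in issuers]
    if len(chain) != 1:
        raise ValueError("expected exactly one leaf certificate, found %r" % chain)
    while info[chain[-1]][0] != info[chain[-1]][1]:      # stop when subject == issuer
        nxt = by_subject.get(info[chain[-1]][1])
        if nxt is None:
            raise ValueError("issuer of %s is not among the files" % chain[-1])
        chain.append(nxt)
    return chain[0], chain[1:-1], chain[-1]              # leaf, intermediates, root

def apache_settings(leaf, intermediates, root, key, confdir):
    """mod_ssl values, plus what the client-certificate thread tripped on: the verify
    depth must span every CA up to the root, and 'chain' CRL checking needs a CRL per CA."""
    return {
        "SSLCertificateKeyFile": "%s/%s" % (confdir, key),
        "SSLCertificateFile": "%s/%s" % (confdir, leaf),
        "SSLCertificateChainFile": "%s/intermediate.crt" % confdir,
        "intermediate.crt = cat": intermediates,         # leaf's issuer first; root optional
        "SSLVerifyDepth (min)": len(intermediates) + 1,
        "CRLs needed from": intermediates + [root],
    }

# --- constructed test data: structurally valid X.509 skeletons, no real keys ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _name(cn):  # Name = SEQ { SET { SEQ { OID 2.5.4.3 (commonName), UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject_cn, issuer_cn):  # empty sigAlg/validity/SPKI, dummy signature
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(der, label="CERTIFICATE"):
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)).encode()

FILES = {                                                # same names as in the question
    "DigiCert_Global_Root_G2.crt": to_pem(fake_cert("DigiCert Global Root G2", "DigiCert Global Root G2")),
    "RapidSSL_TLS_RSA_CA_G1.crt": to_pem(fake_cert("RapidSSL TLS RSA CA G1", "DigiCert Global Root G2")),
    "mydomain.it.crt": to_pem(fake_cert("mydomain.it", "RapidSSL TLS RSA CA G1")),
    "mydomain.it.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "mydomain.it.csr": b"-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n-----END CERTIFICATE REQUEST-----\n",
    "mydomain.it.pfx": b"\x30\x82\x00\x00",              # PKCS#12 is binary DER; header only
}

def sort_files(files, confdir="/etc/apache2/ssl-conf"):
    """Classify every file, order the certificates and derive the settings."""
    kinds = {name: classify(data) for name, data in files.items()}
    certs = {n: pem_blocks(files[n].decode())[0][1] for n, k in kinds.items() if k == "certificate"}
    key = next(n for n, k in kinds.items() if k == "private-key")
    return kinds, apache_settings(*order_chain(certs), key, confdir)

if __name__ == "__main__":
    for item in sort_files(FILES):
        print(item)
```

On the constructed files this reports mydomain.it.crt as SSLCertificateFile, RapidSSL_TLS_RSA_CA_G1.crt as the content of intermediate.crt (the root may be appended as the accepted answer does, but it is optional, since a client must already hold it), a minimum SSLVerifyDepth of 2 for anything issued by that intermediate, and CRLs required from both the intermediate and the root when SSLCARevocationCheck chain is on. For real files, openssl x509 -noout -subject -issuer -in FILE prints the same two fields this parser reads, and openssl verify -CAfile ROOT -untrusted INTERMEDIATE LEAF confirms the resulting order.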

INSTALL AND CONFIGURE SSL ON APACHE 2.4.1 (freebsd)

It's been days and I still can't get to the bottom of this.
I already have certificates.
I would like to know where to place them, and what files to edit / create to run the site in https.
Thanks to everyone
On FreeBSD, look at SSLCertificateChainFile in the file /usr/local/etc/apache24/extra/httpd-ssl.conf
Uncomment the two lines:
SSLCertificateFile "/usr/local/etc/apache24/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
Put the certificate and the private key in the corresponding files.

SSL certificate not trusted in all web browsers. Intermediate not working?

My site https://uberdice.com works fine for me with no SSL related errors or warnings.
However a few of my users have informed me they are getting SSL related warnings. I believe I have installed everything correctly. Below you can see the apache2.conf file:
<VirtualHost *:443>
DocumentRoot /var/www/
ServerName uberdice.com
SSLEngine on
SSLCertificateFile /path/uberdice.com.crt
SSLCertificateKeyFile /path/uberdice.com.key
SSLCertificateChainFile /path/intermediate.crt
</VirtualHost>
All files are in the same directory. I have also tried using the SSLCACertificateFile directive.
Yet when I run a check on: https://www.sslshopper.com/ssl-checker.html#hostname=https://uberdice.com it would appear to fail to connect to a root certificate. Presumably from a faulty intermediate certificate.
I am using RapidSSL and this bundle code for the intermediate certificate https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26464.
Does anyone have any ideas what is going wrong?
Thanks.
You are sending the wrong intermediate certificates, and it only works in your browser because you either have cached the right certificates from visits to other sites using the same chain or because the browser is actively downloading the missing certificates (Chrome on desktop might, Firefox does not).
Have a look at the trust path information in the analysis from SSLLabs and you will see:
Chain issues Incomplete, Extra certs
That's the problem you need to resolve, i.e. remove the wrong chain certificate and add the right one. For more information look at the "Certification Path" information in the analysis. In short: instead of "RapidSSL CA" you need "RapidSSL SHA256 CA - G3".

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert - quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21. However, it includes many lines of code not in other examples I've found online, with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS, you need to edit ssl.conf.
"The certificate is only valid for ip-###-##-#-##"
credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with the IP address inside "".
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key and CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request

Where do I put the subject alternative names for my ssl using apache

I purchased an SSL certificate and I have some subject alternative names for it, but I'm not sure where to put them in the config file. Each site is hosted on the same server and they all correspond to one another. They are all basically the same site, just for different uses/marketing reasons.
SUBJECT ALTERNATIVE NAMES: www.example2.com, www.otherexample.com, www.helpwithSANs.com
<VirtualHost IP:port>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /path_to_cert
SSLCertificateKeyFile /path_to_key
SSLCertificateChainFile /path_to_whateverthisis
So my question is where or how do I use the SUBJECT ALTERNATIVE NAMES so the cert will work on all the sites.