Multiple SSL Cert Bundles? - apache

My company is wanting to utilize two different types of SSL certificates for our website: one that is using RSA, and one that is ECDSA. The reason is because external services that utilize our site are using code that is very old, so we need to have both for compatibility.
EDIT: We're using Apache 2.4, and both certificates are from the same authority. As such, the Root CAs below are the same, but the intermediates are different because of the RSA/ECDSA difference.
Our Apache config would be as follows:
### RSA cert
SSLCertificateFile /etc/ssl/certs/website_com_rsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_rsa.key
### ECDSA cert for compatibility
SSLCertificateFile /etc/ssl/certs/website_com_ecdsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_ecdsa.key
### RSA/ECDSA cert bundle
SSLCertificateChainFile /etc/ssl/certs/website_com.ca-bundle
The part I'm not sure about is the CA bundle. My questions are:
Can I use two different SSLCertificateChainFile directives, one for each type (RSA and ECDSA)?
If I can't, then how do I combine CA bundles from two different certificate bundles into one file? Say I had two CA bundle files ordered like so:
RSA Bundle
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
ECDSA Bundle
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
In what order should they be combined?

From the Apache 2.4 docs for SSLCertificateChainFile, it looks like you would provide the separate chains in the files configured with SSLCertificateFile, i.e. combining the server certificate with its corresponding certificate chain, in the same file.
For example, your /etc/ssl/certs/website_com_rsa.crt might contain multiple certificates, from the server cert up through the root:
-----BEGIN CERTIFICATE-----
...
<website-com-rsa>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
And similarly for your /etc/ssl/certs/website_com_ecdsa.crt file. This would mean not using SSLCertificateChainFile.
Hope this helps!

Related

How is an SSL certificate chain bundle arranged?

I have 4 certificate files like this:
1.certum_certificate.crt
2.certum_certificate.pem
3.Intermediate_CA2.cer
4.Intermediate_CA.cer
5.Root_CA.cer
I put these files' contents in this order in a bundle file and I figured out that my SSL chain is incomplete.
How should I arrange them in the bundle file?
Just concatenate the three parts into a single file like this (fullchain.pem):
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgISA/UUyBjJ71fucZuvpiLsdfsfsdfsdfd
...
hoFWWJt3/SeBKn+ci03RRvZsdfdsfsdfw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinsdfsfsdfsdfdsfsdfsd
....
nLRbwHqsdqD7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBsdfSDFSDFVSDVzfsdffvqdsfgsT664ScbvsfGDGSDV
...
Dfvp7OOGAN6dEOM4+SDFSDZET+DFGDFQSD45Bddfghqsqf6Bsff
-----END CERTIFICATE-----
The order must be backwards. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it:
Original issuer —> Intermediate issuer 1 —> Final Root issuer, which is a root certificate authority and can be trusted.
It's possible to have several intermediates: ...—> Intermediate issuer 1 —> Intermediate issuer 2 —>...

Splitting out pem key into CA, Cert and Key

I have been supplied with a signed certificate in .pem format and wanted to know if there was a way to split it into 3 separate files for CA, Cert and Key? I need to ingest this into Vault using IAC and a series of scripts and the method/code we are using requires 3 separate files. Any help would be greatly appreciated.
The format of the key is as follows. I can establish that the first block is the private key, but I'm not sure how to establish what the other blocks are. Is there a way using OpenSSL that I can determine this?
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Thanks.

apache 2 ssl configuration

I received the following three sections from RapidSSL
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
BLABLABLA 1
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
BLABLABLA 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BLABLABLA 3
-----END CERTIFICATE-----
How can I create the 3 files to configure Apache like:
SSLCertificateFile /etc/httpd/conf/ssl.crt/your_leaf_certificate.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your_domain_name.key
SSLCACertificatePath /etc/httpd/conf/ssl.chain/your_intermediate_chain.crt
I'm expecting to find this
-----BEGIN RSA PRIVATE KEY-----
but can't find it :(
The problem that you have is that you will have to download the certificate bundle from CertCentral. You will have to log in to digicert.com and get your certificates. Click Certificates > Click Orders > select order > download cert.
After you download the certificate, you can use this tool called Utility Tool For Windows Tool
After that, you can import your cert into that tool, and you will be able to export it to get a pem file with your key as an individual file.
If you purchased this certificate through a third-party vendor, I would recommend that you get a new CSR and send it to them to make sure they can reissue your certificate.

Apache SSL "Unable get local issuer certificate" on Debian

I'm using RapidSSL with apache2 (2.2.22-13+deb7u6). I got three files from rapidssl - public.crt, private.key and rapid_intermediate.crt.
My public.crt looks like
-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIDBthaMA0GCSqSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA5MTAwMDU0NTJaFw0xNjA5MTExNTM1NTNaMIGTMRMw
EQYDVQQLEwpHVDM5ODg2NjMwMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZLm1lbG9tYXAuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvDo9jDb+k/dHqp7FW7dW
V9+W6a1Ut3OKC3wCulac+WG2roxZukuA42LQ4fAY/BDtBkk2UQ5IyFpFzmCiXjBu
...
-----END CERTIFICATE-----
My private.key looks like
-----BEGIN RSA PRIVATE KEY-----
MdddddIBAAKCAQEAvDo9jDb+k/dHqp7FW7dddddddddPvuSy2aEJcHbt2kb6UI
ddddddd7dWVQ84DlVPvuSy2aEJcHbt2kb6UIdddddddddAKCAQEAvDMIIEowIB
...
-----END RSA PRIVATE KEY-----
My RapidSSL intermediate looks like
-----BEGIN CERTIFICATE-----
MIIEZZZZZZZgAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYSSSSSSS1HZW9UcnVzdCBJbmMuMRswGQYDVQQSSSSSZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
...
-----END CERTIFICATE-----
In my apache config,
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/crt/public.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/private.key
SSLCertificateChainFile /etc/apache2/ssl/crt/rapid_intermediate.crt
However, I'm still getting the following errors.
unable to get local issuer certificate
certificate not trusted
unable to verify the first certificate
Please let me know what I did wrong.
Thank you.
Check the chain order; sometimes the chain is unsorted or needs an additional certificate in the chain. If your server is public you can use sslchecker.com to check.

SSL Intermediate SHA2

I've installed an SSL certificate on my website, but the intermediate.crt isn't working.
Any SSL checker (e.g. GeoTrust Checker) tells me that an intermediate key is missing.
On the website an SSL certificate was already in use; only the switch from SHA1 to SHA2 is new.
I use this structure:
-----BEGIN CERTIFICATE-----
(Secondary Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Primary Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
Does anyone have an idea how to solve this problem?
I solved it.
It was the wrong reference to the intermediate.