SSL on Apache HTTP Server

Tag: front-end · unresolved · 3 answers · 1147 views
Asked by 眼角桃花, 2021-01-29 00:35

I have 2 crt files for Apache server:

  • 1_root_bundle.crt
  • 2_my_domain_name.com.crt

And other bundle:

  • 1_Intermediate.crt
  • <
3 answers
  • 2021-01-29 00:48

    It is missing the key file with your certificate private key. Usually it has the .key extension like 2_my_domain_name.com.key and the file content starts with -----BEGIN PRIVATE KEY-----

    Your configuration should look like this

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/2_my_domain_name.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.key
    SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
    

    The SSLCertificateChainFile points to an all-in-one file where you can assemble the certificates of the Certification Authorities (CA) which form the certificate chain of the server certificate.

    So ensure that 1_root_bundle.crt contains the 1_Intermediate.crt content and is in PEM format (base64 between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).

    If you use Apache >= 2.4.8 you could also concatenate all certificates into the file pointed to by SSLCertificateFile.

    SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

  • 2021-01-29 00:52

    You can use the bundle file with SSLCertificateChainFile.

    SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
    SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
    SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
    SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
    

    OR

    If you are using a bundle, it will work without the SSLCertificateChainFile.

    SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
    SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
    SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
    
  • 2021-01-29 01:08

    1) Install Apache HTTP Server, mod_ssl

    2) Configure httpd

    Remember to disable SSLv2 and SSLv3, because they are vulnerable.

      # Toggle on the SSL/TLS Protocol Engine
      SSLEngine On
      # The signed certificate of the server
      SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
      # The private key of the server
      SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
      # The intermediate_certificate of the server
      SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem
    
      # Accept only strong encryption
      SSLProtocol             all -SSLv2 -SSLv3
      SSLCipherSuite           HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
      SSLHonorCipherOrder     on
    

    3) Check the permissions on the certificate files.

    UPD: How to create a key and certificate signing request in one step:

    openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
    

    Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).

    You can also create a self-signed certificate.

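The three answers above agree on the mechanics (leaf in SSLCertificateFile, private key in SSLCertificateKeyFile, intermediates either in SSLCertificateChainFile or appended to the leaf file on Apache 2.4.8+) but none shows how to confirm the files are right before restarting Apache. The script below is an added example, not code from the thread or from the Apache project. It builds a throwaway root -> intermediate -> leaf PKI with openssl purely so the checks have something to run against (in practice the CA does the first two steps; the admin only runs the key + CSR step from the last answer), then checks that the private key matches the certificate, that the chain verifies with the intermediate and fails without it, assembles both the pre-2.4.8 and the 2.4.8+ file layouts, and prints the matching vhost stanza. The host name example.test, the file names, the $WORK directory and the req.cnf fragment are assumptions. One caveat on the second answer: SSLCACertificateFile is the CA list Apache uses to verify client certificates; it does not make Apache send intermediates to browsers.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway test PKI with
# openssl and runs the checks worth doing before pointing Apache at the files.
# example.test, the file names and $WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_test_pki() {
  # Constructed root CA (self-signed) and intermediate CA, standing in for the
  # CA-supplied 1_root_bundle.crt / 1_Intermediate.crt.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Test Intermediate CA" -keyout "$WORK/intermediate.key" \
    -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
  # Server key + CSR: the one step the admin actually runs (as in the last answer).
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=example.test" -keyout "$WORK/example.test.key" \
    -out "$WORK/example.test.csr" 2>/dev/null
  # The CA signs the CSR with its intermediate and returns the leaf certificate.
  printf 'subjectAltName=DNS:example.test\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/example.test.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/example.test.crt" 2>/dev/null
}

# Does the private key belong to the certificate? Compare the public keys
# (works for RSA and EC alike, unlike comparing RSA moduli). Fails closed if
# either file cannot be parsed.
key_matches_cert() {   # $1 certificate, $2 private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Verify the chain the way a browser would: the leaf, with the intermediates as
# untrusted links, against the root as the only trust anchor.
chain_verifies() {   # $1 leaf, $2 intermediate bundle ("" = none), $3 root
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

# Number of PEM certificates in a bundle; a chain file holding 0 is the usual
# cause of "unknown issuer" errors on clients.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Build the files Apache expects. Order matters: server certificate first, then
# intermediates; the root is not needed (clients already trust it).
assemble() {
  cp "$WORK/intermediate.crt" "$WORK/1_intermediate_bundle.crt"                   # SSLCertificateChainFile (< 2.4.8)
  cat "$WORK/example.test.crt" "$WORK/intermediate.crt" > "$WORK/fullchain.crt"    # SSLCertificateFile (>= 2.4.8)
}

# Print the matching vhost stanza; "old" gives the pre-2.4.8 three-file form.
# SSLCACertificateFile is deliberately absent: it is for client-cert verification.
apache_snippet() {
  if [ "${1:-new}" = old ]; then
    printf 'SSLEngine on\nSSLCertificateFile      %s\nSSLCertificateKeyFile   %s\nSSLCertificateChainFile %s\n' \
      "$WORK/example.test.crt" "$WORK/example.test.key" "$WORK/1_intermediate_bundle.crt"
  else
    printf 'SSLEngine on\nSSLCertificateFile      %s\nSSLCertificateKeyFile   %s\n' \
      "$WORK/fullchain.crt" "$WORK/example.test.key"
  fi
}

make_test_pki
assemble
key_matches_cert "$WORK/example.test.crt" "$WORK/example.test.key" || { echo "key/cert mismatch"; exit 1; }
chain_verifies "$WORK/example.test.crt" "$WORK/1_intermediate_bundle.crt" "$WORK/root.crt" \
  || { echo "chain does not verify"; exit 1; }
if chain_verifies "$WORK/example.test.crt" "" "$WORK/root.crt"; then
  echo "unexpected: leaf verified without the intermediate"; exit 1
fi
echo "fullchain.crt contains $(cert_count "$WORK/fullchain.crt") certificates"
apache_snippet
```

The negative check (verifying the leaf against the root with no intermediate supplied) is the failure mode the thread is really about: Apache starts fine with a missing or wrong chain file, and only clients that do not already cache the intermediate notice. After deploying, repeat the same verification against the live server with `openssl s_client -connect host:443 -servername host -showcerts` and confirm the intermediate appears in the presented chain.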