SSL on Apache HTTP Server

Submitted by 半城伤御伤魂 on 2021-02-05 11:29:53

Question


I have 2 .crt files for the Apache server:

  • 1_root_bundle.crt
  • 2_my_domain_name.com.crt

And another bundle:

  • 1_Intermediate.crt
  • 2_my_domain_name.com.crt
  • root.crt

I have modified

/etc/apache2/sites-available/default-ssl.conf

And tried various combinations of the above-mentioned files, but after the Apache2 service restart SSL does not work; the browser shows "Connection is not secure":

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt

How do I make SSL work on the Apache server?


Answer 1:


It is missing the key file with your certificate's private key. Usually it has the .key extension, like 2_my_domain_name.com.key, and the file content starts with -----BEGIN PRIVATE KEY-----

Your configuration should look like this:

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt

The SSLCertificateChainFile points to an all-in-one file where you can assemble the certificates of the Certification Authorities (CA) which form the certificate chain of the server certificate.

So ensure that 1_root_bundle.crt contains the 1_Intermediate.crt content and is in PEM format (base64 with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers).

If you use Apache >= 2.4.8 you could also concatenate all certificates in the file pointed to by SSLCertificateFile.

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.




Answer 2:


1) Install Apache HTTP Server, mod_ssl

2) Configure httpd

Remember to disable SSLv2 and SSLv3, because they are vulnerable.

  # Toggle on the SSL/TLS Protocol Engine
  SSLEngine On
  # The signed certificate of the server
  SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
  # The private key of the server
  SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
  # The intermediate certificate(s) of the server
  SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem

  # Accept only strong encryption
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite          HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  SSLHonorCipherOrder     on

3) Check the permissions on the certificate files.

UPD: How to create a key and certificate signing request in one step:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Next you have to send this CSR file to one of the certificate authorities. They will send back your signed certificate and the intermediate certificate(s).

You can also create a self-signed certificate.




Answer 3:


You can use the bundle file with SSLCertificateChainFile.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt

OR

If you are using a bundle, it will work without the SSLCertificateChainFile directive.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
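The three answers above all come down to the same two checks: the file given to SSLCertificateKeyFile must be the private key that belongs to the server certificate (the question's config points it at a second .crt), and the server certificate must chain through the intermediate(s) to a trusted root in the order Apache expects. The following shell functions, an added example that is not part of any answer on this page and that assumes only the openssl CLI is installed, run those checks against your files before you touch default-ssl.conf, and build the single combined file that Apache >= 2.4.8 accepts in SSLCertificateFile.

```shell
#!/bin/sh
# check_chain.sh: sanity-check certificate files before pointing Apache at them.
# Added example (not from the original answers); assumes the openssl CLI is installed.
# Usage: . ./check_chain.sh, then call the functions with your own file paths.

# SHA-256 fingerprint of the public key held in a certificate or in a private key.
pubkey_fp() {            # $1 = cert|key, $2 = PEM file
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 if the private key belongs to the (first) certificate in the file.
# This is the check the question's config fails: SSLCertificateKeyFile must be
# the .key file, not a second .crt.
key_matches_cert() {     # $1 = certificate file, $2 = private key file
  [ "$(pubkey_fp cert "$1")" = "$(pubkey_fp key "$2")" ]
}

# Returns 0 if the server certificate chains up to the root through the
# intermediates, i.e. the files for SSLCertificateFile / SSLCertificateChainFile.
chain_verifies() {       # $1 = server cert, $2 = intermediate bundle, $3 = root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print subject/issuer of every certificate in a bundle, in file order, so the
# chain is visible: each issuer should be the subject of the next entry.
show_chain() {           # $1 = PEM bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Build the single file Apache >= 2.4.8 accepts in SSLCertificateFile:
# server certificate first, then intermediates; never the private key, never the root.
build_combined() {       # $1 = server cert, $2 = intermediate bundle, $3 = output
  cat "$1" "$2" > "$3"
}
```

For the question's file names that means `key_matches_cert 2_my_domain_name.com.crt 2_my_domain_name.com.key` and `chain_verifies 2_my_domain_name.com.crt 1_Intermediate.crt root.crt`.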


Source: https://stackoverflow.com/questions/37939806/ssl-on-apache-http-server
