installing ssl cert for apache2

Moriah · Posted: Sat Oct 12, 2024 7:57 pm Post subject: installing ssl cert for apache2

I only do this infrequently, so I forget how from year to year.

I have a set of SSL certificate files from netsol:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3384

Root CA belongs in the visitor's browser's trust store, so there's nothing for you to do with this one.
Apache likes having chain in a separate file, but you can just concatenate domain's cert with intermediaries and deploy the resulting bundle as server.crt I'm not quite sure what is apache's preferred order, but bottom-up works well on my haproxy (starting with the leaf, followed by intermediary; you have 2 intermediaries, so the lower rank which signed your domain would most likely go second, and the higher rank which signed the other intermediary goes third)

You can inspect cert files as well as the old bundle by pasting it section by section into command:
openssl x509 -noout -text
_________________
Make Computing Fun Again

Moriah · Posted: Mon Oct 14, 2024 2:34 pm Post subject:

I used the technique above to view the currently installed expired cert, and also the new cert. The old cert used a 256 bit encryption, while the new cert used a 3** bit encryption. I installed the new cert and attempted to restart apache, but it would not start with the new cert. So I replaced the old cert and apache started up fine.

I am running an rather old version of apache, which is embarrassing, but I do not want to update the apache server until I move the equipment from our old location to our new location, which I hope will be within a month or so. I will have to take all the machines offline to do the move, and I plan to perform full updates, kernel included, to all of them as long as they are offline anyway.

I suspect the reason the new cert would not work is because the old version of apache I am running does not support the stronger encryption used in the new cert.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

Moriah · Posted: Tue Oct 22, 2024 2:10 pm Post subject:

I am running apache 2.2.31 and the current version is apache 2.4.62

The old cert uses 256 bit SHA for the signature, whereas the new cert uses 384 bit SHA for the signature.

Both certs use a 2048 bit key for the diffie-helman public key.

Why would the server not work with the new cert?

Do I need a new private key? I thought that the private key was submitted as part of the CSR...
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

sMueggli · Guru Joined: 03 Sep 2022 Posts: 456

Yes, you need the private key. Otherwise the webserver would not be able to decrypt incoming messages encrypted with the public key of the webserver.

And without the private key the webserver is not able to sign outgoing messages.

If you have the public and private key pair in place and it still fails then please check the logs. One reason for failing is that the private key is password protected.

szatox · Advocate Joined: 27 Aug 2013 Posts: 3384

Hash algorithm doesn't matter as long as it's supported and allowed.
Private key is not a part of CSR, that would have defeated the purpose of issuing a CSR in the first place; it is used to _sign_ a CSR, and the privkey file contains the public key as well, which is a part of CSR and the final certificate, but I think signing the CSR with it's related privkey is more of a policy thing than a technical thing. I don't think the privkey is actually used anywhere in the cert signing process, so signing a CSR only prevents you from mistakenly ordering a certificate you can't use.

This said, depending on the way you generated the new csr your key may or may not have changed. You should have saved the privkey you used to sign your CSR somewhere, as it is complementary to the final certificate.
_________________
Make Computing Fun Again