Gentoo Forums
installing ssl cert for apache2
Moriah
Advocate


Joined: 27 Mar 2004
Posts: 2378
Location: Kentucky

Posted: Sat Oct 12, 2024 7:57 pm    Post subject: installing ssl cert for apache2

I only do this infrequently, so I forget how from year to year.

I have a set of SSL certificate files from netsol:
Code:

  -rw-r--r--  1 rj users 2487 Oct 12 14:39 ELILABS.COM.crt
  -rw-r--r--  1 rj users 1516 Oct 12 14:39 SSL_BASIC_CertificateAuthorityRoot.crt
  -rw-r--r--  1 rj users 1967 Oct 12 14:39 SSL_BASIC_IntermediateCA_2.crt
  -rw-r--r--  1 rj users 2272 Oct 12 14:39 SSL_BASIC_IntermediateCA_3.crt


I have the following files on my server:
Code:

  /ssh:root@eli:/etc/apache2/ssl:
  drwxr-xr-x 2 root root   52 Jul 24  2023 .
  drwxr-xr-x 6 root root  152 Sep 26  2020 ..
  -rw-r--r-- 1 root root    0 Aug  9  2006 .keep
  -r-------- 1 root root 2414 Jul 24  2023 server.crt
  -rw------- 1 root root 1704 Jul 16  2023 server.key


Which files go where?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3371

Posted: Sat Oct 12, 2024 8:18 pm    Post subject:

Root CA belongs in the visitor's browser's trust store, so there's nothing for you to do with this one.
Apache likes having the chain in a separate file, but you can just concatenate the domain's cert with the intermediaries and deploy the resulting bundle as server.crt. I'm not quite sure what Apache's preferred order is, but bottom-up works well on my haproxy (starting with the leaf, followed by the intermediary; you have 2 intermediaries, so the lower rank which signed your domain would most likely go second, and the higher rank which signed the other intermediary goes third).

You can inspect the cert files as well as the old bundle by pasting them section by section into the command:
Code:

  openssl x509 -noout -text
_________________
Make Computing Fun Again
Moriah
Advocate


Joined: 27 Mar 2004
Posts: 2378
Location: Kentucky

Posted: Mon Oct 14, 2024 2:34 pm    Post subject:

I used the technique above to view the currently installed expired cert, and also the new cert. The old cert used a 256 bit encryption, while the new cert used a 3** bit encryption. I installed the new cert and attempted to restart apache, but it would not start with the new cert. So I replaced the old cert and apache started up fine.

I am running a rather old version of apache, which is embarrassing, but I do not want to update the apache server until I move the equipment from our old location to our new location, which I hope will be within a month or so. I will have to take all the machines offline to do the move, and I plan to perform full updates, kernel included, to all of them as long as they are offline anyway.

I suspect the reason the new cert would not work is because the old version of apache I am running does not support the stronger encryption used in the new cert.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
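
The leaf-first ordering described in the reply above, combined with a check that the new certificate belongs to the existing server.key (Apache will not start when the configured certificate and private key do not match), as an added example that is not part of the thread. The function names are this example's own, and treating ELILABS.COM.crt as the domain certificate is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are this example's own.
# With the first post's files, assuming ELILABS.COM.crt is the domain cert:
#   build_bundle server.key ELILABS.COM.crt server.crt.new SSL_BASIC_*.crt

subj() { openssl x509 -noout -subject_hash -in "$1"; }
iss()  { openssl x509 -noout -issuer_hash  -in "$1"; }

# True only if the certificate carries the public key that belongs to KEY.
key_matches() {  # key_matches KEY CERT
    [ "$(openssl pkey -pubout -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# Print LEAF, then each intermediate in signing order, by following
# issuer -> subject name hashes. The self-signed root is left out.
order_chain() {  # order_chain LEAF CA_CERT...
    cur=$1; shift
    echo "$cur"
    n=$#                                   # bound the walk: no endless loops
    while [ "$n" -gt 0 ]; do
        n=$((n - 1))
        want=$(iss "$cur")
        if [ "$want" = "$(subj "$cur")" ]; then return 0; fi   # self-signed
        next=
        for f in "$@"; do
            if [ "$(subj "$f")" = "$want" ]; then next=$f; break; fi
        done
        if [ -z "$next" ]; then return 0; fi                   # issuer not supplied
        if [ "$(iss "$next")" = "$(subj "$next")" ]; then return 0; fi  # root
        echo "$next"; cur=$next
    done
}

build_bundle() {  # build_bundle KEY LEAF OUT CA_CERT...
    key=$1; leaf=$2; out=$3; shift 3
    if ! key_matches "$key" "$leaf"; then
        echo "private key $key does not match $leaf" >&2
        return 1
    fi
    order_chain "$leaf" "$@" | while IFS= read -r f; do
        openssl x509 -in "$f"              # re-emit each cert as clean PEM
    done > "$out"
}
```

The name hashes only pair each certificate with its issuer by name; they do not verify signatures.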