-1

I have questions about SSL certificates. Right now I'm trying to implement one by using VeriSign. If I'm not mistaken, we need to implement it in the web browser and the web server respectively. But I'm not so sure about that.

Can anyone clarify for me what steps I need to take and how I can do that on my Apache web server? Any help would be greatly appreciated. Thanks.

newbie.my

2 Answers

2

Normally, if it's a real certificate, you needn't include it in your web browser since the root certificate should be present there.

Keep your private key secret!

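First you will need to generate a Certificate Signing Request (CSR). First of all generate a key (Verisign demands a passwordless CSR):

openssl genrsa -aes256 -out server.key 2048            # generate the private key (prompts for a passphrase)
openssl rsa -in server.key -out server.key.insecure    # write a passphrase-free copy of that key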

Then generate the CSR:

openssl req -new -key server.key -out server.csr

Now hand it over to Verisign.

Put Verisign's root certificate in /etc/ssl/certs.

Download the intermediate certificate here and put it in the same folder as the root certificate.

Now add a vhost for your https, your IP is 1.2.3.4 and your site is located in /var/www:

<VirtualHost 1.2.3.4:443>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin youremail@example.com
        DocumentRoot /var/www/ 

        SSLEngine on
        SSLOptions +StrictRequire
        # The certificate issued for your CSR (server.crt is an example name), not the root certificate
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        SSLCertificateChainFile /etc/ssl/certs/intermediatecert.crt

        <Location />
                Options +Includes
        </Location>
</VirtualHost>

Enable SSL with a2enmod ssl, restart apache2 and you should be all set.

Refer to documentation at:

Lucas Kauffman
  • 1
    Lucas, I think most of this is excellent advice, but I do have an issue with "first of all the certificate you get from Verisign is your private key, do not give it to ANYONE or make it available anywhere". The second part's true, the private key should indeed be kept secret, but the first part isn't; the certificate you get from verisign isn't your private key, it's your certificate, and your web server should be making it available to anyone and everyone who asks. I suspect you know this perfectly well, and it's just an issue of clarity of expression, but I thought I'd mention it. – MadHatter Mar 28 '12 at 10:03
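Before restarting Apache with the files from the steps above, it helps to confirm that the private key, the CSR and the certificate the CA returned all carry the same public key; the same check catches SSLCertificateFile being pointed at a CA certificate instead of the site certificate. The script below is an added example, not part of either answer; the function names and the `server.crt` file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): confirm that the private key,
# the CSR and the issued certificate all carry the same public key.

# Print the SHA-256 digest of the public key inside a PEM file.
# $1 = key | csr | cert, $2 = file. An encrypted key fails instead of prompting.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    # Normalise to DER so formatting differences cannot affect the digest.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only if key ($1), CSR ($2) and certificate ($3) match.
check_key_csr_cert() {
    k=$(pubkey_digest key "$1")  || { echo "unreadable key: $1" >&2; return 2; }
    r=$(pubkey_digest csr "$2")  || { echo "unreadable CSR: $2" >&2; return 2; }
    c=$(pubkey_digest cert "$3") || { echo "unreadable certificate: $3" >&2; return 2; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not belong to this key" >&2; return 1; }
    echo "key, CSR and certificate match: $k"
}

# Build throwaway files (constructed sample data) and exercise both outcomes.
# A self-signed certificate stands in for the one a CA would issue.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=example.com" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
        -out "$d/server.crt" 2>/dev/null
    ok=0;  check_key_csr_cert "$d/server.key" "$d/server.csr" "$d/server.crt" || ok=$?
    bad=0; check_key_csr_cert "$d/other.key" "$d/server.csr" "$d/server.crt" 2>/dev/null || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Usage: sh check.sh server.key server.csr server.crt   (or: sh check.sh demo)
if [ "$#" -eq 3 ]; then check_key_csr_cert "$@"
elif [ "${1:-}" = "demo" ]; then demo; fi
```

Run it against the passphrase-free key; an exit status of 1 means a mismatch and 2 means a file could not be parsed.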
1

Well, Verisign has installation instructions for Apache2 here:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193

You need to install it on the web server. The CA certificates used to validate web server certificates are already installed on the web browser when they ship from the publisher, at least with the main Certificate Authorities, like Verisign.

The case where you would need to install something on the browser is if you created your own Certificate Authority to sign the web server's certificates. In that case, obviously the browser publisher won't know about your CA's signing certificate.

cjc