
I'm an intermediate Linux user and got assigned the task of making Apache run HTTPS connections. Currently running CentOS 6, and my problem is the following:

I installed mod_ssl and tried to set up the paths correctly, but I'm not sure if I used the right files. I have class2-root.crt and root-2-int.cer; also I was given a wildcard.ssl.pfx. I have realized that there is a variable that has to point to a ".key" file, which I don't have. So I generated that using:

openssl req -new -keyout server.key -out server.csr

There are plenty of sources online showing how to do this, and I tried many times, but no luck. I just need someone to help with my specific case and tell me which files I need to touch and configure. Also, does the key have to be from the same source as the certs I have? And which certs do I need from what I was given?

What I did exactly is this in httpd.conf:

<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName MyServer_Ip_Adress
SSLEngine on
SSLCertificateFile /etc/ssl/crt/class-root.crt
SSLCertificateKeyFile /etc/ssl/crt/server.key
SSLCertificateChainFile /etc/ssl/crt/root-2int.cer
</VirtualHost>

After this I couldn't stop Apache or restart it. Stopping always fails.

Zee
  • Kill the process if you can't stop it. Then try starting it. Pay close attention to the error messages. Also see the Apache error log. Update your question with the errors. – Zoredache Apr 30 '13 at 18:59
  • The problem is after I installed mod_ssl and modified the config files. The only error I have is that I don't have a server domain name; I only have an IP address for the time being. – Zee Apr 30 '13 at 19:01
  • Here is the problem, but it's not my main concern; I just need to know if I'm doing it right... Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, – Zee Apr 30 '13 at 19:02

1 Answer


You can't just generate a random key for your certificate; you have to use the one that it was generated with. There is a public key in the certificate (usually RSA) which the client will use in the key exchange process; to complete the key exchange you will need the private key, which (among other things) verifies that the certificate is yours. Otherwise you could just use any certificate you find on the internet and impersonate people.

If you supply invalid certificate information, Apache will fail.

The certificate chain you were given probably contains three certificates: one for the root CA (class-root.crt I suspect), an intermediate CA which is signed by that root CA (root-2int.cer), and your server certificate which is signed by the intermediate CA. Nearly all SSL certificates are arranged like this. The root certificate will be trusted by clients; your server has to provide its own certificate and the other certificates which link it in a chain to the root (e.g. the root and intermediate certificates).

The chain file is what does this. To create a chain file, you should concatenate the intermediate and CA certificates into one file, e.g.

cat /etc/ssl/crt/root-2int.cer /etc/ssl/crt/class-root.crt > /etc/ssl/crt/chain.crt

Then, specify chain.crt as your SSLCertificateChainFile. This will cause Apache to send these two certificates along with yours as evidence of validity.

You will also need to extract the certificate and key from your PFX file, which contains both:

openssl pkcs12 -nocerts -in wildcard.ssl.pfx -out wildcard.key
openssl pkcs12 -clcerts -nokeys -in wildcard.ssl.pfx -out wildcard.crt

Then, if the private key is encrypted (e.g. you got a passphrase with it) and you want Apache to be able to start without providing the password, you should decrypt it (and protect it with filesystem permissions: mode 0400 and owned by root:root, for instance). To do this (assuming RSA):

openssl rsa -in wildcard.key -out wildcard-decrypted.key

You can then use these two files:

SSLCertificateFile /etc/ssl/crt/wildcard.crt
SSLCertificateKeyFile /etc/ssl/crt/wildcard-decrypted.key

As long as the certificates all match up, that should work. If you want to check that your certificate corresponds to your key, use these two commands (output should be the same, and again assuming RSA):

openssl x509 -modulus -noout -in /etc/ssl/crt/wildcard.crt
openssl rsa -modulus -noout -in /etc/ssl/crt/wildcard-decrypted.key
Falcon Momot
  • Thanks a lot, seems like what I'm looking for; will mark it as soon as I get this working :) – Zee Apr 30 '13 at 21:50
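The whole flow from the answer, as an added example that is not part of the original answer or the asker's setup: it builds a throw-away test PKI with the openssl command line (a root CA, an intermediate signed by it, and a wildcard server certificate signed by the intermediate), packs the server key and certificate into a passphrase-protected PFX like the wildcard.ssl.pfx the asker was handed, then extracts the key and certificate from the PFX, decrypts the key, builds the chain file, verifies that the server certificate chains to the root, and runs the modulus comparison from the answer. It also shows what that comparison reports for an unrelated key like the server.key the asker generated with openssl req. Everything is constructed for the demo: the names (example.test, "Test Class 2 Root"), the passphrases, and the file names. It assumes only a working openssl binary (1.1.1 or 3.x) and writes to a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a constructed test
# PKI, packs the server key and cert into a PFX, then walks the answer's steps:
# extract from the PFX, decrypt the key, build the chain file, verify, and
# compare moduli. All names and passphrases below are made up for the demo.
set -eu

# Print "match" if the certificate's RSA modulus equals the key's, otherwise
# print "mismatch" and return 1. This is the answer's two-command check in one.
cert_key_match() {
    cert_mod=$(openssl x509 -modulus -noout -in "$1")
    key_mod=$(openssl rsa -modulus -noout -in "$2" 2>/dev/null)
    if [ "$cert_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Chain file Apache sends alongside the server cert: intermediate, then root.
# build_chain ROOT INTERMEDIATE OUT
build_chain() {
    cat "$2" "$1" > "$3"
}

# Pull the server cert and private key out of a PFX, then strip the passphrase
# from the key so httpd can start unattended; the decrypted key gets mode 0400.
# extract_pfx PFX PASSPHRASE OUTDIR
extract_pfx() {
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" \
        -passout pass:tmp-key-pass -out "$3/wildcard.key"
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" \
        -out "$3/wildcard.crt"
    openssl rsa -in "$3/wildcard.key" -passin pass:tmp-key-pass \
        -out "$3/wildcard-decrypted.key" 2>/dev/null
    chmod 0400 "$3/wildcard-decrypted.key"
}

# Confirm the server cert chains to the root through the chain file and that
# its wildcard name covers HOSTNAME.  verify_chain ROOT CHAIN CERT HOSTNAME
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null
}

# Constructed test PKI standing in for the CA-issued files. Extensions come
# from explicit -extfile fragments, so no system openssl.cnf section is assumed.
make_test_pki() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Class 2 Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -days 2 -sha256 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/class-root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -sha256 -in "$d/int.csr" -CA "$d/class-root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/root-2int.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test\n' > "$d/server.ext"
    openssl x509 -req -days 2 -sha256 -in "$d/server.csr" -CA "$d/root-2int.cer" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/server.ext" \
        -out "$d/server.crt" 2>/dev/null
    # The PFX as handed to the asker: server key + cert under one passphrase.
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -out "$d/wildcard.ssl.pfx" -passout pass:pfx-secret
    # An unrelated key, like the server.key the asker made with "openssl req".
    openssl genrsa -out "$d/random.key" 2048 2>/dev/null
}

# Run the whole flow in DIR and leave the files there for inspection.
run_demo() {
    make_test_pki "$1"
    extract_pfx "$1/wildcard.ssl.pfx" pfx-secret "$1"
    build_chain "$1/class-root.crt" "$1/root-2int.cer" "$1/chain.crt"
    verify_chain "$1/class-root.crt" "$1/chain.crt" "$1/wildcard.crt" www.example.test
}

# Stand-alone run: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    run_demo "$work"
    echo "key from PFX vs cert: $(cert_key_match "$work/wildcard.crt" "$work/wildcard-decrypted.key")"
    echo "random key vs cert:   $(cert_key_match "$work/wildcard.crt" "$work/random.key" || true)"
    rm -rf "$work"
fi
```

The second echo line is the asker's situation in miniature: a key produced by a fresh openssl req has nothing to do with the certificate in the PFX, so the moduli differ and Apache would refuse the pair; the key extracted from the PFX is the one that matches. The chain file is written with the intermediate first because that is the order clients expect to walk from the server certificate up to the root.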