
I am setting up a Certificate Authority for an intranet. There is a root certificate which will be installed on all the network machines, an intermediate certificate signed by the root, and an HTTP server certificate signed by the intermediate.

I need to bundle the HTTP and intermediate certificates in order for them to be validated by the root.

  #> cat intermediate.crt server.crt > both.crt
  #> openssl verify -CAfile root.crt both.crt
  OK

However, I can't use both.crt and server.private.key for the internal website because when Apache starts:

  Certificate and private key mysite.com:443:0 from /www/both.crt and /www/server.private.key do not match

This is because intermediate.crt is the first entry in both.crt. If I switch the order of server.crt and intermediate.crt, then Apache launches but both.crt won't validate against root.crt.

The requirement is that root.crt is installed permanently, but server.crt and intermediate.crt are subject to change and need to be served ad hoc by Apache. How do I construct a certificate bundle which Apache accepts?

spraff

1 Answer


Put the server certificate as the argument to the SSLCertificateFile directive and a file containing all subordinate CAs, excluding the Root CA, as the argument to SSLCertificateChainFile. Finally, put the private key for your server certificate as the argument to SSLCertificateKeyFile:

  SSLCertificateFile /etc/pki/tls/certs/server.pem
  SSLCertificateChainFile /etc/pki/tls/certs/bundle.pem
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
garethTheRed
  • Also note that one should *not* `cat intermediate.crt server.crt > both.crt` but instead validate `server.crt` *only* against the chain. – spraff Oct 25 '16 at 13:21
  • [This advice](https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html#create-the-certificate-chain-file) is to include the root in the chain, contrary to what you said. Does it really matter? – spraff Oct 25 '16 at 13:23
  • There is no need to include the Root in the chain as it _must_ be installed on the relying party for it to trust the chain. Or, to look at it another way, if the Root CA cert isn't installed on the relying party, then adding it to the bundle won't help - it still won't trust the chain. – garethTheRed Oct 25 '16 at 17:08
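The checks behind the question and the answer, as an added example that is not part of the original post or of Apache or OpenSSL: the script builds a throwaway root, intermediate and server certificate with openssl, then shows that the leaf validates against root.crt only when the intermediate is supplied as an untrusted chain certificate, that a key-to-certificate comparison against the first certificate in a file is what fails for the concatenated both.crt, and that the chain file for SSLCertificateChainFile contains only the intermediate. All file names, the `WORK` directory and the `www.example.internal` subject are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build a throwaway
# root -> intermediate -> server chain with openssl, then run the checks that
# decide whether Apache will accept the files and whether a relying party that
# trusts only root.crt can validate the leaf. Every file name and the
# "www.example.internal" subject are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/req.cnf"
# Minimal req config so the example does not depend on a system openssl.cnf;
# the subject is always overridden with -subj.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$CFG"

# Extensions for CA certificates (root and intermediate) and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.internal\n' > "$WORK/leaf.ext"

# gen_csr NAME: fresh RSA key plus a CSR with CN=NAME.
gen_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$CFG" -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME EXTFILE [ISSUER]: self-sign when ISSUER is empty, otherwise sign
# NAME's CSR with ISSUER's key and certificate.
sign() {
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# build_pki: root (self-signed) -> intermediate -> server, plus the two bundles.
build_pki() {
  gen_csr root;         sign root "$WORK/ca.ext"
  gen_csr intermediate; sign intermediate "$WORK/ca.ext" root
  gen_csr server;       sign server "$WORK/leaf.ext" intermediate
  # chain.pem is what SSLCertificateChainFile wants: subordinate CAs only, no root.
  cat "$WORK/intermediate.crt" > "$WORK/chain.pem"
  # both.crt is the question's bundle, intermediate first.
  cat "$WORK/intermediate.crt" "$WORK/server.crt" > "$WORK/both.crt"
}

# verify_leaf: the leaf validates against a store holding only root.crt when the
# intermediate is supplied as an untrusted chain certificate (what a browser
# with root.crt installed sees once Apache serves the chain).
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# verify_leaf_alone: the same leaf without the intermediate; expected to fail,
# which is why the intermediate must be served rather than assumed installed.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# key_matches_cert CERTFILE KEYFILE: compare the public key of the *first*
# certificate in CERTFILE (openssl x509 reads only the first, as Apache does for
# SSLCertificateFile) with the public key derived from KEYFILE.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# cert_count FILE: number of PEM certificates in FILE.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

build_pki
verify_leaf && echo "server.crt chains to root.crt via chain.pem"
verify_leaf_alone || echo "server.crt alone does not chain to root.crt: the intermediate must be served"
key_matches_cert "$WORK/server.crt" "$WORK/server.key" && echo "server.crt matches server.key"
key_matches_cert "$WORK/both.crt" "$WORK/server.key" || echo "both.crt does not match server.key: its first certificate is the intermediate"
echo "chain.pem holds $(cert_count "$WORK/chain.pem") certificate(s)"

# Apache vhost fragment for the generated files (the paths are this example's own).
cat <<EOF
SSLCertificateFile      $WORK/server.crt
SSLCertificateChainFile $WORK/chain.pem
SSLCertificateKeyFile   $WORK/server.key
EOF
```

The key comparison is the useful operational check: it reproduces Apache's "do not match" error offline by comparing SubjectPublicKeyInfo blocks, so a mis-ordered bundle or a stale key is caught before a restart. The two verify calls show the other half of the question: with `-untrusted` standing in for the chain Apache serves, the leaf validates against a store that contains nothing but root.crt, which is also why the root never needs to appear in the chain file.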