Re: How to enable 443 on apache2 using provided key files

Well, I am still unsure about the full encryption. I don't like that. If there is a problem, the overheads grow to analyze the situation. What about just signing the messages? I mean, if you have messages for all, why do you want to hide them?

E

On 2 February 2017 at 17:54, <rich.greder@xxxxxxxxxxxx> wrote:
Hello,

There is a freshly installed (from Ubuntu 16.04 package) apache server running in a large institution that needs to have port 443 traffic enabled.  I am helping a friend of mine configure this server and, at the same time, writing a document for reproducing the installation procedure that will be published online.  The server has its own subdomain and the system administrator generated encryption keys to be used for this server.  The administrator is talented, but seems to be inexperienced in open-source solutions, so outside help is needed.  As a courtesy to my friend, whom I'm helping set this up, I've anonymized the TLD from the filename, but the files are as follows:

_.example.com.p12
Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
SSL Certificate - .example.com.txt

I personally do not have easy access to these files, but I can request actions to be performed on them.  I had not previously been acquainted with P12 files until now.  I found a website that seems to be able to help me export data from the P12 file into a data format that apache can readily use:

http://wiki.i.gov.ph/iwiki/bin/view/PNPKI/How+to+install+SSL+certificate+in+apache+ubuntu+server

After reading through this website, I proposed these steps:

sudo openssl pkcs12 -in /vault/_.example.com.p12 -nocerts -out /vault/private.pem
sudo openssl rsa -in /vault/private.pem -out /vault/key.pem
sudo openssl pkcs12 -in /vault/_.example.com.p12 -clcerts -nokeys -out /vault/cert.pem
sudo openssl pkcs12 -in /vault/_.example.com.p12 -nokeys -cacerts -out /vault/CAchain.pem

And then modify ./sites-available/site-443.conf with the lines:

SSLCertificateFile /vault/cert.pem
SSLCertificateKeyFile /vault/key.pem
SSLCertificateChainFile /vault/CAchain.pem
SSLCACertificateFile "/vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt"


We tried some of the openssl commands in that document, but we don't have the password.  The file named "SSL Certificate - .example.com.txt" is unused, and that does concern me that I'm either neglecting a critical file or needlessly duplicating it.  Before asking the administrator for a password, we have questioned whether we are making this needlessly difficult and were curious if there is a solution where these files can be used directly by apache.

As you can guess, I'm no expert at encryption.  Getting keys, for the purpose of self-education is very expensive.  The extent of my experience is limited to creating self-signed certificates back in the good old days before the web-browser people decided that was to be forbidden practice, and more recently, letsencrypt.org, which operates in a magical smoke and mirrors method.  I would like to know if this would be the best practice for my friend encrypting his server's traffic.  I am very grateful for any feedback.

Thank you very much!

Rich
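
Added example, not part of the thread: the extraction steps proposed above, run against a throwaway PKCS#12 bundle built on the spot, followed by two checks: that the extracted key belongs to the extracted certificate, and that a separately delivered certificate file (the situation of the unused "SSL Certificate" text file) is the same certificate as the one inside the bundle. The file names, the password and the helper function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: every file here is constructed in a temp dir for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12_PASS='constructed-demo-pass'   # stands in for the administrator's import password

# Constructed input: throwaway key + self-signed cert, bundled as PKCS#12.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example.com' \
    -keyout "$WORK/orig.key" -out "$WORK/provided-cert.txt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/provided-cert.txt" \
    -passout "pass:$P12_PASS" -out "$WORK/bundle.p12"
}

# Split the bundle into PEM files. -nodes leaves the key unencrypted on disk,
# so tighten the umask before it is written.
extract_p12() {
  umask 077
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
    -nocerts -nodes -out "$WORK/key.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
    -clcerts -nokeys -out "$WORK/cert.pem" 2>/dev/null
}

# Public key in PEM form, taken from a private key or from a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
cert_fp()     { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# True only when both files parse and carry the same public key.
key_matches_cert() {
  k=$(pub_of_key "$1") && c=$(pub_of_cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}
# True only when both files parse and hold the same certificate.
same_cert() {
  a=$(cert_fp "$1") && b=$(cert_fp "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

make_demo_p12
extract_p12
if key_matches_cert "$WORK/key.pem" "$WORK/cert.pem"; then echo "key matches cert"; fi
if same_cert "$WORK/cert.pem" "$WORK/provided-cert.txt"; then
  echo "standalone cert file duplicates the cert inside the bundle"
fi
```

Against real files, `key_matches_cert` takes the extracted key and certificate, and `same_cert` tells whether a certificate delivered as a separate file is a duplicate of the one in the bundle.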

