Saturday, April 2, 2011

adding VeriSign cert to apache

We need three files: the private key, the server certificate and the CA (intermediate) chain certificate. Apache references them from its SSL configuration:
SSLCertificateFile       /path/to/this/public.crt
SSLCertificateKeyFile    /path/to/this/private.key
SSLCertificateChainFile  /path/to/intermediate.crt
  1. Generate the private key:

    openssl genrsa -des3 -out private.key 2048

    Remove the passphrase from the private key (otherwise Apache prompts for it on every start):

    openssl rsa -in private.key -out private.key.new

    mv private.key.new private.key

    For all SSL certificates, the CSR key bit length must be 2048.
  2. Generate the CSR:

    openssl req -new -key private.key -out request.csr

    (To generate a self-signed certificate instead, skipping the CA:
    openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
    )

    Verify the CSR before uploading it.
  3. Log into VeriSign Trust Center and upload the CSR.
  4. Wait about two days; when the certificate is ready, download it as public.crt.
  5. Download the VeriSign Secure Site Primary and Secondary Intermediate CA bundle. From the VeriSign Intermediate CA Certificates
    support page: "For Apache Web servers or similar, you only need to install the Intermediate CA Bundle according to your Certificate type."
  • Verifying that a private key matches a certificate
    openssl x509 -noout -text -in server.crt
    openssl rsa -noout -text -in server.key

    The modulus and public exponent shown for the key and the certificate must match. Alternatively, compare digests of the moduli; all three must be identical:
    openssl x509 -noout -modulus -in public.crt | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5
    openssl req -noout -modulus -in server.csr | openssl md5

  • Without the proper issuer chain/intermediate certificate, users will get an "SSL Certificate Not Trusted" error in the browser. Here's more detail on the subject and an SSL Checker tool.
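The two checks above (key matches certificate; the chain file is the certificate's actual issuer) as a small script. This is an added example, not from the original post; it builds a throwaway CA and server certificate as constructed test data so it runs without a real VeriSign-issued certificate, and uses `openssl` only.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three files the
# Apache config needs (private key, server certificate, intermediate/chain cert).

# 0 if key and certificate carry the same RSA modulus. The post hashes the
# moduli so a human can eyeball them; a script can compare the strings directly.
# A failing openssl call returns 1 rather than comparing two empty strings.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# 0 if the chain certificate's subject is the server certificate's issuer, i.e.
# the file in SSLCertificateChainFile is the intermediate that actually signed it.
chain_issued_cert() {
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$2" 2>/dev/null) || return 1
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null) || return 1
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Constructed throwaway CA and server certificate (test data, not real VeriSign
# files) so the checks can be exercised offline. $1 is a scratch directory.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.crt" 2>/dev/null
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null
    openssl req -new -key "$1/private.key" -subj "/CN=www.example.com" \
        -out "$1/request.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/request.csr" -CA "$1/intermediate.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/public.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null  # unrelated key, negative case
}

# Runs every check against the constructed files. Returns 0 when the real pair
# passes, the unrelated key is rejected, and the chain cert is the leaf's issuer.
run_checks() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir"
    if key_matches_cert "$dir/private.key" "$dir/public.crt"; then ok=1; else ok=0; fi
    if key_matches_cert "$dir/other.key" "$dir/public.crt"; then bad=1; else bad=0; fi
    if chain_issued_cert "$dir/intermediate.crt" "$dir/public.crt"; then chain=1; else chain=0; fi
    rm -rf "$dir"
    echo "key matches cert: $ok, wrong key accepted: $bad, chain is issuer: $chain"
    [ "$ok" = 1 ] && [ "$bad" = 0 ] && [ "$chain" = 1 ]
}

run_checks
```

Point `key_matches_cert` and `chain_issued_cert` at the real private.key, public.crt and intermediate.crt to run the same checks on a deployed configuration.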

Links: Certificate Signing Request (CSR) Generation Instructions - Apache SSL
