How to configure Apache on OES or SLES to use a 3rd party certificate

  • 7009962
  • 07-Jan-2012
  • 02-Apr-2014

Environment

Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 1
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2

Situation

The following is meant to be a basic guide to configuring Apache to use a 3rd party certificate.

Resolution

Items you will need:
1. 3rd party certificate.
2. The private key that was used to generate the certificate signing request (CSR). (See the Additional Information section below for a basic overview of generating the CSR with OpenSSL.)
3. Trusted root certificates that are in the signing chain of the certificate (without these Apache will not trust the certificate).

Configuring:

1. Copy required items to the /etc/ssl/servercerts directory*
2. Open the following file in a text editor: /etc/apache2/vhosts.d/vhost-ssl.conf (If the vhost-ssl.conf does not exist (typically on SLES installs) then copy the vhost-ssl.template and name it vhost-ssl.conf).
3. We now need to specify in this conf file the paths to the required items:

     A. Server certificate. Look for the following section:

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/ssl/servercerts/servercert.pem
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

  Copy the existing SSLCertificateFile line and paste it above the existing lines. Plug in your 3rd party certificate file name (.crt or .pem). Comment out the existing line that you copied:

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/ssl/servercerts/3rdpartycert.crt
    #SSLCertificateFile /etc/ssl/servercerts/servercert.pem
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

     B. Server Private Key. Look for the following section:

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

Do the same thing as in the step above, plugging in the private key that was used to generate the CSR (.key or .pem):

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/ssl/servercerts/privatekeyfromcsr.key
    #SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

     C. Server Certificate Chain or Certificate Authority:

There are different ways to provide the chain data. Only one of the two sections below is required, as each is a way to hand Apache the CA certificates it needs to validate the server certificate you are telling it to use.

If the vendor provided you with a chain file, plug it in here:

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convinience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
    SSLCertificateChainFile /etc/ssl/servercerts/chainfile.crt
   
If the vendor provided you with a bundle certificate, plug it in here:

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    SSLCACertificateFile /etc/ssl/servercerts/ca-bundle.crt

If no CA or intermediate certificates were provided by the vendor, either individually or in a bundle/chain file, an easy way to see what you need is to copy your 3rd party certificate to a workstation and change the file extension to .cer. Open it with FireFox and look at the Certification path tab. This shows every certificate in the signing chain for that certificate, and Apache needs all of them to trust the certificate. (You can do the same thing with a bundle certificate provided by the vendor to make sure it contains the certs you need.)

If all you have is the server certificate, you can use FireFox to export the certificates in the chain individually:

    1. Select one of the certificates in the path and click the "View Certificate" button.
    2. In the new pop-up window, go to the Details tab and click the "Copy to File..." button.
    3. Go through the wizard and choose DER encoded binary X.509 (.CER). Name the certificate anything you want.
    4. After the save is complete, change the file extension from .cer to .crt.
    5. Go through those steps for any other certificates in the chain.

Once you have all certificates from the chain, copy them to the server's /etc/ssl/servercerts directory. SSLCACertificateFile can only be given once per virtual host (Apache keeps the last one it reads and ignores the others), so concatenate the root and intermediate certificates into a single PEM encoded file and plug that file into the CA section:

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    SSLCACertificateFile /etc/ssl/servercerts/ca-chain.crt
    
When done, save the changes to the conf file and restart Apache at the terminal (rcapache2 restart).
If Apache fails to start, you either missed a cert in the chain, the private key does not match the server certificate, or something similar. Look in /var/log/apache2/error_log for clues, or contact support for additional assistance.

* this path is by no means a requirement, the files can be located anywhere on the server. I personally use this directory as it is the default directory where the self signed server certificate is created.
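The following shell script is an added example and is not part of this TID: it checks the items from the list above before Apache is restarted (that the private key belongs to the 3rd party certificate and that the certificate chains up to the root and intermediate certificates) and concatenates those CA certificates, converting a DER .cer export to PEM where needed, into the single PEM file that SSLCACertificateFile expects. It assumes the openssl command line tool is installed; every file name is a placeholder, and the throw-away CA and server certificate it generates are constructed purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the TID: pre-flight checks for the files that
# vhost-ssl.conf will point at. Assumes the openssl CLI; all file names
# are placeholders chosen here.

# Print a certificate as PEM, whether it was given as PEM or as DER
# (for example a .cer export from a workstation certificate viewer).
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then cat "$1"
    else openssl x509 -inform DER -in "$1"; fi
}

# Concatenate root and intermediate certs into one PEM file, because
# SSLCACertificateFile may be given only once per virtual host.
# Usage: make_bundle root-ca.crt intermediate-ca.crt > ca-chain.crt
make_bundle() { for f in "$@"; do to_pem "$f"; done; }

# "ok" when the private key belongs to the certificate (same RSA modulus).
key_matches_cert() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo ok || echo MISMATCH
}

# "ok" when the server certificate chains up to the CAs in the bundle,
# which is the check Apache performs when it loads the certificate.
chain_verifies() {  # $1 = certificate, $2 = PEM bundle of CA certs
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo BROKEN
}

# Constructed throw-away PKI (one root CA, one server cert signed by it)
# so the checks above can run offline; prints the directory holding it.
make_test_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ConstructedRootCA \
        -keyout "$d/root-ca.key" -out "$d/root-ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=www.example.com \
        -keyout "$d/privatekeyfromcsr.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/root-ca.crt" \
        -CAkey "$d/root-ca.key" -CAcreateserial -out "$d/3rdpartycert.crt" >/dev/null 2>&1
    # DER copy of the root, standing in for a workstation .cer export
    openssl x509 -in "$d/root-ca.crt" -outform DER -out "$d/root-ca.cer"
    echo "$d"
}
```

After editing vhost-ssl.conf, apache2ctl -t reports syntax errors in the file before rcapache2 restart is attempted.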

Additional Information

   The following are basic instructions on how to manually generate a Certificate Signing Request (CSR) using OpenSSL. This is by no means a complete guide, so for additional information on OpenSSL please refer to the man pages or the OpenSSL website: http://www.openssl.org/docs/HOWTO/
  
    Creating the private key (RSA key):

        1. Go to /etc/ssl/servercerts directory*
        2. Use the following command to generate the key:  openssl genrsa -out <desiredkeyname>.key 2048

    Creating the Certificate Signing Request (CSR):

        1. Still in the /etc/ssl/servercerts directory, use the following command to generate the CSR:  openssl req -new -key <keynamefromstep1>.key -out <desiredname>.csr
        2. During the CSR creation process you will be asked to provide the following attributes. Please be aware that the following characters cannot be accepted: < > ~ ! # $ % ^ / \ ( ) ? , &
             Country:               The two-letter ISO abbreviation for your country.
             State or Province:     The state or province where your organization is legally located. Cannot be abbreviated.
             Locality Name:         The city where your organization is legally located.
             Organization Name:     The exact legal name of your organization. Do not abbreviate your organization name.
             Organization Unit:     Section of the organization.
             Common Name:           The fully qualified domain name for your web server. This must be an exact match.
             Email Address:         The webserver administrator's email address.

        After entering these attributes, it will ask you to enter 'extra' attributes: a challenge password and an optional company name. There is no need to enter anything in these fields, just hit enter on each.
        You can verify the contents of the CSR after it is created by using the following command:  openssl req -noout -text -in <desiredname>.csr

    Send the CSR to the certificate signing authority. They will then sign your CSR and issue you a server certificate, as well as provide you with the certificates that are contained in the certificate signing chain.


* this path is by no means a requirement, the files can be located anywhere on the server. I personally use this directory as it is the default directory where the self signed server certificate is created.

See TID 7014029 to configure eDirectory certificates with Apache2 on SLES OES