
Archive | SSL

Trustwave Certificate Chain

Had to install an SSL certificate from Trustwave today. The cert was emailed to the customer in a zip file that contained several formats. For Plesk the “.cer” file is the one that we needed. There was also a “chain.cer” file for the CA certificate. Unfortunately Plesk (Apache) was not happy and complained that the private key did not sign the certificate. This indicates a problem with intermediate certificates. Using the commands given here:

http://blogs.reliablepenguin.com/2005/02/23/view_contents_of_ssl_certificate

I looked at the certificate and found that it was signed by:

C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com

The certificate in the chain file was for:

C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com

and it was signed by:

C=US, O=SecureTrust Corporation, CN=SecureTrust CA

but there was no certificate for this signer.

I found the TrustWave roots here:

https://ssl.trustwave.com/support/support-root-download.php

Turns out this file, named “STCA”, was what we needed:

https://ssl.trustwave.com/support/certificates/stca.crt

So I appended this cert to the chain.cer file and installed it on the web server. Now it’s working correctly.


Install SSL Certificate – Apache / CentOS / RHEL

For this example we’ll install an SSL certificate for acme.com. The certificate authority is Network Solutions. The procedure may be different for other certificate authorities, especially in how intermediate certificates are set up.

  1. Install mod_ssl if needed
  2. Copy SSL certificate to the server – The certificate should be named after the domain name and placed in the /etc/pki/tls/certs folder. For our example the cert will be:
  3. Copy the intermediate CA bundle to the server – The bundle should be placed in /etc/pki/tls/certs/ and named after the certificate authority. For example, GoDaddy would be “gd_bundle.crt” and Network Solutions would be “ns_bundle.crt”. Sometimes the certificate authority will provide the bundle file. Other times they will just provide a set of separate root and intermediate CA certificates. In this situation, you’ll need to create the bundle file yourself.

    The bundle is a text file with a series of certificates. The first certificate must be the root, followed by each intermediate certificate in the order that they were used to sign. So the certificates should form a chain starting at the root and leading to the intermediate that directly signs the domain’s SSL certificate.

    You can determine what certificate signed another certificate with a command like this:

    which returns something like:

    So for the case of our acme.com certificate from Network Solutions we received the following files:

    Using the above openssl command we can see the signer of each file is:

    Look closely and you’ll see that acme.com.crt is signed by NetworkSolutions_CA.crt which is signed by UTNAddTrustServer_CA.crt which is signed by AddTrustExternalCARoot.crt.

    Now we can build the bundle file like this:

  4. Remove default Apache virtual host – By default mod_ssl sets up a virtual host that we do not need. Edit /etc/httpd/conf.d/ssl.conf and remove the virtual host definition from “<VirtualHost _default_:443>” to “</VirtualHost>”.
  5. Add Apache configuration – The exact layout of your Apache configuration will depend on how your server has been set up. If you’re following the Reliable Penguin best practices then you can add the following block to /etc/httpd/conf.d/vhosts.conf:

  6. Restart Apache

  7. Test with web browser – Point your browser to https://acme.com and verify that the site loads with no warnings or errors.
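As an added example (not code from either post above), the following POSIX shell script automates the issuer/subject check that both the Trustwave post and step 3 perform by hand with openssl x509, and assembles the intermediate bundle root-first as step 3 requires. The three-certificate test PKI it generates, the file names (ns_bundle.crt, acme.example) and the helper function names are constructed for this example; it assumes the openssl CLI is installed and that certificate file names contain no spaces.

```shell
#!/bin/sh
# Added example, not code from the original posts: automate the "who signed
# whom" check both posts do by hand with openssl x509, and assemble the CA
# certificates into the root-first bundle file that step 3 calls for.
# Assumes a POSIX sh, the openssl CLI, and file names without spaces.

# Subject and issuer of a PEM certificate, with the "subject=" / "issuer="
# label stripped so the two strings compare equal when they match.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Print "<file> signed by: <issuer>" for each certificate file given,
# i.e. the table the post builds by running openssl on every file.
show_signers() {
  for f in "$@"; do
    printf '%s signed by: %s\n' "$f" "$(cert_issuer "$f")"
  done
}

# build_bundle OUT LEAF CA_FILE...
# Climbs from LEAF's issuer up to a self-signed root through CA_FILE...,
# then writes OUT root-first (root, then each intermediate in signing
# order) and prints the file order used. Returns 1 and names the missing
# subject if some signer is absent, which is the Trustwave case above,
# where chain.cer carried the intermediate but not the SecureTrust root.
build_bundle() {
  out=$1; leaf=$2; shift 2
  chain=""                      # files root-first; we prepend as we climb
  want=$(cert_issuer "$leaf")   # subject of the certificate we need next
  while :; do
    found=""
    for f in "$@"; do           # first file whose subject matches wins
      if [ "$(cert_subject "$f")" = "$want" ]; then found=$f; break; fi
    done
    if [ -z "$found" ]; then
      echo "chain breaks: no certificate with subject '$want'" >&2
      return 1
    fi
    chain="$found $chain"
    # A self-signed certificate is the root: stop climbing.
    if [ "$(cert_issuer "$found")" = "$want" ]; then break; fi
    want=$(cert_issuer "$found")
  done
  : > "$out"
  for f in $chain; do cat "$f" >> "$out"; done
  printf '%s\n' "${chain% }"
}

# Constructed three-level PKI (root -> intermediate -> leaf) so the script
# runs offline; in practice these files come from the certificate authority.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  done
  openssl req -new -key "$d/root.key"  -subj "/O=Example Corp/CN=Example Root CA" -out "$d/root.csr"
  openssl req -new -key "$d/inter.key" -subj "/O=Example Corp/CN=Example Issuing CA" -out "$d/inter.csr"
  openssl req -new -key "$d/leaf.key"  -subj "/CN=acme.example" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Demo: list signers, build the bundle, verify the leaf against it, then
# show what the Trustwave-style failure (root missing from the set) looks like.
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  show_signers "$d/leaf.crt" "$d/inter.crt" "$d/root.crt"
  build_bundle "$d/ns_bundle.crt" "$d/leaf.crt" "$d/inter.crt" "$d/root.crt"
  openssl verify -CAfile "$d/ns_bundle.crt" "$d/leaf.crt"
  build_bundle "$d/broken.crt" "$d/leaf.crt" "$d/inter.crt" || echo "fetch the missing CA certificate from the issuer and rerun"
  rm -rf "$d"
}
demo
```

build_bundle walks upward from the domain certificate exactly the way the post traces acme.com.crt to NetworkSolutions_CA.crt to UTNAddTrustServer_CA.crt to AddTrustExternalCARoot.crt, then writes the files in reverse so the root comes first. When a signer is not among the supplied files it stops and prints the subject it could not find, which is the situation in the Trustwave post (the SecureTrust CA root was absent from chain.cer). Note that openssl verify -CAfile treats every certificate in the bundle as trusted, so that final check confirms the chain is complete and consistent, not that the root is one browsers trust.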

Troubleshooting

  • On restarting Apache if you get a message like this “[warn] _default_ VirtualHost overlap on port 443, the first has precedence” then you’ve not removed the default virtual host created by mod_ssl.
  • You may need to adjust the iptables configuration to allow traffic to TCP port 443.