Here’s a great article on best practices for SSL deployments:
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
Had to install an SSL certificate from Trustwave today. The cert was emailed to the customer in a zip file that contained several formats. For Plesk the “.cer” file is the one that we needed. Also for the CA certificate there was a “chain.cer” file. Unfortunately Plesk (Apache) was not happy and complained that the private key did not sign the certificate. This indicates a problem with intermediate certificates. Using the commands given here:
http://blogs.reliablepenguin.com/2005/02/23/view_contents_of_ssl_certificate
I looked at the certificate and found that it was signed by:
C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
The certificate in the chain file was for:
C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
and it was signed by:
C=US, O=SecureTrust Corporation, CN=SecureTrust CA
but there was no certificate for this signer.
I found the TrustWave roots here:
https://ssl.trustwave.com/support/support-root-download.php
Turns out this file, named “STCA”, was what we needed:
https://ssl.trustwave.com/support/certificates/stca.crt
So I appended this cert to the chain.cer file and installed on the web server. Now it’s working correctly.
For this example we’ll install an SSL certificate for acme.com. The certificate authority is Network Solutions. The procedure may be different for other certificate authorities, especially in how intermediate certificates are set up.
```bash
yum install mod_ssl
```

```
/etc/pki/tls/certs/acme.com.crt
```
The bundle is a text file with a series of certificates. The first certificate must be the root, followed by each intermediate certificate in the order that they were used to sign. So the certificates should form a chain starting at the root and leading to the intermediate that directly signs the domain’s SSL certificate.
You can determine what certificate signed another certificate with a command like this:
```bash
openssl x509 -noout -text -in acme.com.crt | grep "Issuer:"
```
which returns something like:
```
CA Issuers - URI:http://www.netsolssl.com/NetworkSolutions_CA.crt
```
So for the case of our acme.com certificate from Network Solutions we received the following files:
```
acme.com.crt
AddTrustExternalCARoot.crt
NetworkSolutions_CA.crt
UTNAddTrustServer_CA.crt
```
Using the above openssl command we can see the signer of each file is:
```
acme.com.crt - Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
AddTrustExternalCARoot.crt - Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
NetworkSolutions_CA.crt - Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
UTNAddTrustServer_CA.crt - Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
```
Look closely and you’ll see that acme.com.crt is signed by NetworkSolutions_CA.crt which is signed by UTNAddTrustServer_CA.crt which is signed by AddTrustExternalCARoot.crt.
Now we can build the bundle file like this:
```bash
cat AddTrustExternalCARoot.crt >> ns_bundle.crt
cat UTNAddTrustServer_CA.crt >> ns_bundle.crt
cat NetworkSolutions_CA.crt >> ns_bundle.crt
```
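Building the bundle by hand means following each Issuer line to the file whose Subject matches it, and noticing when no such file exists (the Trustwave case above, where chain.cer carried the Level 2 CA but nothing for the SecureTrust CA that signed it). The Python script below automates that walk for both situations; it is an added example, not code from the original posts or from any tool they mention. It consumes the two lines printed by `openssl x509 -noout -subject -issuer -in FILE`; the sample subject/issuer strings are constructed here from the issuer lines quoted in the posts, the intermediates' subjects are inferred from the chain the post describes, the `customer.cer` leaf is hypothetical, and names are compared as printed strings, which approximates the DER-level comparison OpenSSL performs.

```python
"""Order CA certificates root-first and report a missing signer.

Added example, not code from the posts. Each certificate is described by the
two lines that `openssl x509 -noout -subject -issuer -in FILE` prints; the
sample strings at the bottom are constructed from the issuer lines quoted in
the posts."""
from collections import namedtuple

CertInfo = namedtuple("CertInfo", "filename subject issuer")


def parse_openssl_names(filename, text):
    """Turn 'subject=...' / 'issuer=...' lines into a CertInfo.

    Everything after the first '=' is kept verbatim, so both the older
    'subject= /C=US/O=...' and the newer 'subject=C = US, O = ...' output
    styles parse. Names are matched as printed strings, an approximation
    of the DER-level comparison OpenSSL itself performs."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return CertInfo(filename, fields["subject"], fields["issuer"])


def order_chain(leaf, candidates):
    """Follow issuer -> subject links from the leaf up to a self-signed root.

    Returns (bundle, missing). `bundle` lists the CA certificates root-first,
    ending with the one that directly signed the leaf, i.e. the order used
    for ns_bundle.crt above. `missing` is the issuer DN for which no
    certificate was supplied (None when the chain closes at a root)."""
    by_subject = {c.subject: c for c in candidates}
    chain, current, seen = [], leaf, set()
    while current.subject != current.issuer:      # stop at a self-signed root
        signer = by_subject.get(current.issuer)
        if signer is None:                          # gap: no cert for this issuer
            return list(reversed(chain)), current.issuer
        if signer.subject in seen:                  # guard against cyclic input
            raise ValueError("issuer loop at " + signer.subject)
        seen.add(signer.subject)
        chain.append(signer)
        current = signer
    return list(reversed(chain)), None


def bundle_order(files, leaf_name):
    """Map {filename: openssl output} to (filenames in bundle order, missing DN)."""
    certs = {name: parse_openssl_names(name, text) for name, text in files.items()}
    leaf = certs.pop(leaf_name)
    bundle, missing = order_chain(leaf, certs.values())
    return [c.filename for c in bundle], missing


# Constructed sample 1: the Network Solutions files from the post. The
# intermediates' subjects are inferred from the chain the post describes.
NS_ROOT = ("C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, "
           "CN=AddTrust External CA Root")
NS_UTN = ("C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, "
          "OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware")
NS_CA = "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
NS_FILES = {
    "acme.com.crt": "subject=CN=acme.com\nissuer=%s" % NS_CA,
    "AddTrustExternalCARoot.crt": "subject=%s\nissuer=%s" % (NS_ROOT, NS_ROOT),
    "NetworkSolutions_CA.crt": "subject=%s\nissuer=%s" % (NS_CA, NS_UTN),
    "UTNAddTrustServer_CA.crt": "subject=%s\nissuer=%s" % (NS_UTN, NS_ROOT),
}

# Constructed sample 2: the Trustwave case, where chain.cer lacked the
# SecureTrust CA root until stca.crt was added. The leaf is hypothetical.
TW_L2 = ("C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., "
         "CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com")
TW_ROOT = "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
TW_FILES = {
    "customer.cer": "subject=CN=customer.example\nissuer=%s" % TW_L2,
    "chain.cer": "subject=%s\nissuer=%s" % (TW_L2, TW_ROOT),
}
TW_FILES_FIXED = dict(TW_FILES, **{"stca.crt": "subject=%s\nissuer=%s" % (TW_ROOT, TW_ROOT)})


if __name__ == "__main__":
    for files, leaf in ((NS_FILES, "acme.com.crt"),
                        (TW_FILES, "customer.cer"),
                        (TW_FILES_FIXED, "customer.cer")):
        order, missing = bundle_order(files, leaf)
        if missing:
            print("%s: no certificate found for issuer %s" % (leaf, missing))
        else:
            print("cat %s > bundle.crt" % " ".join(order))
```

Once the bundle file exists, the equivalent check against the real certificates is `openssl verify -CAfile ns_bundle.crt acme.com.crt`, which prints `acme.com.crt: OK` only when the bundle supplies an unbroken path from the leaf's issuer to a self-signed root; a missing link shows up as an "unable to get issuer certificate" style error before Apache is ever restarted.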
```apache
<VirtualHost *:443>
    DocumentRoot /var/www/vhosts/acme.com/httpdocs
    ServerName acme.com
    ServerAlias www.acme.com
    ErrorLog logs/acme.com-ssl-error_log
    CustomLog logs/acme.com-ssl-access_log common
    <Directory /var/www/vhosts/acme.com/httpdocs>
        AllowOverride All
    </Directory>
    SSLEngine on
    # SSLv3 and the RC4 ciphers allowed here are considered insecure today;
    # check the SSL Labs deployment guide linked at the top of the page before reusing these two lines.
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
    SSLCertificateFile /etc/pki/tls/certs/acme.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/acme.com.key
    SSLCACertificateFile /etc/pki/tls/certs/ns_bundle.crt
</VirtualHost>
```
```bash
/sbin/service httpd restart
```
Troubleshooting