8

Recently I've upgraded Apache from 2.2 to 2.4 and I cannot figure out how to deprecate an SSLCertificateChainFile directive.

The error:

    me@jessie:~$ sudo apache2ctl configtest
    AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/https.conf:103) is deprecated, SSLCertificateFile should be used instead
    Syntax OK

My current settings:

    SSLCertificateFile    /etc/apache2/cert/ssl.crt
    SSLCertificateKeyFile /etc/apache2/cert/ssl.key
    SSLCertificateChainFile /etc/apache2/cert/sub.class1.server.sha2.ca.pem
    SSLCACertificateFile /etc/apache2/cert/ca.pem

The certificate is signed by StartCOM. The manual says that the whole chain should now be in one file, specified by the SSLCertificateFile directive, but I do not know which keys I should concatenate into this file, and in which order.

Neurotransmitter

2 Answers

9

Given that you're using this in your apache config:

    SSLCertificateFile    /etc/apache2/cert/ssl.crt
    SSLCertificateKeyFile /etc/apache2/cert/ssl.key

The /etc/apache2/cert/ssl.crt file should contain:

  1. the certificate of e.g. yourdomain.com
  2. the certificate of the first intermediate CA, signed by the root CA (e.g. StartCom Class 1 Primary Intermediate Server CA)
  3. the certificate of the second intermediate CA, signed by the first intermediate CA (if there is a second intermediate CA in your certificate chain)

You need to put all intermediate CAs' certificates in the crt file. Depending on the certificate chain of your certificate, there will be a varying number of CAs involved.

You don't even need to add the root CA, as it has to be in the trust store of any client anyway; otherwise clients will get an error page. Also, if you add it to your chain, it will just be additional overhead for establishing SSL connections, as it has to be transferred for every new SSL session. Actually, most clients will also have intermediate CA certificates installed, but some might not (e.g. mobile phones don't have many intermediate CA certificates), so I would definitely add those.

The /etc/apache2/cert/ssl.key file will stay the same, that is, it will contain the key for the certificate of yourdomain.com.

fholzer
  • Okay, if I understood you correctly, I should create a file with the following in this order: 1) ssl.crt; 2) sub.class1.server.sha2.ca.pem; 3) *what?* Please explain which certificates should be added in the third (and possibly further) places. – Neurotransmitter May 06 '15 at 09:23
  • That depends on the actual chain, I mean the number of CAs involved in signing your certificate. The chain may consist of only 2 CAs, e.g. the root CA and one intermediate CA. But it may consist of the root CA and more than one intermediate CA. Your ssl.crt file should contain all intermediate CA certificates, from top to bottom. For this reason, it absolutely depends on your specific case what your ssl.crt should look like. – fholzer May 06 '15 at 09:38
  • How could one know which CAs are involved in signing a certificate? – Neurotransmitter May 06 '15 at 09:58
  • Building the chain is not trivial for a novice, I guess. I usually run `openssl x509 -subject -issuer -noout -in certificate.of.yourdomain.crt` to see the issuer. I then download the issuing certificate from the website of my CA, in your case: http://www.startssl.com/certs/. Then run the command on that certificate. Repeat until issuer equals subject, which means the certificate is self-signed and is the root CA certificate. Add all those files except the root CA cert to the ssl.crt and you're done. – fholzer May 06 '15 at 11:55
  • Thanks for the support, I've followed the chain and generated a combined certificate. But for some reason the [Qualys SSL test](https://www.ssllabs.com/ssltest/) indicates that clients which connect to my host have to _extra download_ StartCom Class 1 Primary Intermediate Server CA, which I've definitely included in the combined certificate ([screenshot](http://i.imgur.com/Ofl3cul.png)). That's weird. – Neurotransmitter May 07 '15 at 14:25
1

Okay, I finally figured it out and decided to post the details as an answer.

StartSSL now places the certificate in a zip archive when you retrieve it, and there are plenty of included archives there; one of particular interest is ApacheServer.zip, an Apache >2.4-compatible form. The files in the Apache folder are:

    1_root_bundle.crt
    2_myhost.tld.crt

You have to build the SSLCertificateFile from both of these certificates, in this order:

    cat 2_myhost.tld.crt 1_root_bundle.crt > myhost.tld_combined.crt

So in the site conf it will be just:

    SSLCertificateFile    /etc/apache2/cert/myhost.tld_combined.crt
    SSLCertificateKeyFile /etc/apache2/cert/myhost.tld.key

And all will be good, even the Qualys SSL Test.

This works for StartCom StartSSL as well as for WoSign certificates; the format is the same.

Neurotransmitter
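As an added example (not code from the thread, StartSSL or Apache), here is a shell check of the ordering rule from the accepted answer and of the issuer-walk in fholzer's comment: it splits a combined SSLCertificateFile, confirms that each certificate is issued by the one that follows it, and flags a trailing self-signed root. It assumes the openssl CLI is installed; make_demo_chain generates constructed root, intermediate and leaf certificates so the check runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check that a combined SSLCertificateFile
# is ordered leaf -> intermediate(s) with no self-signed root at the end.
# Assumes the openssl CLI; all certificates below are constructed for the demo.
set -u

# Return 0 if the bundle is correctly ordered, 1 otherwise (reasons are printed).
check_chain() {
  local bundle="$1" count i subj iss prev_iss="" rc=0 tmp
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  [ "$count" -gt 0 ] || { echo "no certificates in $bundle"; return 1; }
  tmp=$(mktemp -d)
  # split the bundle into cert-1.pem, cert-2.pem, ... keeping file order
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert-" n ".pem")}' "$bundle"
  for i in $(seq 1 "$count"); do
    subj=$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$tmp/cert-$i.pem" | sed 's/^issuer=//')
    # certificate i must be the issuer of certificate i-1 (leaf first, then its CA)
    if [ "$i" -gt 1 ] && [ "$prev_iss" != "$subj" ]; then
      echo "cert $i ($subj) did not issue cert $((i-1)); chain is out of order"; rc=1
    fi
    # a self-signed certificate is the root CA, which clients must already trust
    if [ "$subj" = "$iss" ]; then
      echo "cert $i ($subj) is self-signed; drop the root CA from SSLCertificateFile"; rc=1
    fi
    prev_iss=$iss
  done
  rm -rf "$tmp"
  return "$rc"
}

# Build a constructed root -> intermediate -> leaf chain and three bundles in "$1".
make_demo_chain() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myhost.tld" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/int.crt" > "$d/good.crt"                      # what the answers describe
  cat "$d/int.crt" "$d/leaf.crt" > "$d/wrong_order.crt"               # intermediate before leaf
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/with_root.crt"   # root needlessly appended
}
```

Run `check_chain /etc/apache2/cert/myhost.tld_combined.crt` against a real bundle; a clean exit means the order matches what the Qualys test expects to see sent by the server.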