
I have SSL certificate files:

  • Root2023.crt
  • t1.crt
  • t1.pem
  • t1.pk8

on my Apache server. How can I determine which of these files should be used for SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, etc.?

000-default.conf:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/ssl/t1.crt
        SSLCertificateKeyFile /etc/ssl/t1.pem
        SSLCertificateKeyFile /etc/ssl/t1.pk8
        SSLCertificateChainFile /etc/ssl/Root2023.crt
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

I tried this config, but it does not work.

UPDATE:

    openssl x509 -in t1.pem -text -noout
    openssl x509 -in t1.crt -text -noout

Both have similar output, like this:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                508... (0x468dc...8)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = rcii
            Validity
                Not Before: Feb 14 07:34:00 2023 GMT
                Not After : Feb 14 07:34:00 2026 GMT
            Subject: C = IR, ST = TEH, L = TEH, CN = 172.....
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:c4:.....
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    IP Address:172.....
                Netscape Comment:
                    xca certificate
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            34:bd:9

t1.pk8 has a pass phrase.

    openssl rsa -in t1.pk8 -text -noout

output:

    Private-Key: (4096 bit, 2 primes)
    modulus:
        00:c4:58:f7:e8:bf:ad:f1:f9:aa:33:e7:3c:b3:48:
    publicExponent: 65537 (0x10001)
    privateExponent:
        65:a0:6b:08:84:15:c3:55:e7:3b:a0:27:31:e0:74:
    prime1:
        00:f2:e1:d3:4e:3f:2e:b3:69:60:cd:8c:8c:78:91:
    prime2:
        00:ce:f3:bd:36:44:6e:bd:ae:65:43:62:59:8a:ec:
        af:03
    exponent1:
        00:e1:cd:10:a5:ae:17:bc:b4:3b:4a:dd:5f:ba:b7:
        63:0d:e2:0b:18:93:35:8b:3c:df:4b:7e:d5:63:84:
        75
    exponent2:
        1f:b9:21:21:f6:6f:7b:48:06:61:c3:eb:b1:ed:fc:
        7d
    coefficient:
        37:ff:02:03:bf:37:c0:7f:6f:f8:a6:b1:51:9b:b3:
        fd:cf:fd:49:e3:c5:fb:6d:47:79:a0:0e:2d:99:50:
        eb
  • Try viewing what is inside these files first, with for example "openssl x509 -text -in <yourfile>"; it will display the certificate details (if it's a CA, what the subject is, etc.). Commented Sep 3, 2023 at 8:31
  • Also, try viewing them with cat or a text editor - that may give you a clue. Commented Sep 3, 2023 at 9:12
  • We cannot determine the contents of those files based on the file name. At least grep "---" to remove the actual contents and add here what is left. Commented Sep 3, 2023 at 11:57
  • I updated the question with the content of the cert files, @olivierg, but I can't identify the type yet. Commented Sep 3, 2023 at 13:12
  • @garethTheRed The cat command shows hashed content; I want to know the Apache configuration. Commented Sep 3, 2023 at 13:13

1 Answer

The mod_ssl documentation of each parameter tells what is expected, which more or less answers your question.

Private key

SSLCertificateKeyFile Directive

Description: Server PEM-encoded private key file

This directive points to the PEM-encoded private key file for the server, or the key ID through a configured cryptographic token. If the contained private key is encrypted, the pass phrase dialog is forced at startup time.

The t1.pk8 contains the information required here, but you might want to remove the password so that it won't be prompted for every time you restart Apache:

    openssl rsa -in /etc/ssl/t1.pk8 -out /etc/ssl/t1.key

The resulting file should start with -----BEGIN PRIVATE KEY-----.

As the key file is not protected with a password anymore, you should protect it with file system permissions:

    chown root:root /etc/ssl/t1.key
    chmod 600 /etc/ssl/t1.key

Certificate chain

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

That should be self-explanatory. Remove this directive from your configuration altogether.

SSLCertificateFile Directive

Description: Server PEM-encoded X.509 certificate data file or token identifier

This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token. If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate.

The files may also include intermediate CA certificates, sorted from leaf to root.

If your t1.crt is directly signed by the Root2023.crt and the Root2023.crt is present in the CA store on the clients, you could use t1.crt as is.

If you need any intermediate certificates, you should create a combined file having them all from leaf to root. If the Root2023.crt happens to be a file containing the intermediate certificate(s) and both are already in PEM format, you could combine them with:

    cat /etc/ssl/t1.crt /etc/ssl/Root2023.crt > /etc/ssl/fullchain.pem

The resulting file should be structured like this:

    -----BEGIN CERTIFICATE-----
    Base 64 encoded contents of the leaf certificate.
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Base 64 encoded contents of an intermediate certificate.
    -----END CERTIFICATE-----

Followed by the required amount of intermediates (and optionally the CA certificate).

Configuration

Now, if these instructions were suitable for your needs and you followed them, your configuration would look like this:

    SSLEngine on
    SSLCertificateFile /etc/ssl/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/t1.key
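To tell the four files apart and confirm that the key actually belongs to the certificate before wiring them into mod_ssl, here is a small check script. It is an added example, not part of the answer or the question; it assumes openssl is installed, and the /etc/ssl paths at the bottom are the question's file names used as placeholders.

```shell
#!/bin/sh
# Classify PEM files by their markers and check that a key/cert pair belongs
# together. Added example, not from the post; paths are placeholders.

# Print what a PEM file holds, judged by its BEGIN markers:
#   certificate(N)         N concatenated certificates (N>1: a leaf+chain bundle)
#   private-key            unencrypted PKCS#8, RSA or EC key
#   encrypted-private-key  PKCS#8 key protected by a pass phrase (like t1.pk8)
#   unknown                no PEM marker at all (DER/binary, or not a key/cert)
pem_kind() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        printf 'certificate(%s)\n' "$n"
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted-private-key
    elif grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo private-key
    else
        echo unknown
    fi
}

# Exit 0 if the certificate has CA:TRUE in Basic Constraints: such a file is
# chain/trust-store material, not the leaf for SSLCertificateFile.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if KEY and CERT carry the same public key, i.e. they are the pair for
# SSLCertificateKeyFile/SSLCertificateFile. openssl pkey reads PKCS#8 (.pk8)
# as well as traditional keys; add -passin for an encrypted key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Exit 0 if LEAF chains to the certificates in CAFILE (e.g. t1.crt against
# Root2023.crt); failure here means intermediates are missing from the bundle.
leaf_verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

for f in /etc/ssl/Root2023.crt /etc/ssl/t1.crt /etc/ssl/t1.pem /etc/ssl/t1.pk8; do
    [ -f "$f" ] || continue
    printf '%-22s %s\n' "$f" "$(pem_kind "$f")"
done
```

Run it as root on the server; a file reported as certificate(1) with CA:FALSE is the leaf, the file whose key_matches_cert succeeds against that leaf is the key, and anything with CA:TRUE belongs in the chain.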
