Apache 2.4 – Install CA Not Trusted Certificate

apache-2.4certificate-authorityssl-certificate

I am trying to install a chain certificate from Entrust on a red hat server 7.5 that uses apache 2.4.6. Following some articles I found, I did the following:
Edited /etc/httpd/conf.d/ssl.conf file in order to include

Server Certificate
SSLCertificateFile /path/to/file

Server Private Key
SSLCertificateKeyFile /path/to/file

Certificate Authority(CA)
SSLCACertificateFile /path/to/file

Although site works with https and browser understands the certificate as valid,
How can I know if the certificate installed successfully? Browser indicates that part of the site is not trusted because of images. Should I do something else with .cer and .pem files from Entrust? How can I understand if the chain certificate is installed as intended?

Best Answer

There are two ways to verify the certificates.

Go to SSL Labs and run their SSL Server Test. Wait a bit and check the results.
Use openssl command line as follows.

Replace HOSTNAME with your actual host name. This assumes you have a valid root certificate chain configured into openssl as well.

openssl s_client -connect HOSTNAME:443

Then look for the chain in the output, something like this:

Certificate chain
 0 s:/CN=HOSTNAME
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

and at the very bottom:

Verify return code: 0 (ok)

Verify the intermediate chain

As the error seems to indicate, there is something off about your intermediate certificate chain. You should check where you got your certificate from and that you got the correct intermediate bundle.

You should verify the "hash" and "issuer's hash" of every certificate in the chain with the openssl x509 -noout -hash and openssl x509 -noout -issuer_hash commands. Try this to get the issuer hash of your certificate:

cat /path/to/cert/mysite.com.cert | openssl x509 -noout -issuer_hash

Then try to find a certificate with this hash in the sf_bundle.crt file that you specified as SSLCertificateChainFile. You may have to extract the certificates (or just copy paste them to the command):

cat first_cert_from_sf_bundle.crt | openssl x509 -noout -hash

Check all of them. If none have this hash, then something is wrong right there. Keep doing these checks until you find a certificate which has the same -hash and -issuer_hash. This is your root certificate.

If something is missing, you can check the other intermediate files here https://certs.starfieldtech.com/anonymous/repository.seam. Download these and compare their -hash against the -issuer_hash where you got stuck.

If everything is okay, then ....

Clean up the intermediate chain

I have seen this also help when you get odd validation errors. Make sure that your intermediate chain lists only the required certificates and in the correct order (it is easier if it is in PEM format). In other words, if your chain is Your cert -> cert A -> cert B -> Starfield Root cert. Try appending these in this order (you can skip the first and last) so your intermediate chain looks something like this:

-----BEGIN CERTIFICATE-----
cert A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert B
-----END CERTIFICATE-----

I personally like to keep all these certificates (personal certificate, followed by intermediate ones, followed by the root certificate) in the same file. Then I just specify this file as both the SSLCertificateFile and SSLCertificateChainFile.

Best Answer

Related Solutions

apache-2.2 ssl-certificate – Apache Using Old Expired Certificate Despite New One Installed

Ssl – Starfield Wildcard SSL Certificate Not Trusted in All Browsers

Verify the intermediate chain

Clean up the intermediate chain

Related Topic