Ssl – Apache doesn’t accept the key for a certificate when that certificate is bundled with its issuer

apache-2.4opensslpkisslssl-certificate

I am setting up a Certificate Authority for an intranet. There is a root certificate which will be installed on all the network machines, an intermediate certificate signed by the root, and a http server certificate signed by the intermediate.

I need to bundle the http and intermediate certificates in order for them to be validated by the root

#> cat intermediate.crt server.crt > both.crt
#> openssl verify -CAfile root.crt both.crt
OK

However, I can't use both.crt and server.private.key for the internal website because when apache starts:

Certificate and private key mysite.com:443:0 from /www/both.crt and /www/server.private.key do not match

This is because intermediate.crt is the first entry in both.crt. If I switch the order of server.crt and intermediate.crt then apache launches but both.crt won't validate against root.crt.

The requirement is that root.crt is installed permanently, but server.crt and intermediate.crt are subject to change and need to be served ad hoc by apache. How do I construct a certificate bundle which apache accepts?

Best Answer

Put the server certificate as the argument to the SSLCertificateFile directive and a file containing all subordinate CAs, excluding Root CA, as an argument to SSLCertificateChainFile. Finally, the private key for your server certificate as the argument to SSLCertificateKeyFile:

  SSLCertificateFile /etc/pki/tls/certs/server.pem
  SSLCertificateChainFile /etc/pki/tls/certs/bundle.pem
  SSLCertificateKeyFile /etc/pki/tls/private/server.key

Related Solutions

Ssl – How to install multiple Intermediate CA Certificate files on Apache

No, you don't need to share the root. Your visitors that have it trusted already (likely from the company who provided their OS) will already have it.
Yes, using your command should be correct, assuming they're all PEM encoded.
Per the University of Wisconsin here, order does matter, but only if you provide the root.

How to issue multiple certificates for the same Common Name

Do you need dupes? Traditionally browsers and clients required that the CommonName field of the Subject name match the hostname; modern ones prefer that an entry in the SubjectAlternativeName (SAN) extension do so. You can set other fields to differ e.g.

O=Floo Manufacturing, OU=floo server 2016, CN=www.floo.example.com
O=Floo Manufacturing, OU=floo server 2017, CN=www.floo.example.com

and the Subject DNs are unique even though CommonName by itself is not. Or with modern clients you could put www.floo.example.com in SAN and use unique Subjects with no CommonName at all. But getting openssl to do per-cert SAN is a bit inconvenient; see e.g. https://security.stackexchange.com/questions/113484/followup-to-one-liner-to-create-cert-request-with-san

To allow dupes: the official way

In your config file (which is $CAROOT/intermediate/openssl.cnf) go to the 'section' (delimited by lines of the form [somename] with optional whitespace) for your CA. Since you didn't use -name on the commandline the section name is the value of default_ca in the [ca] section or the default section (at the top before the first [somename] line); looking near your link it's probably [CA_default]. Add a line

 unique_subject=no

with spacing and following # comment optional. Or if you already have a line for this item change and/or uncomment it, but looking near your link you probably don't.

See man page ca(1ssl) on your system or the web under CONFIGURATION FILE OPTIONS.

To allow dupes: the unofficial way

Empty (truncate) the configured database file which is conventionally index.txt and looking near your link they apparently use that. Or edit that file and delete the line(s) for the subject(s) you want to re-use -- but in this situation it looks like you have only one or a few and you want to re-use it or all of them, so emptying the file is simpler.

Best Answer

Related Solutions

Ssl – How to install multiple Intermediate CA Certificate files on Apache

How to issue multiple certificates for the same Common Name

Related Topic