@plembo
Created October 23, 2018 15:35
OpenSSL certs for Apache

Make a new openssl-server.cnf under /etc/pki/tls that includes Subject Alternative Names (modern browsers match the hostname against the SAN list only and ignore the Common Name, so a cert without a SAN is rejected):

openssl-server.cnf

HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only

####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina

localityName = Locality Name (eg, city)
localityName_default = Raleigh

organizationName = Organization Name (eg, company)
organizationName_default = Lembo Heavy Industries, Inc.

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = portal.casalembo.com

emailAddress = Email Address
emailAddress_default = [email protected]

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names

####################################################################
[ alternate_names ]

DNS.1 = portal.casalembo.com

Create the private key (keep the file readable by root only, mode 0600; httpd reads it at startup before dropping privileges):

openssl genrsa -out private/portal.casalembo.com.key 2048

Create certificate request:

openssl req -new -key private/portal.casalembo.com.key -out portal.casalembo.com.csr -config ./openssl-server.cnf

Install certificates:

The bundle from DigiCert contains the X.509 server cert and a link to the intermediate certs. Clients need both to build a chain to a trusted root, so download the intermediate(s) to a file called digicert-chain.crt.

My convention is to name cert for Apache vhost, like portal.casalembo.com.crt.

Certs go in /etc/pki/tls/certs.

Add a vhost to /etc/httpd/conf.d/ssl.conf with the paths to the private key, the server cert and the intermediate chain.

SSLCertificateKeyFile /etc/pki/tls/private/portal.casalembo.com.key
SSLCertificateFile /etc/pki/tls/certs/portal.casalembo.com.crt
SSLCertificateChainFile /etc/pki/tls/certs/digicert-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

That last directive (SSLCACertificateFile) is not part of serving your own chain: mod_ssl uses it only to validate client certificates, so it matters only when SSLVerifyClient is enabled. Where you do set it, ca-bundle.crt is current as long as "yum update ca-certificates" has been run recently. Note also that SSLCertificateChainFile is deprecated since httpd 2.4.8; on those versions you can instead append digicert-chain.crt to portal.casalembo.com.crt (server cert first) and point SSLCertificateFile at the combined file.
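The whole procedure run end to end, as an added example that is not part of the gist. It writes a constructed copy of the config above (prompt-free so it scripts cleanly, emailAddress dropped, extendedKeyUsage = serverAuth added), generates the key under umask 077, builds the CSR, and then performs the checks worth doing before ordering and before restarting httpd: the SAN really is in the CSR and in the issued cert, the key on disk matches the cert, and the cert verifies against the trust bundle only when the intermediate is supplied. Since no DigiCert-issued certificate is available offline, a throwaway root and intermediate CA created in the same script stand in for ca-bundle.crt and digicert-chain.crt, and a temporary directory stands in for /etc/pki/tls; all paths, the CA names and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes openssl 1.1.1+ is in PATH.
# A temp dir stands in for /etc/pki/tls; a throwaway root + intermediate CA built
# below stands in for DigiCert (root = ca-bundle.crt, intermediate = digicert-chain.crt).
set -eu

FQDN="portal.casalembo.com"
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl-server.cnf"
KEY="$WORK/private/$FQDN.key"
CSR="$WORK/$FQDN.csr"
CRT="$WORK/certs/$FQDN.crt"
ROOT="$WORK/certs/ca-bundle.crt"        # stand-in for the OS trust bundle
CHAIN="$WORK/certs/digicert-chain.crt"  # stand-in for the downloaded intermediate

write_config() {  # $1 = path. Constructed copy of the gist's config: prompt-free, no email,
                  # extendedKeyUsage added, plus a v3_ca section used only by the stand-in CA.
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only

[ server_distinguished_name ]
C  = US
ST = North Carolina
L  = Raleigh
O  = Lembo Heavy Industries, Inc.
CN = portal.casalembo.com

[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = portal.casalembo.com

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

gen_key() {  # $1 = path. umask 077 so the key file is created 0600, never world-readable
  (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

key_perms_ok() {  # $1 = path. True when group and other have no permission bits at all
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

gen_csr() {  # $1 = key, $2 = config, $3 = CSR out (the gist's command, minus the prompts)
  openssl req -new -key "$1" -config "$2" -out "$3"
}

pem_has_san() {  # $1 = req|x509, $2 = file, $3 = DNS name. True if the SAN list carries DNS:$3
  openssl "$1" -in "$2" -noout -text | grep -qE "(^|[[:space:],])DNS:$3([[:space:],]|\$)"
}

key_matches_cert() {  # $1 = key, $2 = cert. The public key derived from each must be identical
  kpub=$(openssl pkey -in "$1" -pubout)
  cpub=$(openssl x509 -in "$2" -pubkey -noout)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

verify_chain() {  # $1 = leaf, $2 = trust anchors, $3 = intermediates file, or "" for none
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

make_stand_in_ca() {  # self-signed root plus an intermediate, both CA:TRUE with keyCertSign
  gen_key "$WORK/root.key"
  openssl req -x509 -new -key "$WORK/root.key" -config "$CNF" -subj "/CN=Stand-in Root" \
    -extensions v3_ca -days 1 -out "$ROOT"
  gen_key "$WORK/int.key"
  openssl req -new -key "$WORK/int.key" -config "$CNF" -subj "/CN=Stand-in Intermediate" \
    -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$CNF" -extensions v3_ca -out "$CHAIN" 2>/dev/null
}

issue_leaf() {  # $1 = CSR, $2 = cert out. Plays the CA: signs the CSR with the server extensions
  openssl x509 -req -in "$1" -CA "$CHAIN" -CAkey "$WORK/int.key" -CAcreateserial -days 1 \
    -sha256 -extfile "$CNF" -extensions server_req_extensions -out "$2" 2>/dev/null
}

mkdir -p "$WORK/private" "$WORK/certs"
write_config "$CNF"
gen_key "$KEY"
gen_csr "$KEY" "$CNF" "$CSR"
pem_has_san req "$CSR" "$FQDN" || { echo "CSR lacks DNS:$FQDN, fix the config first" >&2; exit 1; }
make_stand_in_ca
issue_leaf "$CSR" "$CRT"
key_matches_cert "$KEY" "$CRT" && echo "key and cert match"
verify_chain "$CRT" "$ROOT" "$CHAIN" && echo "cert verifies when the intermediate is supplied"
verify_chain "$CRT" "$ROOT" "" || echo "without the intermediate the chain is incomplete (expected)"
echo "artifacts in $WORK"
```

The last two verify calls are the real test for the vhost: on the server, run the same openssl verify with -CAfile /etc/pki/tls/certs/ca-bundle.crt and -untrusted digicert-chain.crt against portal.casalembo.com.crt; if it does not report OK, clients that cannot fetch the missing intermediate themselves will see an incomplete chain no matter what the directives say.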

There's an article on rebuilding (and updating) the whole CA Trust library on RHEL here:

https://access.redhat.com/solutions/1549003

A lot of people do this manually by going to a particular URL () and copying the file into /etc/pki/tls/certs, a nice minimalist approach that will survive until someone runs the next yum update for ca-certificates.
