Apache conf with several crt files

I bought Comodo PositiveSSL and got 4 crt files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.crt

And I have this config:

<VirtualHost *:443>
    ServerName domain.com
    ServerAlias www.domain.com

    SSLEngine on
    SSLCertificateFile /var/www/domain.com/domain.com.crt
    SSLCertificateKeyFile /var/www/domain.com/domain.com.key

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/domain.com/html

    <Directory /var/www/domain.com/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

How do I use these 3 files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

https connection works fine, but it seems that browsers don't see my signature. I think the problem is to add all 4 files to apache config, but I don't know how to do it.

These files are the certificate chain. There's a root domain certificate, there are intermediate certificates, and there's your own certificate.

Your own certificate is already referenced with the SSLCertificateFile. The root certificate is usually installed in the user's browser (that's what you pay for … the fact that they paid the browser vendor to include their root certificate).

But your certificate is not directly derived from the root certificate, but there are these intermediate certificates.

Because you do not have a certificate that is directly derived from one of the root certificates in the browser, you must deliver the entire certificate chain to the user. (Yes, the root cert, too, to have a complete chain.)

It is usually done by putting all of the three files into one cert file (let's say intermediate.comodo.crt) and referencing them in the Apache config, too. It would look like this:

    …
    SSLEngine on
    SSLCertificateFile /var/www/domain.com/domain.com.crt
    SSLCertificateChainFile /var/www/domain.com/intermediate.comodo.crt
    SSLCertificateKeyFile /var/www/domain.com/domain.com.key
    …

The certificates in this file must be in the right order … root on top, and then down the chain (IIRC, but you may need to try different orders).

If your server is public, use the SSLlabs service to test your setup: https://www.ssllabs.com/ssltest/ (Note, when testing multiple times with different configurations, you must clear their cache after each change. Otherwise you'll instantly get the results from their last test of your server.)
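An added example (not from the question or the answer) that builds the intermediate.comodo.crt file the answer describes from the four files named in the question and checks it locally with openssl before touching the Apache config. It orders the certificates leaf-issuer first and root last, which is the order Apache sends and browsers walk, and assumes openssl is installed and the files sit in the current directory.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the four PEM files named in
# the question sit in the current directory and that openssl is installed.
set -e

# Concatenate CA certificates into one chain file. Pass them leaf-issuer first and
# root last: in a TLS handshake each certificate must be followed by its signer.
build_chain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    cat "$f" >> "$out"
    # add a newline if the file lacks one, or the next BEGIN line gets glued to END
    if [ -n "$(tail -c1 "$f")" ]; then printf '\n' >> "$out"; fi
  done
}

# Number of certificates in a PEM bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Check that every certificate in the bundle is directly followed by its issuer
# (the order browsers walk the chain in); returns 1 at the first mismatch.
chain_is_ordered() {
  bundle="$1"; tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/" n ".pem") }' "$bundle"
  n=$(count_certs "$bundle"); i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { ok=1; break; }
    i=$((i + 1))
  done
  rm -rf "$tmp"; return "$ok"
}

# Validate the server certificate against the chain, trusting only the root.
verify_chain() { openssl verify -CAfile "$3" -untrusted "$2" "$1"; }

# Run with "./build_chain.sh run" to produce intermediate.comodo.crt and check it.
if [ "${1:-}" = "run" ]; then
  build_chain intermediate.comodo.crt COMODORSADomainValidationSecureServerCA.crt \
    COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt
  chain_is_ordered intermediate.comodo.crt && echo "chain order OK"
  verify_chain domain.com.crt intermediate.comodo.crt AddTrustExternalCARoot.crt
fi
```

On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; the same intermediates can instead be appended after the server certificate in the file named by SSLCertificateFile.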
