
Apache conf with several crt files

I bought Comodo PositiveSSL and got 4 crt files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.crt

And I have this config:

<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com

SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key

ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain.com/html

<Directory /var/www/domain.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

How do I use these 3 files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

The https connection works fine, but it seems that browsers don't see my signature. I think the problem is that I need to add all 4 files to the Apache config, but I don't know how to do it.

These files are the certificate chain. There's a root domain certificate, there are intermediate certificates, and there's your own certificate.

Your own certificate is already referenced with the SSLCertificateFile. The root certificate is usually installed in the user's browser (that's what you pay for … the fact that they paid the browser vendor to include their root certificate).

But your certificate is not directly derived from the root certificate; instead there are these intermediate certificates.

Because you do not have a certificate that is directly derived from one of the root certificates in the browser, you must deliver the entire certificate chain to the user. (Yes, the root cert, too, to have a complete chain.)

It is usually done by putting all three files into one cert file (let's say intermediate.comodo.crt) and referencing it in the Apache config, too. It would look like this:

…
SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateChainFile /var/www/domain.com/intermediate.comodo.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key
…

The certificates in this file must be in the right order … root on top, and then down the chain (IIRC, but you may need to try different orders).

If your server is public, use the SSLlabs service to test your setup: https://www.ssllabs.com/ssltest/ (Note, when testing multiple times with different configurations, you must clear their cache after each change. Otherwise you'll instantly get the results from their last test of your server.)
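An added example, not code from the answer above nor from Apache or Comodo: a POSIX shell script that assembles the file SSLCertificateChainFile points at and checks it the way a browser would. Apache and TLS clients expect the chain to start with the certificate that issued the server certificate, followed by the certificate that issued that one, and so on up to the root (the root itself is optional, since the client already trusts it). The script reads each certificate's subject and issuer with openssl, sorts the CA certificates into that order no matter how they are given, and then runs openssl verify on the server certificate against the result. It assumes openssl 1.1.1 or later on PATH and file names without spaces; the "Demo ..." root, intermediate and leaf certificates that demo() creates are constructed throw-aways standing in for the Comodo files named on the page.

```shell
#!/bin/sh
# Added example for this page, not code from the original answer.
# Builds the chain file for Apache's SSLCertificateChainFile in issuer
# order (server cert's issuer first, root last) and verifies the server
# certificate against it with openssl, which is the same check a browser
# performs on what Apache sends. Assumes openssl >= 1.1.1 and paths
# without spaces. The "Demo ..." certificates below are constructed here.
set -eu

# name_of subject|issuer FILE : print that DN without the "subject=" prefix
name_of() {
  openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# build_chain OUT LEAF CA... : write the CA certs to OUT in issuer order.
# CA... may be given in any order. Stops after a self-signed cert (the
# root) or when the certs run out; fails if the next issuer is missing
# while unplaced certs remain (a stray or unrelated certificate).
build_chain() {
  out=$1 leaf=$2; shift 2
  : > "$out"
  want=$(name_of issuer "$leaf")
  rest=$*
  while [ -n "$rest" ]; do
    next=
    for c in $rest; do
      if [ "$(name_of subject "$c")" = "$want" ]; then next=$c; break; fi
    done
    if [ -z "$next" ]; then
      echo "build_chain: no certificate with subject '$want'" >&2; return 1
    fi
    cat "$next" >> "$out"
    issuer=$(name_of issuer "$next")
    if [ "$issuer" = "$want" ]; then return 0; fi   # self-signed root reached
    want=$issuer
    rest=$(printf '%s\n' $rest | grep -vxF -- "$next" | tr '\n' ' ')
    rest=${rest% }
  done
}

# verify_chain LEAF CHAIN ROOT : succeed only if LEAF chains up to the
# trusted ROOT through the certificates in CHAIN
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# chain_subjects FILE : print the CN of every certificate in FILE, in file order
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    sed -n 's/^subject=.*CN *= *//p'
}

# demo : make a throw-away root -> intermediate -> leaf, build the chain
# file from the CA certs passed in the WRONG order (root first), verify the
# leaf against it, and print the subjects in the order they ended up in.
demo() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  key='-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes'
  openssl req -x509 $key -subj '/CN=Demo Root' -days 1 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new $key -subj '/CN=Demo Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new $key -subj '/CN=www.domain.com' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 1 -out "$d/leaf.crt" 2>/dev/null
  build_chain "$d/chain.crt" "$d/leaf.crt" "$d/root.crt" "$d/int.crt"
  verify_chain "$d/leaf.crt" "$d/chain.crt" "$d/root.crt"
  subjects=$(chain_subjects "$d/chain.crt")
  rm -rf "$d"
  printf '%s\n' "$subjects"
}

demo
```

For the files on this page the same functions would be called as `build_chain intermediate.comodo.crt domain.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt` and then `verify_chain domain.com.crt intermediate.comodo.crt AddTrustExternalCARoot.crt`. Two practical notes: since Apache 2.4.8 SSLCertificateChainFile is deprecated and the chain can simply be appended to the file named by SSLCertificateFile (server certificate first, then the intermediates), with the private key staying in its own file; and once the server is reloaded, `openssl s_client -connect domain.com:443 -servername domain.com` will report `Verify return code: 0 (ok)` on a machine that trusts the root only when the served chain is complete.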
