I. If you're making your own numbers:
You just need a certificate and a private key. These can be encoded in one PEM file. It's easy to make your own PEM file with your own self-signed cert on a vanilla RedHat apache:
cd /etc/httpd/conf/
make host.domain.tld.pem
mv host.domain.tld.pem ssl.crt/
Just be sure to edit ssl.conf to reference the new cert. You can replace:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
With just:
SSLCertificateFile /etc/httpd/conf/ssl.crt/host.domain.tld.pem
and then restart apache.
II. If you're buying numbers:
You'll probably be asked to:
- Generate a .key
- Generate a .csr
- Give the CSR to the company and get back a .crt
Then have your httpd.conf reference the above respectively with the mod_ssl directives:
- SSLCertificateKeyFile /usr/local/ssl/private/verisign.key
- N/A
- SSLCertificateFile /usr/local/ssl/certs/cert.crt
Once you have your cert you can look it over and see relevant things like how long it will be valid for with:
openssl x509 -noout -text -in cert.crt
Note that you might also run into intermediate certificates, which Apache can reference with either of the following directives:
SSLCertificateChainFile /usr/local/ssl/certs/intermediate.crt
SSLCACertificateFile /usr/local/ssl/certs/intermediate.crt
depending on your version of Apache.
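The key, CSR and cert steps from section II, followed by two checks worth running before pointing Apache at the files: that the returned cert actually belongs to your key, and that it is not about to expire. This is an added example, not part of the original post. The names server.key and server.csr are constructed, and the company's signing step is simulated by self-signing so the script runs offline.

```shell
#!/bin/sh
# Added example: server.key / server.csr are constructed names; cert.crt and
# host.domain.tld are taken from the post. Assumes the openssl CLI is installed.

# make_key_and_csr DIR CN: generate the .key and the .csr you hand to the company.
make_key_and_csr() {
    # umask 077 keeps the private key unreadable by other users from creation.
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# simulate_ca DIR DAYS: stand-in for the company returning a .crt.
# A real CA signs the CSR with its own key; here the CSR is self-signed.
simulate_ca() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days "$2" -out "$1/cert.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
# A mismatch here is what makes mod_ssl refuse to start with the pair.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# valid_for_days CERT DAYS: succeed if CERT is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
make_key_and_csr "$demo" host.domain.tld && simulate_ca "$demo" 30
key_matches_cert "$demo/server.key" "$demo/cert.crt" && echo "key matches cert"
valid_for_days "$demo/cert.crt" 7 && echo "valid for at least 7 more days"
rm -rf "$demo"
```

The same two functions can be pointed at the real files named in your SSLCertificateKeyFile and SSLCertificateFile directives.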