ssl - Which certificate chain file to include with self-signed certificate?


Edit: It may have been preferable to ask this on Server Fault, but my reputation wouldn't let me post more than 2 links. :(

I want the pages that require passwords on my website to be secure, so I followed this to create a custom SSL certificate. I also followed this, because it explains how to generate self-signed multidomain certificates (the subjectAltName allows me to get a valid certificate for example.com and *.example.com; I didn't find another way to do this).
I had to mix the commands to get what I wanted, and I think everything is OK with what I did (though I'll detail it later just in case).
Now I have to configure Apache to listen for queries on port 443 and provide SSL security on the according pages. I found this.

When defining a VirtualHost listening on port 443, it says:

    <VirtualHost 127.0.0.1:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/something.crt
        SSLCertificateKeyFile /etc/apache2/ssl/something.key
        SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
        ...
    </VirtualHost>

I think I know which files I need to specify for the SSLCertificateFile and SSLCertificateKeyFile fields, but I can't seem to figure out what SSLCertificateChainFile is. What I found by searching on Google and the Stack Exchange communities didn't get me far, so I'm asking it clearly here:

What file should I provide for SSLCertificateChainFile, and how do I create it if needed?


Here are the files I created following the instructions of the different links, with the commands I used to create them.

  • Certificate authority key (ca.key): openssl genrsa -des3 -out ca.key 1024
  • Key certificate (ca.san.csr): openssl req -new -key ca.key -out ca.san.csr -config /etc/ssl/openssl.cnf
    Here I specified the config file path because I had to change it a little bit to add subjectAltName. I checked that everything went well with openssl req -text -noout -in ca.san.csr. Everything is described here.
  • Creation and signature of the certificate (ca.san.crt): openssl x509 -req -days 3650 -in ca.san.csr -signkey ca.key -out ca.san.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf
    Again, the conf file is needed because the subjectAltNames are defined in it.
  • Server key (server.key): openssl genrsa -out server.key 1024
  • Key certificate (server.san.csr): openssl req -new -key server.key -out server.san.csr -config /etc/ssl/openssl.cnf
  • Server certificate (server.san.crt): openssl x509 -days 3650 -CA ca.san.crt -CAkey ca.key -set_serial 01 -in server.san.csr -req -out server.san.crt

For SSLCertificateFile, I thought I'd provide the server.san.crt file, as it seems the most logical thing to me, as well as the server.key file for SSLCertificateKeyFile.
SSLCertificateChainFile seems to ask for a .crt file, so it may be the only other .crt file I have, ca.san.crt, but I'm really not sure about this.

Does anyone have a hint?
Thank you for the time spent reading this.


Solution
In this particular case, since I'm using a custom certificate, SSLCertificateChainFile doesn't make sense (see the marked answer below). Thus, you just have to specify the same certificate file for both directives, SSLCertificateFile and SSLCertificateChainFile.
There's one more thing you need to do with Apache before you can use the SSL* directives. SSL is disabled by default on Apache, so you need to enable it with sudo a2enmod ssl, or when restarting Apache you'll get an error saying that you may have misspelt something in your vhosts files.
Once you have done this and restarted the server, you may connect to your vhosts with HTTPS. Your browser will tell you the certificate is not valid because it is self-signed, but your connection will be secure.

I want the pages that require passwords on my website to be secure

Just a note. As a best practice, the entire web site should be protected with SSL. Here is a blog post that explains why SSL on authentication pages only is not sufficient: Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute (although it is related to ASP MVC, other platforms are affected too).

but I can't seem to figure out what SSLCertificateChainFile is

I think this is a PKCS#7 container that contains intermediate CA certificates. For self-signed certificates, there are no other certificates, therefore (sorry, I'm not an Apache expert) this file may be:

  1. the self-signed certificate itself (only the public part)
  2. can be deleted (this file doesn't make sense for self-signed SSL certificates)
  3. empty (less likely, Apache may complain about a wrong file format).

I would go with step 1: pass the same certificate to both the SSLCertificateFile and SSLCertificateChainFile parameters.
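
An added example, not part of the original question or answer: a shell check that tells a self-signed certificate (no issuer certificate exists to put in a chain file) apart from one issued by a separate CA certificate, as in the question's ca/server pair. It builds a constructed throwaway PKI in a temp directory; the file names, subjects, 2048-bit keys and helper function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: throwaway PKI built in a temp dir; all names are placeholders.

# Create a self-signed CA and a server certificate issued by it (with SANs).
make_demo_pki() {
    dir=$1
    printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > "$dir/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/server.csr" -set_serial 01 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Succeeds when subject and issuer are identical, i.e. the certificate
# names itself as its own issuer and has no separate issuer certificate.
is_self_signed() {
    subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# Print the issuer certificate a client needs to validate the leaf:
# "none" for a self-signed leaf, the CA path if the leaf verifies against it.
chain_for() {
    leaf=$1; ca=$2
    if is_self_signed "$leaf"; then
        echo "none"
    elif openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "$ca"
    else
        echo "unknown-issuer"
    fi
}

# Demo run on the constructed certificates.
demo=$(mktemp -d)
make_demo_pki "$demo"
echo "ca.crt     -> issuer cert: $(chain_for "$demo/ca.crt" "$demo/ca.crt")"
echo "server.crt -> issuer cert: $(chain_for "$demo/server.crt" "$demo/ca.crt")"
rm -rf "$demo"
```
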

