
Install SwissSign SSL Server Certificate in Apache

Install Apache (Ubuntu)

Install and enable Apache and its SSL module on your computer, e.g. on Ubuntu:

  • sudo apt-get install apache2

If SSL is not yet enabled (i.e. the file /etc/apache2/mods-enabled/ssl.load does not exist or is not a link to /etc/apache2/mods-available/ssl.load), enable the ssl module:

  • sudo a2enmod ssl

Enable the default SSL configuration. This links the existing file /etc/apache2/sites-available/default-ssl to /etc/apache2/sites-enabled/default-ssl (if the example configuration has another name on your system, use that name instead of default-ssl):

  • sudo a2ensite default-ssl

Configure Apache

Edit the configuration file, e.g. /etc/apache2/sites-enabled/default-ssl:

Change the following lines (use your certificate filename instead of filename):

Old Value:

  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

New Value:

  SSLCertificateFile /etc/ssl/certs/filename.pem
  SSLCertificateKeyFile /etc/ssl/private/filename.key
  SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

Install Certificate and Key

If you download your certificate from http://SwissSign.com, it is a *.p12 file (in PKCS#12 format). For installation in Apache you need to split it into a key file and a certificate file.

In this tutorial, the filename of the downloaded certificate is filename.p12.

Get the plain keyfile (without password encryption) and the certificate from the PKCS#12 file:

  • openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts
  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts
  • openssl pkcs12 -in filename.p12 -out server-ca.crt -nodes -nokeys -cacerts

Move the files into the Apache configuration:

  • sudo mv filename.pem /etc/ssl/certs/
  • sudo mv filename.key /etc/ssl/private/
  • sudo mkdir /etc/apache2/ssl.crt/
  • sudo mv server-ca.crt /etc/apache2/ssl.crt/

Reload Apache - Done!

Reload the Apache configuration and you're done:

  • sudo service apache2 reload
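
A check to run on the split files before the reload (an added example, not part of the original tutorial): it confirms that the extracted key belongs to the certificate, that the unencrypted key is not world-accessible, and that the certificate has not expired. The function name check_tls_files is hypothetical, and the script assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: sanity-check the files produced by the pkcs12 split.
# check_tls_files is a hypothetical helper name, not an OpenSSL or Apache tool.
# Usage: sh check.sh /etc/ssl/certs/filename.pem /etc/ssl/private/filename.key

check_tls_files() {
    cert=$1 key=$2 rc=0

    # 1. The certificate must carry the public half of this private key.
    #    Both commands print the same public-key PEM when the files match; the
    #    "Bag Attributes" text pkcs12 writes before the PEM block is ignored.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        rc=1
    fi

    # 2. The key was exported with -nodes, so file permissions are its only
    #    protection: reject a key that grants any access to "other".
    mode=$(stat -c %a "$key")        # GNU stat syntax
    case $mode in
        *0) ;;
        *)  echo "FAIL: $key has mode '$mode' (world-accessible)" >&2; rc=1 ;;
    esac

    # 3. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable" >&2
        rc=1
    fi

    return $rc
}

# Run the check when the script is called with a certificate and a key.
if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

The function returns 0 only when all three checks pass, so it can gate the reload: `check_tls_files cert key && sudo service apache2 reload`.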

Remember: OpenSSL Certificate Conversions

Extract Client Certificate File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts

Extract CA Certificate File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -cacerts

Extract Key File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts

Extract Password Encrypted Key File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nocerts

Change PKCS#12 Password:

  • openssl pkcs12 -in old-filename.p12 -nodes > x && openssl pkcs12 -export -in x -out new-filename.p12; rm x

Generate PKCS#12 File from Key and Certificate Files:

  • openssl pkcs12 -export -in filename.pem -inkey filename.key -out filename.p12

Download certificate with Certificate Encoding PEM, deselect PKCS#7 Format and select Include Certificate Chain.