
Installation Instructions for Multiple Types of Certificate Algorithms using Apache

Solution

This document provides instructions for installing certificates with multiple types of key algorithms (for example, RSA- or ECC-based certificates) in parallel. Apache Web Server 2.4.x allows this type of configuration. The later versions of the Apache Web Server 2.2.x releases do allow for configuration of RSA certificates, but ECC support needs to be patched in. If you are not able to follow these steps, Symantec recommends that you contact the server vendor or an organization that supports Apache.

To install multiple types of certificate key algorithms on Apache Server, perform the following steps:

Step 1: Download the updated Symantec Intermediate CA certificate
 
  1. Go to: Symantec Intermediate CA Certificates page.
  2. Select the appropriate CA certificate for your SSL product.
    NOTE: If you are not sure which certificate you have purchased, follow the steps from the following links.
  3. Copy the Intermediate CA into a text file and name it intermediate.crt
  4. This file can be placed in the same directory as the SSL Certificate. For example: /usr/local/ssl/crt


Step 2: Install the SSL certificate

  1. The Symantec certificate will be sent by email. The certificate is provided as a download link, as an attachment (Cert.cer), and embedded in the body of the email.

    The text file should look like:

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----

     
  2. Make sure there are 5 dashes on either side of BEGIN CERTIFICATE and END CERTIFICATE, and that no whitespace,
    extra line breaks or additional characters have been inadvertently added.

    NOTE:
  3. To follow the naming convention for Apache, rename the certificate filename with the .crt extension. For example: public.crt
  4. Copy the certificate into the directory that you will be using to hold the certificates. For example: /usr/local/ssl/crt/.
     

Step 3: Configure Apache web server for multiple certificate installation

  1. To use the key pair, you need to update the configuration file. For example, httpd-ssl.conf.
  2. Locate the following directives in the configuration files. Verify that you have the following 3 directives in this virtual host. Add them if they are not present: 

    SSLCertificateFile /usr/local/ssl/crt/public.crt  

    SSLCertificateKeyFile /usr/local/ssl/private/private.key 

    SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt


    To configure multiple types of certificates, you need to update the values of the following 3 directives in the httpd-ssl.conf configuration file to point to the relevant values.

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate. If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase. Note that a kill -HUP will prompt again.
    #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
    #   require an ECC certificate which can also be configured in
    #   parallel.
    SSLCertificateFile "/usr/local/ssl/crt/public-rsa.crt"
    SSLCertificateFile "/usr/local/ssl/crt/public-ecc.crt"
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file. 
    #   ECC keys, when in use, can also be configured in parallel
    SSLCertificateKeyFile "/usr/local/ssl/private/private-rsa.key"
    SSLCertificateKeyFile "/usr/local/ssl/private/private-ecc.key"
    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    SSLCertificateChainFile "/usr/local/ssl/crt/intermediate.crt"

    NOTE: The SSLCertificateChainFile contains the Intermediate CA certificates for the signature algorithms of the
    Symantec Managed PKI for SSL certificates (e.g. RSA and ECC). The first directive tells Apache where to find the certificate file,
    the second where the private key is located, and the third the location of the Intermediate CA certificates. If you are using
    different locations and certificate file names than the example above (which you most likely are), change the paths and filenames to reflect your server.
     
  3. Save your httpd-ssl.conf file and restart Apache. To do this, you can usually use the apachectl script.
    For details on stopping and restarting Apache HTTP Server, see the article here.

    apachectl -k stop

    apachectl -k start

     
  4. You should now be set to use your Symantec certificates with your Apache-SSL Server.
  5. Verify your installation with the Symantec CryptoReport
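
With an RSA pair and an ECC pair configured side by side, an easy mistake in Step 3 is pointing an SSLCertificateKeyFile at the key that belongs to the other certificate. The shell script below is an added example, not part of the original article: it builds a constructed self-signed RSA pair and ECC pair under the article's file names in a temporary directory and confirms that each certificate and key share a public key. It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): check that every
# SSLCertificateFile is paired with the SSLCertificateKeyFile that belongs to it.
# File names follow the article; the key material is constructed test data.

# Public-key algorithm of a certificate: "rsaEncryption" or "id-ecPublicKey".
cert_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Succeeds only if certificate ($1) and private key ($2) share a public key.
# Returns 2 if either file cannot be parsed, so a bad PEM never counts as a match.
pair_matches() {
    pm_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    pm_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$pm_cert" ] && [ "$pm_cert" = "$pm_key" ]
}

# Build a throwaway RSA pair and ECC pair (self-signed, valid for one day).
make_sample_pairs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rsa.example.test" \
        -keyout "$1/private-rsa.key" -out "$1/public-rsa.crt" 2>/dev/null &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/private-ecc.key" &&
    openssl req -x509 -new -key "$1/private-ecc.key" -days 1 \
        -subj "/CN=ecc.example.test" -out "$1/public-ecc.crt" 2>/dev/null
}

# Check both pairs as they are listed in httpd-ssl.conf; print one line each.
check_pairs() {
    cp_status=0
    for cp_alg in rsa ecc; do
        if pair_matches "$1/public-$cp_alg.crt" "$1/private-$cp_alg.key"; then
            echo "OK       $cp_alg ($(cert_algorithm "$1/public-$cp_alg.crt"))"
        else
            echo "MISMATCH $cp_alg"; cp_status=1
        fi
    done
    return "$cp_status"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_pairs "$SAMPLE_DIR" && check_pairs "$SAMPLE_DIR"
```

Run the same pair_matches check against the real files named in httpd-ssl.conf, followed by `apachectl configtest`, before the restart in item 3.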


Apache-SSL

          For more information, see the Apache Support website