How to install a SWITCHpki QuoVadis certificate in the Apache HTTP server
For the Apache HTTP server and mod_ssl, the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives are used to configure the server's certificate. There are two possible options, which apply to both Apache HTTP server 2.2.x and 2.4.x:
Server certificate and intermediate CA in the same file
Requires Apache HTTP server versions 2.4.8 and later
The SSLCertificateFile and SSLCertificateChainFile directives can refer to the same file name, provided that this file includes both the server certificate and the intermediate CA certificate (concatenated, in PEM format). In this case, the configuration looks like this:
SSLCertificateKeyFile myserver.key
SSLCertificateFile myserver.crt.pem
# SSLCertificateChainFile is needed for the Apache HTTP server up to 2.4.7
SSLCertificateChainFile myserver.crt.pem
A properly formatted file for use with this option can be retrieved from the SWITCHpki download page, where it is listed as Server certificate with chain in PEM format.
The advantage of this option is that it is future-proof: with the Apache HTTP server 2.4.8 and later, the SSLCertificateChainFile directive is obsolete (it is deprecated in favor of a more versatile form of the SSLCertificateFile directive, which can include intermediate CA certificates as well, making it possible to use a single configuration directive and file).
Enabling OCSP Stapling
Apache has supported OCSP Stapling since version 2.4. Enabling OCSP Stapling is highly recommended. (Also see this IAB Statement on OCSP Stapling.)
The following instructions describe how to enable OCSP Stapling in Apache. For detailed information on the various statements and for specific configuration needs, please consult the Apache SSL Documentation.
DISCLAIMER: SWITCH provides these configurations on best effort. Please carefully check whether this configuration suits your needs.
Red Hat Enterprise Linux 7, CentOS 7, and Fedora 20
You need to add the following configuration to the file /etc/httpd/conf.d/ssl.conf:
# OCSP Stapling
SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off
You need to add these statements before the following existing lines:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
Ubuntu (14.04 LTS), Debian (8 "jessie")
You need to add the following configuration to the file /etc/apache2/mods-available/ssl.conf:
# OCSP Stapling
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off
You need to add these statements before the following existing line:
</IfModule>
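After deploying either configuration, two things are worth verifying from the command line: that the combined PEM file really holds the server certificate first and its issuing intermediate CA second (the order Apache expects), and that the server actually staples an OCSP response once SSLUseStapling is on. The script below is an added example, not part of the SWITCHpki page or its tooling; it assumes the openssl command-line tool is installed, and myserver.crt.pem and myserver.example.org are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for a "server certificate with chain" PEM file
# and for OCSP stapling on a running Apache. Assumes the openssl CLI is present.

# Number of PEM certificate blocks in FILE (0 if none).
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th PEM certificate block of FILE (1-based).
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# FILE must contain at least two certificates; the first (server certificate)
# must be issued by the second (intermediate CA), and the server certificate
# must verify against the intermediate plus the system trust store.
check_chain_file() {
  f=$1
  n=$(count_pem_certs "$f")
  [ "$n" -ge 2 ] || { echo "$f: expected at least 2 certificates, found $n"; return 1; }
  issuer=$(nth_cert "$f" 1 | openssl x509 -noout -issuer)
  subject=$(nth_cert "$f" 2 | openssl x509 -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || {
    echo "$f: first certificate is not issued by the second (wrong order?)"; return 1; }
  tmp=$(mktemp) && nth_cert "$f" 2 > "$tmp"
  nth_cert "$f" 1 | openssl verify -untrusted "$tmp" >/dev/null
  rc=$?; rm -f "$tmp"; return $rc
}

# Succeeds only if HOST:443 includes a stapled OCSP response in the handshake.
check_stapling() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null |
    grep -q 'OCSP Response Status: successful'
}

# Usage with placeholder names:
#   check_chain_file myserver.crt.pem && check_stapling myserver.example.org
```

If check_stapling fails right after a restart, retry after a few seconds: Apache fetches the first OCSP response lazily, and with SSLStaplingReturnResponderErrors off a failed fetch simply yields no stapled response rather than an error.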