What is a chain certificate

What is an SSL certificate chain file?

EDIT: It may have been preferable to ask this on Server Fault, but my reputation wouldn't let me post more than 2 links.

I want some pages that require passwords on my website to be secure, so I followed this to create a custom SSL certificate. I also followed this, because it explains how to generate self-signed multidomain certificates (the subjectAltName allows me to get a valid certificate for example.com and *.example.com; I didn't find another way to do this).

So I had to mix the commands to get what I wanted, and I think everything is ok with what I did (though I'll detail it later just in case).

Now I have to configure Apache to listen to queries on port 443 and provide SSL security on the according pages. So I found this.

When defining the VirtualHost listening on port 443, it says this.

I think I know which files I need to specify for the SSLCertificateFile and SSLCertificateKeyFile fields, but I can't seem to figure out what the SSLCertificateChainFile is. Everything I found by searching on Google and Stack Exchange communities hasn't helped me so far, so I am asking it clearly here.

What file should I provide for SSLCertificateChainFile, and how do I create it if needed?

Here are the files that I created by following the instructions of the different links, with the commands I used to create them.

  • Certificate authority key (ca.key): openssl genrsa -des3 -out ca.key 1024
  • Key certificate (ca.san.csr): openssl req -new -key ca.key -out ca.san.csr -config /etc/ssl/openssl.cnf
    Here I specified the config file path because I had to change it a little bit to add the subjectAltName. I could also check that everything went well with openssl req -text -noout -in ca.san.csr. Everything is described here.
  • Creation and signature of the certificate (ca.san.crt): openssl x509 -req -days 3650 -in ca.san.csr -signkey ca.key -out ca.san.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf
    Again, the conf file is needed because the subjectAltNames are defined in it.
  • Server key (server.key): openssl genrsa -out server.key 1024
  • Key certificate (server.san.csr): openssl req -new -key server.key -out server.san.csr -config /etc/ssl/openssl.cnf
  • Server certificate (server.san.crt): openssl x509 -days 3650 -CA ca.san.crt -CAkey ca.key -set_serial 01 -in server.san.csr -req -out server.san.crt

For the SSLCertificateFile, I thought I'd provide the server.san.crt file; this seems to be the most logical thing to me, as well as the server.key file for SSLCertificateKeyFile.

SSLCertificateChainFile seems to ask for a .crt file, so it may be the only other .crt file that I have, ca.san.crt, but I'm really not sure about this.

Does anybody have some hint?

Thank you for your time reading this.

For this particular case, since I am using a custom certificate, SSLCertificateChainFile doesn't make much sense (see the marked answer below). Thus, you just have to specify the same certificate file for both directives, SSLCertificateFile and SSLCertificateChainFile.

There's just one thing you need to do with Apache before you can use SSL* directives. SSL is disabled by default on Apache, so you need to enable it with sudo a2enmod ssl, or when restarting Apache you will get an error saying you may have misspelt something in your vHosts files.

Once you have done this and restarted the server you may connect on your vHosts with HTTPS. Your browser will tell you that the certificate is not valid because it is self-signed, but your connection will be secure.

Source: stackoverflow.com
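An added example, not part of the original post or its answers: it builds a throwaway root CA, an intermediate CA and a server certificate to show what a chain file holds (the intermediate certificates between the server certificate and a root the client already trusts) and how to check that the chain verifies and the subjectAltName survived signing. The file names, subjects, 2048-bit keys and the three-level hierarchy are assumptions of the example; with a single self-signed CA as in the question there is no intermediate to list.

```shell
#!/bin/sh
# Added example with constructed names and throwaway keys: root CA -> intermediate CA -> server.
# The chain file is the intermediate certificate(s) the server sends along with its own cert.
make_demo_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused-default
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.com,DNS:*.example.com
EOF
  for n in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" -subj "/CN=demo-$n" 2>/dev/null || return 1
  done
  # x509 -req does not copy extensions from the CSR, so every signing step names them via -extfile.
  openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/pki.cnf" -extensions ca -out "$dir/root.crt" 2>/dev/null || return 1
  openssl x509 -req -days 30 -in "$dir/inter.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -set_serial 01 -extfile "$dir/pki.cnf" -extensions ca \
    -out "$dir/inter.crt" 2>/dev/null || return 1
  openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/inter.crt" \
    -CAkey "$dir/inter.key" -set_serial 02 -extfile "$dir/pki.cnf" -extensions server \
    -out "$dir/server.crt" 2>/dev/null || return 1
  cp "$dir/inter.crt" "$dir/chain.pem"   # the file SSLCertificateChainFile would point to
}

# Client view: only root.crt is trusted; the server supplies server.crt plus chain.pem.
verify_with_chain()    { openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.pem" "$1/server.crt" 2>/dev/null | grep -q ': OK'; }
verify_without_chain() { openssl verify -CAfile "$1/root.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK'; }
has_wildcard_san()     { openssl x509 -in "$1/server.crt" -noout -text | grep -q 'DNS:\*\.example\.com'; }
```

Run `make_demo_pki "$(mktemp -d)"` and then the three checks on that directory: verification succeeds only when the intermediate is supplied, which is the gap a chain file fills.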
