我使用的是 Apache 2.4.12,所以 SSLCertificateChainFile 现在已过时,任何中间证书都应该包含在服务器证书文件中.但是,我无法弄清楚如何执行此操作——除了仅 指定文件中的站点证书之外的任何证书组合都会导致无效密钥错误.如何在我使用 SSLCertificateFile?
解决方案摘自 Apache 2.4 Module mod_ssl 文档:
SSLCertificateFile 指令
这些文件还可能包括中间 CA 证书,从叶到根排序.这在 2.4.8 及更高版本中受支持,并且已过时 SSLCertificateChainFile.
这意味着 SSLCertificateFile 指令现在(2.4.8 之后)接受具有完整证书链(从叶子到根)的文件.如果您的服务器证书在 domain.crt 中,而 CA 链文件在 domain-ca.crt 中,则需要将这两个文件从叶子连接到root,即以您的服务器证书开头,如
cat domain.crt domain-ca.crt >包.crt并在您网站的 conf 文件中使用该文件:
SSLCertificateFile/path/to/bundle.crt(例如,使用Ubuntu默认路径,这些文件将存储在/etc/apache2/ssl/.)
I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however--any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?
解决方案Taken from the Apache 2.4 Module mod_ssl documentation:
SSLCertificateFile Directive
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.
What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in
cat domain.crt domain-ca.crt > bundle.crtand use that file inside your site's conf file:
SSLCertificateFile /path/to/bundle.crt(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)
更多推荐
SSLCertificateChainFile 已过时
发布评论