SUSE Support

Here When You Need Us

Using Apache SSL default certificates or third party certificates on SLES

This document (7004384) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
 

Situation

To get SSL sites working using the default certificates or third party certificates.

Resolution

Enable SSL

YaST | Network Services | HTTP Server | Server Modules | Enable SSL module

Copy the vhost-ssl.template to vhost-ssl.conf (to create a new .conf file)
Under /etc/apache2/vhosts.d/

cp vhost-ssl.template vhost-ssl.conf

Default certs:

Create the default certificates by doing the following, if they do not already exist.

Use YaST  - Go to Security and Users | Common Server Certificate and select Finish, that’s all.

(It will create the default certificates and put them at the location /etc/ssl/servercerts/ servercert.pem and serverkey.pem)

Test SSL using default certificates
In vhost-ssl.conf file reference the default server certificates.
Edit the vhost-ssl.conf file and change it to reference the default server certificates including the path.

# Server Certificate:
SSLCertificateFile /etc/ssl/servercerts/servercert.pem
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

rcapache2 restart

For third party certs:
- See above part that entails enabling SSL.

- To use a Third Party certificate with Apache2 on SLES 10 or SLES 11, at a minimum, a server certificate and a server certificate private key files are needed. In addition to that, an intermediate certificate and/or a certificate bundle may be needed and used if they are provided by the Third Party vendor.

 

The Third Party server certificate needs to be in PEM format to work with Apache2 and is usually already in that format.
If it is needed, convert the Third Party certificate to PEM format, using the following openssl command. 

Change Directories to the linux directory wherever the Third Party certs are placed, for this example: /etc/ssl/servercerts

openssl x509 -in servercertificate.crt -out mycert.pem -outform PEM

 

The private key certificate file may need to be extracted, if the Third Party Certificate has been already imported to eDirectory.  Extract and get the private key certificate file, by doing the following:

 

Export the Personal Information Exchange File using iManager.

1. In iManager, go to xxxxxx Certificate Access | Server Certificates
2. Select the Third Party Certificate, check box and click Validate. It should come back as Valid.
3. Select the Third Party Certificate by checking the box again.
4. Select Export and select the Third Party Certificate name in the ‘certificates’ drop down list of the certificates to export.
5. Select "Export private key" and "Include all certificates in the certification path if available."
6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password may be used in a future step.
7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on the server. The default file name is cert.pfx

8. On the server run the following openssl command to extract the private key certificate file.

 

openssl pkcs12 -in cert.pfx -nocerts -out mykey.key

 

The server certificate can be extracted from the cert.pfx file as needed using the following command:

 

openssl pkcs12 -in cert.pfx -nokeys -out mycert.crt


Decrypt the private key if needed, using the openssl command. Type in the passphrase to complete the command (optional - to keep from having to enter the passphrase every time apache reloads)

openssl rsa -in Privatekey.key -out mykey.key

Edit the vhost-ssl.conf file and change it to reference or point to the server certificate and private key certificate including the correct path.
Sometimes reference an intermediate certificate and/or bundle certificate, if one is provided from the Third Party vendor.
Using /etc/apache2/vhosts.d/vhost-ssl.conf

# Server Certificate:
SSLCertificateFile /etc/ssl/servercerts/mycert.pem    (or mycert.crt)
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/servercerts/mykey.key

...and sometimes point to the intermediate certificate, if there is one...

 

# Server Certificate Chain:

SSLCertificateChainFile /etc/ssl/servercerts/intermediate.crt

 

...and sometimes point to the bundle, if there is one...

# Certificate Authority (CA):
SSLCACertificateFile /etc/ssl/servercerts/ca-bundle.crt

rcapache2 restart

Additional Information

Enable SSL port (port 443) on the firewall. By default this port is close for the external traffic. Go to YaST -> Security and Users -> Firewall. Click on Allowed Services and chose HTTPS Server from the drop down menu and click Add. HTTPS Server will be added to the list of allowed services for the firewall. Click Next and Accept.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7004384
  • Creation Date: 04-Sep-2009
  • Modified Date:10-Mar-2021
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.