httpd-users mailing list archives

Subject Re: [users@httpd] How to enable 443 on apache2 using provided key files
Date Sun, 05 Feb 2017 17:41:08 GMT
It turns out the approach I described did in fact work.  The password was requested from the
administrator and the site behaved well.

The only deviation I had to make was that the SSLCACertificateFile parameter interpreted a
space in the filename as delimiting a second invalid parameter.  The file was renamed to eliminate
all whitespace and the SSLCACertificateFile parameter was adjusted to the new filename.  Server
appears to be running fine.


On 2/2/2017 at 6:31 PM, wrote:
>On 2/2/2017 at 1:27 PM, "Erik Dobák" <> wrote:
>>well i am still unsure about the full encryption. i don't like that. if
>>there is a problem the overheads grow to analyze the situation. what about
>>just signing the messages? i mean if you have messages for all do you
>>want to hide them?
>Because the site has a user authentication portal.  The owner of 
>the server does not want user passwords being sent in plaintext.  
>Some portions of the site are not open to the public.  There is 
>computational overhead, but they have invested in hardware 
>sufficient for managing that.  The problem I am faced with is a 
>software/compatibility/standards issue.
>I wholeheartedly believe in the open internet model though and my 
>own personal sites are available on our favorite port 80, as well 
>as port 443 (via for the paranoid who think the 
>gov't can't see it.
>>On 2 February 2017 at 17:54, <> wrote:
>>> Hello,
>>> There is a freshly installed (from Ubuntu 16.04 package) apache
>>> running in a large institution that needs to have port 443
>>> enabled.  I am helping a friend of mine configure this server and, at the
>>> same time, writing a document for reproducing the installation
>>> that will be published online.  The server has its own subdomain and the
>>> system administrator generated encryption keys to be used for this server.
>>> The administrator is talented, but seems to be inexperienced in
>>> solutions, so outside help is needed.  As a courtesy to my friend, whom I'm
>>> helping set this up, I've anonymized the TLD from the filename, but the
>>> files are as follows:
>>> Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-
>>> SSL Certificate -
>>> I personally do not have easy access to these files, but I can
>>> actions to be performed on them.  I had not previously been acquainted with
>>> P12 files until now.  I found a website that seems to be able help me
>>> export data from the P12 file into a data format that apache
>>> use:
>>> SSL+certificate+in+apache+ubuntu+server
>>> After reading through this website, I proposed these steps:
>>> sudo openssl pkcs12 -in /vault/ -nocerts -out /vault/private.pem
>>> sudo openssl rsa -in private.pem -out /vault/key.pem
>>> sudo openssl pkcs12 -in /vault/ -clcerts -nokeys -out /vault/cert.pem
>>> sudo openssl pkcs12 -in /vault/_.example.p12 -nokeys -cacerts -out /vault/CAchain.pem
>>> And then modify ./sites-available/site-443.conf with the lines:
>>> SSLCertificateFile /vault/cert.pem
>>> SSLCertificateKeyFile /vault/key.pem
>>> SSLCertificateChainFile /vault/CAchain.pem
>>> SSLCACertificateFile /vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
>>> We tried some of the openssl commands in that document, but we don't have
>>> the password.  The file named "SSL Certificate - " is
>>> unused, and that does concern me that I'm either neglecting a critical file
>>> or needlessly duplicating it.  Before asking the administrator for a
>>> password, we have questioned whether we are making this
>>> difficult and were curious if there is a solution where these files can be
>>> used directly by apache.
>>> As you can guess, I'm no expert at encryption.  Getting keys, for the
>>> purpose of self-education is very expensive.  The extent of my
>>> is limited to creating self-signed certificates back in the old days
>>> before the web-browser people decided that was to be forbidden
>>> and more recently,, which operates in a magical smoke and
>>> mirrors method.  I would like to know if this would be the best
>>> for my friend encrypting his server's traffic.  I am very grateful for any
>>> feedback.
>>> Thank you very much!
>>> Rich
>>> ----------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
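
The whitespace problem reported at the top of this message can be caught before a reload. The following lint is an added example, not part of the original thread or of httpd itself: it flags the TLS file directives from the quoted config when they receive more than one argument. Assumptions: the function name `lint_tls_paths` is hypothetical, the sample config is constructed from the lines quoted above, and Python's `shlex` only approximates httpd's argument splitting (whitespace separates arguments unless the argument is enclosed in quotes).

```python
import shlex

# Directives from the thread's site-443.conf that each take exactly one file path.
SINGLE_PATH_DIRECTIVES = {
    "sslcertificatefile",
    "sslcertificatekeyfile",
    "sslcertificatechainfile",
    "sslcacertificatefile",
}


def lint_tls_paths(conf_text):
    """Return (line_no, directive, args) for TLS file directives whose
    argument count is not exactly one after whitespace/quote splitting."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and section tags
        # Approximation of httpd's splitting: whitespace separates arguments
        # unless the argument is enclosed in quotes.
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((line_no, line.split()[0], None))  # unbalanced quote
            continue
        name, args = tokens[0], tokens[1:]
        if name.lower() in SINGLE_PATH_DIRECTIVES and len(args) != 1:
            findings.append((line_no, name, args))
    return findings


# Constructed sample input modelled on the config quoted in this thread.
SAMPLE_CONF = '''\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /vault/cert.pem
    SSLCertificateKeyFile /vault/key.pem
    # Unquoted space: parsed as two arguments
    SSLCACertificateFile /vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt
    # Quoted: one argument, space preserved
    SSLCACertificateFile "/vault/Intermediate-GeoTrust-True BusinessID-RSA-SHA2-SHA1Root-primary.txt"
</VirtualHost>
'''

if __name__ == "__main__":
    for line_no, name, args in lint_tls_paths(SAMPLE_CONF):
        print(f"line {line_no}: {name} got {args!r}, expected one path")
```

Renaming the file, as done here, and enclosing the path in double quotes both leave the directive with a single argument.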