I have a client who has a large web presence that’s uniformly IIS and windows hosts. They have a wildcard SSL cert that covers all servers and subdomains under their main domain.
In an effort to configure a standalone LAMP server under that wildcard had it’s own small challenge.
To enable a wildcard SSL cert on a server (at least in this example) you’ll need:
- The private key from the server that generated the Certificate Request (.csr)
- The CA-Bundle or chain from the certificate authority
- The Wildcard SSL certificate.
In this case, the client was running windows servers so the whole lot was wrapped in a PKCS12 archive.
From Wikipedia:
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509certificate or to bundle all the members of a chain of trust.
A PKCS #12 file may be encrypted and signed. The internal storage containers, called “SafeBags”, may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer’s choice.
PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.
The filename extension for PKCS #12 files is “.p12” or “.pfx”.
These files can be created, parsed and read out with the OpenSSL pkcs12 command.
OK, so I have the PFX file provided by the client with the keys inside. Here’s the process for extracting and configuring apache to accept them.
In this instance I’m running a bitnami wordpress stack on Amazon EC2 so the paths in config files reflect that and may need altered for your particular installation.
Step 1: Copy the pfx file to the machine to be secured.
In this case I just used SFTP to put the file in place in my apache config folder. (/opt/bitnami/apache2/conf)
Step 2: Extract the certificate (.crt)
SSH to your server:
ssh -i ~/path/to/sshkey.pem bitnami@SUB.DOMAIN.com
Navigate to Apache configuration folder:
cd /opt/bitnami/apache2/conf
Next we’ll use the openssl pkcs12 command to extract the cert file.
openssl pkcs12 -in STAR_DOMAIN_com.pfx -clcerts -nokeys -out STAR_DOMAIN_encrypted.crt
Obviously you’ll update your file names according to your application here.
It will ask for the container passphrase.
Step 3: Export the keyfile.
openssl pkcs12 -in STAR_DOMAIN_com.pfx -nocerts -out STAR_DOMAIN_encrypted.key
Enter the container passphrase, and create one for your new key.
Step 4: Translate the keyfile to PEM encoding
openssl rsa -in STAR_DOMAIN_encrypted.key -outform PEM -out STAR_DOMAIN_encrypted_pem.key
Supply the passphrase you created for the key.
Step 5: Export the Certificate Authority chain bundle.
openssl pkcs12 -in STAR_DOMAIN_com.pfx -cacerts -nokeys -out STAR_DOMAIN_cabundle.pem
You should now have the required keys and certificates: STAR_DOMAIN_encrypted.crt, STAR_DOMAIN_encrypted_pem.key, STAR_DOMAIN_cabundle.pem
STEP 6: Configure apache SSL.
Back up your original httpd.conf file:
sudo cp httpd.conf httpd.conf.bak
or in this case, bitnami.conf is the file we’re editing:
sudo cp ./bitnami/bitnami.conf ./bitnami/bitnami.conf.bak
Edit your httpd.conf (in this case bitnami.conf)
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
NOTE: If you want to force this site to be SSL all the time, which I’m doing in this case. Look for the <VirtualHost _default_:80> section to force the redirect.
Paste the following block under the DocumentRoot line:
RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
Here’s what the full <VirtualHost _default_:80> section looks like on my server:
DocumentRoot "/opt/bitnami/apache2/htdocs" RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L] <Directory "/opt/bitnami/apache2/htdocs"> Options FollowSymLinks MultiViews AddLanguage en en AddLanguage es es AddLanguage pt-BR pt-br AddLanguage zh zh AddLanguage ko ko AddLanguage he he AddLanguage de de AddLanguage ro ro AddLanguage ru ru LanguagePriority en ForceLanguagePriority Prefer Fallback AllowOverride All Order allow,deny Allow from all = 2.3 > Require all granted # Error Documents ErrorDocument 503 /503.html # Bitnami applications installed with a prefix URL (default) Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
Next we’ll locate the <VirtualHost _default_:443> configuration section.
You should see something of this sort by default:
DocumentRoot "/opt/bitnami/apache2/htdocs" SSLEngine on SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt" SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
We need to specify the proper certificate, key and bundle locations here. I’ve commented out the defaults and added the required sections above.
The section you need to add looks like this:
SSLCertificateFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_encrypted.crt" SSLCertificateKeyFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_pem.key" SSLCACertificateFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_cabundle.pem"
After it’s added you’ll have this:
DocumentRoot "/opt/bitnami/apache2/htdocs" SSLEngine on SSLCertificateFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_encrypted.crt" SSLCertificateKeyFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_pem.key" SSLCACertificateFile "/opt/bitnami/apache2/conf/STAR_DOMAIN_com_cabundle.pem" #SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt" #SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
Next, save your configuration and exit.
Restart apache to reflect your changes.
sudo /opt/bitnami/ctlscript.sh restart apache
Visit your site to verify it’s forcing SSL and your certs are in place.