I'm familiar with acquiring and installing a cert for apache, but I'm hoping to gain a deeper understanding. In particular, I'm fuzzy on the web of trust, the intermediate cert, and the behavior of browsers in respect to validating a cert.
I created a private key, example.com.key, and used it to create a CSR, which I submitted to DigiCert, where I obtained a ZIP file with the cert, example.com.crt, and another file, IntermediateCA.crt. I altered my default-ssl Apache config to refer to these files like so:
Code:
# the cert we bought
SSLCertificateFile /etc/ssl/xxx-cert/example.com.crt
# our private key
SSLCertificateKeyFile /etc/ssl/xxx-private/example.com.key
# cert chain for the cert we bought
SSLCertificateChainFile /etc/ssl/xxx-cert/IntermediateCA.crt
And I restarted Apache and things were mostly good, but when I used the recommended cert checker tool from Symantec (now owned by DigiCert?), it looked mostly fine but had one complaint/warning:
Code:
Root installed on the server. For best practices, remove the self-signed root from the server.
This warning might make perfect sense to more experienced folks, but it seems vague and unspecific to me and doesn't seem to communicate the problem very precisely using orthodox terms. I searched around and did not find any obvious solutions.
I suspected it might be related to the SSLCertificateChainFile setting, and after some trial and error I downloaded DigiCertSHA2ExtendedValidationServerCA.pem from this page (which is pretty confusing) and then altered my Apache default-ssl config like so:
Code:
SSLCertificateChainFile /etc/ssl/xxx-cert/DigiCertSHA2ExtendedValidationServerCA.pem
This has remedied that one warning above, but I have no idea:
1) why this fixed the problem
2) what is the difference between the two files
3) why DigiCert would have given me the IntermediateCA.crt file they did when it would cause that error on their very own SSL cert checker tool.
4) what browser behaviors or underlying cert validation process might have found this problem and caused the complaint.
If anyone could help clear up the role of the SSLCertificateChainFile a bit -- or refer me to an explainer on the SSL validation process, I'd be most grateful.
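As an added example (not from the original post or from DigiCert), a small POSIX shell helper that lists every certificate in a PEM bundle such as the one handed to SSLCertificateChainFile and flags any certificate whose issuer equals its subject, i.e. a self-signed root, which is exactly what the checker's "Root installed on the server" warning refers to. It assumes openssl and awk are available; file names are placeholders.

```shell
#!/bin/sh
# Inspect a PEM chain bundle the way a cert checker would: one line per
# certificate, marking self-signed (root) entries that a server should not send.

# chain_report BUNDLE.pem
# Prints: "<index> <self-signed|ok> subject=<DN> issuer=<DN>" per certificate.
chain_report() {
    bundle="$1"
    dir=$(mktemp -d)
    # awk splits the bundle into one file per BEGIN CERTIFICATE block
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/" n ".pem")}' "$bundle"
    i=1
    while [ -f "$dir/$i.pem" ]; do
        subj=$(openssl x509 -in "$dir/$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        # A certificate that names itself as issuer is self-signed: a root,
        # which belongs in the client's trust store, not in the server's chain file.
        if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=ok; fi
        printf '%d %s subject=%s issuer=%s\n' "$i" "$kind" "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# chain_is_clean BUNDLE.pem
# Returns 0 when the bundle contains no self-signed certificate, 1 otherwise.
chain_is_clean() {
    if chain_report "$1" | grep -q ' self-signed '; then
        return 1
    fi
    return 0
}
```

Run `chain_report /etc/ssl/xxx-cert/IntermediateCA.crt` against the bundle you deploy; a line marked self-signed is the root the checker wants removed.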