Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 03-15-2018, 06:24 PM   #1
Senior Member
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
the art of installing ssl cert for apache on ubuntu

I'm familiar with acquiring and installing a cert for apache, but I'm hoping to gain a deeper understanding. In particular, I'm fuzzy on the web of trust, the intermediate cert, and the behavior of browsers in respect to validating a cert.

I created a private key,, and used it to create a CSR, which I submitted to digicert where I obtained a ZIP file with the cert,, and another file, IntermediateCA.crt. I altered my default-ssl apache config to refer to these files like so:
// the cert we bought
SSLCertificateFile      /etc/ssl/xxx-cert/
// our private key
SSLCertificateKeyFile   /etc/ssl/xxx-private/
// cert chain for the cert we bought
SSLCertificateChainFile /etc/ssl/xxx-cert/IntermediateCA.crt
And I restarted apache and things were mostly good, but when I used the recommended cert checker tool from Symantec (now owned by Digicert?), it looked mostly fine but had one complaint/warning:
Root installed on the server. For best practices, remove the self-signed root from the server.
This warning might make perfect sense to more experienced folks, but it seems vague and unspecific to me and doesn't seem to communicate the problem very precisely using orthodox terms. I searched around and did not find any obvious solutions.

I suspected it might be related to the SSLCertificateChainFile setting and after some trial and error, I downloaded DigiCertSHA2ExtendedValidationServerCA.pem from this page (which is pretty confusing) and then I altered my apache default-ssl config like so:
SSLCertificateChainFile /etc/ssl/xxx-cert/DigiCertSHA2ExtendedValidationServerCA.pem
This has remedied that one warning above, but I have no idea:
1) why this fixed the problem
2) what is the difference between the two files
3) why Digicert would have given me the IntermediateCA.crt file they did when it would cause that error on their very own ssl cert checker tool.
4) what browser behaviors what underlying cert validation process might have found to cause the complaint.

If anyone could help clear up the role of the SSLCertificateChainFile a bit -- or refer me to an explainer on the ssl validation process, I'd be most grateful.

Last edited by sneakyimp; 03-15-2018 at 06:27 PM.
Old 03-16-2018, 06:46 PM   #2
Senior Member
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
I also checked my installation using Qualys/SSL Labs' test and , while it gets an "A" rating, I see a few warnings:

Under the heading Certificate #1: RSA 2048 bits (SHA256withRSA) in its subsection Server Key and Certificate #1 It has "DNS CAA" highlighted in orange with a value of "No" and a link here. I understand that I need to create a DNS record but I'm having a bit of trouble understanding the exact values to put in this record and the implications of these values. In particular, I expect to install a wildcard cert at some point to support language subdomains. I'm not sure if I should use the issuewild property or whatever. I found a helper tool but would appreciate some advice. Given that I probably want to issue a wildcard certificate via Digicert, that tool returns this for me:
Code:	CAA	0 issue ""
0 issuewild ""
0 issuewild ""
I find the mixed case stuff a bit puzzling. I also wonder:
1) why 3 entries?
2) does case matter?
3) what is the impact of the issuewild property tag?
4) what does the value of zero do?
Old 03-17-2018, 01:24 PM   #3
Senior Member
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
More issues I've noticed. In the ssl labs report, it looks like Java 8u161 client choked on the cert:
Java 8u161 - Client aborts on SNI unrecognized_name warning
RSA 2048 (SHA256)   |  TLS 1.2  |  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  ECDH secp256r1
And down at the bottom of the SSL labs report, in the Protocol Details section, a warning Incorrect SNI alerts is highlighted.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache 2.4 Microsoft Root CA SSL Cert Errors: SSLCACertificateFile gdizzle Linux - Newbie 1 10-24-2014 02:39 AM
SSL Cert and Apache ajburch Linux - Server 1 05-13-2014 04:15 PM
[SOLVED] Help installing SSL Cert into my Owncloud Install xmrkite Linux - Server 9 01-30-2013 12:20 PM
trying to install SSL cert on apache 2.0 sneakyimp Linux - Security 6 07-23-2006 06:39 PM
installing ssl cert kwickcut Mandriva 4 09-25-2005 02:27 PM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:38 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration