Entrust Certificate Services Support Knowledge Base
Audience: Administrator
Last Modified: 2009-08-18 17:15:40.0
TN 6555 - How to configure an Entrust SSL Certificate on Apache for Windows?
Question:
How do I configure an Entrust SSL Certificate on Apache for Windows?
Answer:
The following procedures were performed on Windows XP Professional with an Apache Web server compiled with OpenSSL and mod_ssl.
This article assumes that the Apache Web server and OpenSSL are properly installed and configured. Because each of the three components exists in many versions, providing specific installation information for each is beyond the scope of this article.
The examples provided in this article use the following versions of software:
Apache_1.3.34-Mod_SSL_2.8.25-Openssl_0.9.8a-Win32.zip
Step-by-step information on installing, compiling and configuring those components is beyond the scope of this article.
Entrust always recommends using the latest distribution package for improved security.
Overview of Configuration Process:
1 - Generate private key
2 - Create Certificate Signing Request (CSR)
3 - Verify your keypair
4 - Install a cross certificate
5 - Install a Web server certificate
6 - Back up your certificate
7 - Start/Stop Apache
1 - Generating your private key
Your private key is generated by you and should be backed up for disaster recovery purposes. The private key should remain secured on your server and secured on backup media.
This data is generated from the OpenSSL application.
To generate your Private Key :
At a cmd prompt in your apache/bin directory where OpenSSL.exe is stored, type the following:
openssl> genrsa -des3 -out server.key 1024
This command generates a 1024-bit RSA private key and stores it in the file "server.key". You may instead choose to generate a 2048-bit key. Bit lengths higher than 2048 are not supported.
Enter a passphrase when prompted. Remember the passphrase you choose. If you forget this passphrase you cannot use your Entrust SSL Certificate. If you write down this passphrase, be sure to store it in a secure location.
Back up the file that contains your private key. Be sure that the backup is stored in a secure location. Someone with access to your private key could decrypt the SSL-protected data sent and received by your Web server.
When viewing your encrypted private key, it should look similar to the example below:
Example:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A9A0681E5C7F7615KJ98dKJn1PZ
-----END RSA PRIVATE KEY-----
2 - Generating the Certificate Signing Request (CSR)
To generate the Certificate Signing Request (CSR):
Do not use any of the following characters in your Certificate Signing Request (CSR): > < ! @ # $ % ^ * ( ) ~ ? / \.
In a cmd window, begin the CSR creation by entering the following command:
openssl> req -config openssl.cnf -new -key server.key -out newcsr.csr
The openssl.cnf file must be in the current directory; otherwise, give its full path after -config.
The rest of the CSR creation is interactive. You must supply your company information as accurately as possible to ensure successful submission of your CSR.
Enter PEM pass phrase:
Enter the passphrase you assigned to server.key in the previous step.
Country Name (2 letter code) [AU]:
Enter the corresponding ISO3166 country code for the country.
State or Province Name (full name) [Some-State]:
Enter the corresponding state or province, without abbreviations.
Locality Name (eg, city) [ ]:
Supply the city or locality name.
Organization Name (eg, company) [Entrust Inc.]:
Supply the name of your company or organization. This information must be the officially registered name of your company or organization.
This organization must own the domain name that appears in the Common Name (CN) of your Web site.
Organizational Unit Name (eg, section) [ ]:
If relevant, supply the name of your division or department.
Common Name (eg, your web server's hostname) [ ]:
Supply the Common Name (CN) of your Web site in the field provided. This name must be identical to the fully qualified domain name of the Web site for which you are requesting a certificate.
If the Web site name does not match the common name in the certificate, some browsers will refuse to establish a secure connection with your site.
Do not specify the protocol (http://), any port numbers or pathnames in the Common Name (CN).
Do not use wildcards such as * or ?.
Email Address [ ] :
Supply your email address.
Enter the following 'extra' attributes to be sent with your certificate request:
A challenge password []:
DO NOT USE.
An optional company name []:
DO NOT USE.
The newcsr.csr file now contains the base64-encoded CSR text that is needed during the enrollment process with Entrust Certificate Services. The file is saved to your current directory. Open the file in a plain text editor to view the CSR.
Creation of the Certificate Signing Request (CSR) is now complete.
3 - Verifying the key pair contents
Below are commands for checking that your CSR and your certificate match your private key, and that the private key you are using is the correct one.
Verify the CSR's contents by viewing it with this command:
openssl> req -noout -text -in newcsr.csr
Verify the Entrust SSL Certificate (signed public key) with this command:
openssl> x509 -noout -text -in /ssl.crt/server.crt (replace /ssl.crt/ with the full path to the directory)
Verify the private key with this command:
openssl> rsa -noout -text -in /ssl.key/server.key (replace /ssl.key/ with the full path to the directory)
To make sure you are using the right private key with the right Web server certificate (public key), compare the "modulus" and "public exponent" values shown for the private key with those shown for the Web server certificate; they must match.
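As an added example that is not part of the Entrust article, the following POSIX shell script automates the step 3 comparison: it extracts the RSA modulus from the key, the CSR and the certificate and confirms they agree. It assumes the openssl CLI is on PATH and, to avoid the interactive passphrase prompt, builds a constructed demo set from an unencrypted key and a self-signed certificate standing in for the Entrust-issued one; the file names follow the article (server.key, newcsr.csr, server.crt).

```shell
#!/bin/sh
# Added example, not from the Entrust article: check that a private key, a CSR
# and a certificate share one RSA modulus (the step 3 comparison, automated).
# Assumes the openssl CLI is on PATH.

# Print "Modulus=<hex>" for a PEM file; $1 selects the openssl subcommand
# (rsa for a private key, req for a CSR, x509 for a certificate).
modulus_of() {
    openssl "$1" -noout -modulus -in "$2"
}

# Return 0 when key, CSR and certificate all carry the same modulus, 1 otherwise.
keypair_matches() {            # $1 = key, $2 = csr, $3 = cert
    k=$(modulus_of rsa "$1") || return 1
    r=$(modulus_of req "$2") || return 1
    c=$(modulus_of x509 "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Populate $1 with a constructed demo set: an unencrypted key (the article's
# -des3 key would prompt for its passphrase), its CSR and a self-signed
# certificate standing in for the Entrust-issued one, plus an unrelated key.
make_demo() {
    subj='/C=US/ST=Texas/L=Dallas/O=Example Corp/CN=www.example.com'
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "$subj" -out "$1/newcsr.csr"
    openssl x509 -req -in "$1/newcsr.csr" -signkey "$1/server.key" \
        -days 30 -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Run with --demo to see both a matching and a mismatching comparison.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_demo "$dir"
    keypair_matches "$dir/server.key" "$dir/newcsr.csr" "$dir/server.crt" \
        && echo "server.key matches newcsr.csr and server.crt"
    keypair_matches "$dir/other.key" "$dir/newcsr.csr" "$dir/server.crt" \
        || echo "other.key does NOT match server.crt"
    rm -rf "$dir"
fi
```

A mismatch on the certificate side usually means the wrong server.key was restored or a new key was generated after the CSR was submitted; the certificate must then be reissued for the key actually in use.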
4 - Installing a cross or chain certificate
If your certificate will expire after December 31, 2010, you must add a chain certificate called the Entrust L1B Chain Certificate. The Entrust L1B Chain Certificate is required to complete the trust path back to our trusted root. If your certificate will not expire after December 31, 2010, you may skip this process and go straight to the SSL certificate installation instructions.
To install the Entrust L1B Chain Certificate:
- Open a Web browser and go to the URL that appears in the confirmation email you received from Entrust. Your certificates are displayed.
- The Entrust SSL Certificate is in the section named Entrust SSL Certificate and the chain certificate is in the section named Entrust L1B Chain Certificate. The certificates look something like this:
Copy the Entrust L1B Chain Certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
Paste the certificate into a text editor, and ensure that the entire text is flushed to the left with no leading or trailing white space.
If there are any extra spaces the server will not recognize the format of the file and you will not be able to install the certificate.
Save the file as /usr/local/apache/conf/ssl.crt/ca.crt
You have just installed the Entrust chain.
5 - Installing the Entrust SSL certificate
Open a Web browser and go to the URL that appears in the confirmation email you received from Entrust. Your certificates are displayed. The Entrust SSL certificate is in the section named Entrust SSL Certificate.
Your certificate looks something like this: (Do not use the code below)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Copy the Entrust SSL Certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
Paste the certificate into a simple text editor, and ensure that the entire text is flushed to the left with no leading or trailing white space.
If there are any extra spaces or missing dashes the server will not recognize the format of the file and you will not be able to install the certificate.
Save the file as /path/to/your/apacheconf/ssl.crt/servername.crt
You have just installed your Entrust SSL Certificate.
It is strongly recommended that the httpd.conf or ssl.conf file (Apache 2.0) is backed up before attempting modifications.
In the SSL section of /path/to/your/apacheconf/httpd.conf or ssl.conf (Apache 2.0), ensure that the following entries are correct:
Enable / Disable SSL for this host
SSLEngine on
Certificate Paths:
SSLCertificateFile /path/to/your/apacheconf/ssl.crt/server.crt
SSLCertificateKeyFile /path/to/your/apacheconf/ssl.key/server.key
6 - Backing up the private key
For disaster recovery purposes, it is highly recommended that you back up the private key for your Web server.
It is recommended that the entire /path/to/your/apacheconf/conf directory be backed up regularly in compliance with your organization's policies.
At an absolute minimum, storing the following files in a secure location allows a restore of the original private key and server certificate in the event of a disaster.
Private Key: /path/to/your/apacheconf/ssl.key/server.key
(Remember to store the passphrase separately)
Server Certificate: /path/to/your/apacheconf/ssl.crt/server.crt
In the event of a disaster, reinstall all components and restore those files to their respective locations. Modify the newly re-installed httpd.conf to reflect the location of those certificates and the server should come back up as expected.
7 - Stopping and Starting Apache
On most Apache systems, the commands are entered at a cmd prompt in your /apache/bin directory.
apachectl start (to start Apache)
apachectl stop (to stop Apache)
If Apache was added as a Windows service, you can also stop and start it through Computer Management > Services.
Please note: Some Apache versions on Windows do not support the SSLPassPhraseDialog directive. In that case you may remove the passphrase from the private key.
Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 1 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 2 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year Version Not Applicable Language Not Applicable Platform Not Applicable