How to install intermediate CA SSL certificate in Apache
Solution ID: SO6178
Version: 2.0
Published: December 13, 2007
Updated: April 09, 2008
SSL certificates are signed by an Intermediate CA in a two-tier hierarchy (also known as a trust chain), which enhances the security of your SSL Certificate. If the proper Intermediate CA is not installed on the server, your customers will see browser errors and may close their browser rather than proceed.
In order to install it:
1) Go to https://www.verisign.com/support/verisign-intermediate-ca/index.html
and select the CA certificate for your product.
Note: When downloading the Intermediate Certificate Authority (CA)
certificate, ensure that you select the appropriate one for your SSL
certificate: Secure Site with EV Certificates (Secure Server) or Secure Site
Pro with EV Certificates (Global).
If you are not sure which certificate you have purchased, follow these
steps:
a) Go to https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP
b) Type your Common Name or Order Number and click Search.
c) Click the certificate name for your certificate.
2) Using a plain text editor such as Notepad, save the updated Intermediate
CA certificate as intermediate.crt to the SSL directory
(for example: /etc/apache2/ssl.crt/intermediate.crt).
You should then have a text file that looks like:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added.
3) Open the httpd.conf file with Notepad or vi.
4) Add the line:
SSLCACertificateFile /etc/apache2/ssl.crt/intermediate.crt
Make sure the Virtual host looks like:
<VirtualHost xx.yy.zz.ww>
ServerAdmin webmaster@Your_domain_name.com
ServerName www.Your_domain_name.com
...
SSLCertificateFile /Path to the file.../Your_certificate_file.crt
SSLCertificateKeyFile /Path to the file.../your_private_key_file.key
SSLCACertificateFile /Path to the file.../intermediate.crt
</VirtualHost>
Note: Depending on the version of Apache, the directive may be SSLCertificateChainFile instead.
5) Stop and start the Apache daemon.
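The checks from steps 2 and 4 can be scripted and run before the restart in step 5. The following is an added example, not part of the original VeriSign solution: the function names are hypothetical, the certificate payload is constructed filler, and it assumes the certificate path contains no spaces.

```shell
#!/bin/sh
# Added example, not VeriSign's: pre-restart checks for steps 2 and 4.

# Step 2: report framing problems in a PEM file; return 0 only when clean.
check_pem_framing() {
    [ -r "$1" ] || { echo "cannot read: $1"; return 2; }
    awk '
    function err(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    { sub(/\r$/, "") }  # assumption: CRLF endings written by Notepad are tolerated
    $0 == "-----BEGIN CERTIFICATE-----" {
        if (inside) err("BEGIN inside a certificate"); inside = 1; certs++; next }
    $0 == "-----END CERTIFICATE-----" {
        if (!inside) err("END without BEGIN"); inside = 0; next }
    /-/ { err("malformed marker (dash count or stray characters)"); next }
    inside && $0 ~ "^[A-Za-z0-9+/=]+$" { next }
    inside { err("blank line, whitespace or non-base64 character"); next }
    { err("blank line or text outside the certificate block") }
    END {
        if (inside) { print "missing END CERTIFICATE line"; bad = 1 }
        if (!certs) { print "no BEGIN CERTIFICATE line"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Step 4: print the path given to the chain directive (either name from the page).
# A path split into two tokens by a stray space is rejected.
chain_file_from_conf() {
    awk '$1 ~ /^SSL(CACertificateFile|CertificateChainFile)$/ {
        seen = 1
        if (NF != 2) { printf "line %d: expected one path, got %d tokens\n", NR, NF - 1; exit 1 }
        print $2; exit 0
    }
    END { if (!seen) { print "no chain directive found"; exit 1 } }' "$1"
}

# Demo on constructed input (the payload is filler, not a real certificate).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/intermediate.crt"
    printf '%s\n' '<VirtualHost xx.yy.zz.ww>' \
        "SSLCACertificateFile $d/intermediate.crt" '</VirtualHost>' > "$d/httpd.conf"
    f=$(chain_file_from_conf "$d/httpd.conf") && check_pem_framing "$f" && echo "OK: $f"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

These checks cover framing and the directive only. Running openssl x509 -in intermediate.crt -noout -subject -issuer afterwards confirms that the file actually parses as a certificate.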
Note: What the Intermediate CA does:
The Intermediate CA supplies the necessary chaining to a
trusted root in an SSL connection. In the example of a Secure
Site Pro ID (Global ID), the CA (Certification Authority), in
this case VeriSign Class 3 International CA, is not implicitly
trusted by the browsers that verify the signature VeriSign
supplies for a Global ID.
Since the "Root CA" is not in the browser, the intermediate
CA must be installed on the server, acting as a chain link
between the browser root and the server certificate. The intermediate
CA is chained to RSA Secure Server CA, which the browser already
trusts.
The Intermediate CA does not control encryption step-up.
This function is controlled by the server software. The
Intermediate CA solely acts as a link for trust.