Wednesday, July 28, 2010

Intermediate CA Bundles!

Thawte changes the way certificates work.

In the past, browsers and client machines shipped with root certificate authority files that verified the SSL certificates they encountered. Now, with the new certificates (issued after June 27th, 2010), you have to install an intermediate certificate authority certificate on the server for the new certificates to validate.

So, when I added the new cert.crt from Thawte to the Server Admin interface, it complained that it was unassigned. I found this site, which explains what changed recently and how to fix it. I'm sure it works great for a *nix web server that doesn't use Virtual Hosts, unlike OS X Server.

How do we fix this? Actually, it's stupid simple after you mess with it for four hours. After you add the new cert.cer from Thawte through the Server Admin interface, open the site configuration and the Security tab. Choose the new SSL certificate, then save, apply, and restart. Next, you will need to edit the Virtual Host for the site that has SSL enabled.

I started with this certificate, but it was not working for me. Something with the three different CAs. I ended up using this certificate bundle, which worked.

From this page, copy the new intermediate cert bundle and paste it into a plain text file. Save that file in /etc/certificates/ as intermediate.crt.

Open Terminal.app and navigate to the /etc/apache2/sites folder. With your favorite text editor, open the conf file for the site with SSL enabled (look for the one with 443 in the name). Comment out the existing SSLCertificateChainFile line and add a new SSLCertificateChainFile line that points to your new intermediate file. Apache directives take no "=" between the name and the value, so it should look like this:

SSLCertificateChainFile "/etc/certificates/intermediate.crt"

Save the changes and restart the Web Server. I use the terminal in this case:

Stop the web server:

sudo serveradmin web stop

Start the web server:

sudo serveradmin web start

Check your site and you should be good to go! The new certificate should appear without warnings. It should also appear without warning in the Server Admin certificates tab.
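To see why the chain file matters, and to check a cert/bundle pair before touching the Apache config, here is an added example (not from the original post or from Thawte). It builds a throwaway root -> intermediate -> leaf chain with openssl, then shows that a client trusting only the root cannot validate the leaf until the intermediate is supplied alongside it; the subject names, file names and temp directory are constructed for the demo, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: demonstrates the root-only trust store vs. server-supplied
# intermediate problem described above, using a constructed demo chain.
DIR="${DEMO_DIR:-$(mktemp -d)}"

make_demo_chain() {
  # CA extension used for both the root and the intermediate.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$DIR/ca.ext"
  # Root CA: self-signed. This is the only thing the client trusts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$DIR/root.key" -out "$DIR/root.csr" 2>/dev/null
  openssl x509 -req -in "$DIR/root.csr" -signkey "$DIR/root.key" -days 1 \
    -extfile "$DIR/ca.ext" -out "$DIR/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root, also marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$DIR/int.key" -out "$DIR/int.csr" 2>/dev/null
  openssl x509 -req -in "$DIR/int.csr" -CA "$DIR/root.pem" -CAkey "$DIR/root.key" \
    -CAcreateserial -days 1 -extfile "$DIR/ca.ext" -out "$DIR/intermediate.pem" 2>/dev/null
  # Leaf (server) certificate: signed by the intermediate, NOT by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$DIR/leaf.key" -out "$DIR/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$DIR/leaf.csr" -CA "$DIR/intermediate.pem" -CAkey "$DIR/int.key" \
    -CAcreateserial -days 1 -out "$DIR/leaf.pem" 2>/dev/null
}

# What a browser with only the root in its trust store sees when the server
# sends just cert.crt: verification fails (non-zero exit status).
verify_without_intermediate() {
  openssl verify -CAfile "$DIR/root.pem" "$DIR/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate arrives with the leaf, which is what
# the server sends once SSLCertificateChainFile points at the bundle.
verify_with_intermediate() {
  openssl verify -CAfile "$DIR/root.pem" -untrusted "$DIR/intermediate.pem" \
    "$DIR/leaf.pem" >/dev/null 2>&1
}

# Pre-deployment check on the real files: does the bundle you are about to
# configure actually chain the server cert up to a root you trust?
# Usage: check_chain_file <server cert> <intermediate bundle> <root cert>
check_chain_file() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
```

After the restart, the same idea applied to the live server is `openssl s_client -connect yourhost:443 -showcerts`, whose output should list both the server certificate and the intermediate.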
