Posted by danuel, 13th May 2009, 08:31
SSLCACertificatePath

See http://www.howtoforge.com/forums/sho...t=14569&page=3

Since /etc/apache2/vhosts/Vhosts_ispconfig.conf is dynamically generated by ISPC from info in the db, it is suggested to add the SSLCACertificateFile and SSLCertificateChainFile directives in /etc/apache2/apache2.conf or httpd.conf. This is not an ideal solution, since it's not in the virtual host directives, because different vhosts may need different CA certificates.

After reading http://httpd.apache.org/docs/2.0/mod...ertificatepath, the best solution may be to use the SSLCACertificatePath directive instead of either/both SSLCACertificateFile and SSLCertificateChainFile. We can add the following to the /etc/apache2/apache2.conf file (the last line, after the Include of Vhosts, is ok):
Code:
Include /etc/apache2/vhosts/Vhosts_ispconfig.conf
SSLCACertificatePath /var/www/ssl_ca

In /var/www/ssl_ca we'll keep all the CA certificates from any/all trusted Certificate Authorities (client/site certificates stay under their respective directories handled by the ISPConfig db). Make sure you only use "pem" encoded certificates.

From startssl.com, you only need the following:
Code:
ca.pem
sub.class1.server.ca.pem
sub.class2.server.ca.pem
sub.class3.server.ca.pem
sub.class4.server.ca.pem
Unlike what was mentioned above, you don't need the ca-bundle, which includes a lot of other unneeded certs and whose file size is over 90Kb. All the files above add up to less than 20Kb.

Every time you add/remove files to /var/www/ssl_ca, please remember to run:
Code:
c_rehash /var/www/ssl_ca

Hopefully, future ISPC releases can include an automatically run script to dynamically obtain (wget) the CA certs (all available online) from major/all browser-trusted certificate authorities to keep the folder current -- this folder can be anywhere ISPConfig maintains dynamically maintained files (like the Vhosts config files). All that will be needed then is just the site server key (private) and site server crt (public) managed by the ISPConfig web interface.

Last edited by danuel; 13th May 2009 at 08:43.
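The two things the post tells you to get right (only PEM files in the directory, and re-running c_rehash after every change) are exactly what silently breaks when forgotten: mod_ssl finds issuers in an SSLCACertificatePath directory only through the <subject-hash>.N links, so a DER file or a missing rehash just produces "unable to get local issuer certificate" on the next restart. The following script is an added example, not code from danuel's post or from ISPConfig. It checks a CApath directory the way mod_ssl will use it, rebuilds the hash links with `openssl x509 -subject_hash` (what c_rehash does under the hood), and runs `openssl verify -CApath` against a site certificate before you touch Apache. It assumes only the openssl command-line tool; the function names and the constructed throwaway CA and site certificate are mine, and /var/www/ssl_ca appears only as the directory the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an
# SSLCACertificatePath directory and rebuild its hash links.
# Requires the openssl CLI; all certificates below are constructed test data.

# Return 0 if every regular file in $1 parses as a PEM X.509 certificate,
# 1 otherwise. DER or stray files are never found by mod_ssl's CApath lookup.
check_pem_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue          # skip hash links such as 5ed36f99.0
        if ! openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
            echo "not a PEM certificate: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Recreate what c_rehash does: one <subject-hash>.<n> symlink per .pem/.crt
# file, so the issuer can be located by hash when a chain is verified.
rehash_dir() {
    dir=$1
    for l in "$dir"/*.[0-9]; do       # drop stale links from earlier runs
        [ -L "$l" ] && rm -f "$l"
    done
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$n"
    done
}

# Verify a server certificate using ONLY the CApath directory (the system
# trust store is excluded so the result reflects what Apache will see).
verify_against_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a throwaway root CA and a site certificate it signs.
make_constructed_ca() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -set_serial 1 -in "$d/site.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -out "$d/site.crt" >/dev/null 2>&1
}

# Walk through the post's procedure on the constructed data. Returns 0 when
# the site certificate verifies against the rehashed CApath directory.
demo_ssl_ca_dir() {
    work=$(mktemp -d) || return 1
    capath="$work/ssl_ca"            # stands in for /var/www/ssl_ca
    mkdir "$capath"
    make_constructed_ca "$work" || return 1
    cp "$work/ca.pem" "$capath/ca.pem"
    # A DER copy is a typical mistake: it must be caught before Apache sees it.
    openssl x509 -in "$work/ca.pem" -outform DER -out "$capath/ca.der" 2>/dev/null
    if check_pem_dir "$capath" 2>/dev/null; then
        echo "unexpected: DER file passed the PEM check" >&2
        return 1
    fi
    rm -f "$capath/ca.der"
    check_pem_dir "$capath" || return 1
    # Without hash links the lookup fails even though ca.pem is present ...
    if verify_against_capath "$capath" "$work/site.crt"; then
        echo "unexpected: verification succeeded without hash links" >&2
        return 1
    fi
    rehash_dir "$capath" || return 1
    # ... and after rehashing it succeeds.
    verify_against_capath "$capath" "$work/site.crt"
    rc=$?
    rm -rf "$work"
    return $rc
}

if demo_ssl_ca_dir; then
    echo "CApath directory verified OK"
else
    echo "CApath check failed" >&2
fi
```

In practice you would run `check_pem_dir /var/www/ssl_ca`, then `c_rehash /var/www/ssl_ca` (or `rehash_dir` where c_rehash is not installed), and finally `verify_against_capath /var/www/ssl_ca /path/to/site.crt` for each vhost certificate; a failure at the last step means the intermediate for that site is still missing from the directory, and Apache will serve an incomplete chain.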