Marc Wäckerlin
For a Libertarian Society

Install SwissSign SSL Server Certificate in Apache

February 1, 2012

Install Apache (Ubuntu)

Install Apache and enable its SSL module on your computer, e.g. on Ubuntu:

  • sudo apt-get install apache2

If SSL is not yet enabled (i.e. the file /etc/apache2/mods-enabled/ssl.load does not exist or is not a link to /etc/apache2/mods-available/ssl.load), enable the ssl module:

  • sudo a2enmod ssl

Enable the default SSL configuration. This links the existing file /etc/apache2/sites-available/default-ssl to /etc/apache2/sites-enabled/default-ssl (if the example configuration has another name on your system, just use that instead of default-ssl):

  • sudo a2ensite default-ssl

Configure Apache

Edit the configuration file, e.g. /etc/apache2/sites-enabled/default-ssl:

Change the following lines (use your certificate filename instead of filename):

Old Value:

  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

New Value:

  SSLCertificateFile /etc/ssl/certs/filename.pem
  SSLCertificateKeyFile /etc/ssl/private/filename.key
  SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

Install Certificate and Key

If you download your certificate from http://SwissSign.com, it is a *.p12 file (in PKCS#12 format). For installation in Apache you need to split it into a key file and a certificate file.

In this tutorial, the filename of the downloaded certificate is filename.p12.

Get the plain keyfile (without password encryption) and the certificate from the PKCS#12 file:

  • openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts
  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts
  • openssl pkcs12 -in filename.p12 -out server-ca.crt -nodes -nokeys -cacerts

Move the files into the Apache configuration:

  • sudo mv filename.pem /etc/ssl/certs/
  • sudo mv filename.key /etc/ssl/private/
  • sudo mkdir /etc/apache2/ssl.crt/
  • sudo mv server-ca.crt /etc/apache2/ssl.crt/
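
Before reloading Apache, it is worth confirming that the three extracted files belong together. The script below is an added example, not part of the original post: it repeats the tutorial's three pkcs12 commands under umask 077 (because -nodes writes the private key unencrypted), then checks that certificate and key match, that the certificate verifies against server-ca.crt, and that the key file has no group or other permissions. The function names, the throwaway CA, www.example.test and the password are constructed for the demonstration.

```sh
#!/bin/sh
# Added example; every name, path and password here is constructed.

# Split a PKCS#12 file with the tutorial's commands. umask 077 keeps the
# unencrypted key (-nodes) closed to group/other from the moment it is created.
split_p12() (   # usage: split_p12 file.p12 password outdir
    umask 077
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3/filename.key" -nodes -nocerts &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3/filename.pem" -nodes -nokeys -clcerts &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -out "$3/server-ca.crt" -nodes -nokeys -cacerts
)

# True only if the certificate's public key equals the private key's public key.
cert_matches_key() {   # usage: cert_matches_key cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey) && k=$(openssl pkey -in "$2" -pubout) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if the certificate (arg 1) verifies against the CA file (arg 2).
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# True only if the file has no group/other permission bits set.
key_is_private() { case "$(ls -l "$1")" in -???------*) return 0;; *) return 1;; esac; }

# Constructed sample: throwaway CA, server certificate and filename.p12 in dir $1.
make_sample() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
        '[dn]' 'CN=Example CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -config "$1/ca.cnf" -subj "/CN=www.example.test" -newkey rsa:2048 \
        -nodes -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/srv.pem" -inkey "$1/srv.key" -certfile "$1/ca.pem" \
        -passout pass:constructed -out "$1/filename.p12"
}

# Run all checks on a fresh sample; prints one line per passed check.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" && split_p12 "$d/filename.p12" constructed "$d" || { rm -rf "$d"; return 1; }
    cert_matches_key "$d/filename.pem" "$d/filename.key" && echo "cert/key match: ok"
    chain_verifies "$d/filename.pem" "$d/server-ca.crt" && echo "chain: ok"
    key_is_private "$d/filename.key" && echo "key permissions: ok"
    cert_matches_key "$d/ca.pem" "$d/filename.key" || echo "wrong cert rejected: ok"
    rm -rf "$d"
}
demo
```

On a real server, call the three check functions on /etc/ssl/certs/filename.pem, /etc/ssl/private/filename.key and /etc/apache2/ssl.crt/server-ca.crt instead of the sample files.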

Reload Apache – Done!

Reload the Apache configuration and you’re done:

  • sudo service apache2 reload

Remember: OpenSSL Certificate Conversions

Extract Client Certificate File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -clcerts

Extract CA Certificate File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nodes -nokeys -cacerts

Extract Key File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.key -nodes -nocerts

Extract Password Encrypted Key File from PKCS#12 File:

  • openssl pkcs12 -in filename.p12 -out filename.pem -nocerts

Change PKCS#12 Password:

  • openssl pkcs12 -in old-filename.p12 -nodes > x && openssl pkcs12 -export -in x -out new-filename.p12; rm x

Generate PKCS#12 File from Key and Certificate Files:

  • openssl pkcs12 -export -in filename.pem -inkey filename.key -out filename.p12

Download certificate with Certificate Encoding PEM, deselect PKCS#7 Format and select Include Certificate Chain.
