====== Configuring Apache to use your Gandi SSL Certificate ======
===== Installing Apache 2 =====
First of all, install the application on the server:
<code>
aptitude install apache2
</code>
Then activate the ssl module (Apache will be reloaded later):
<code>
a2enmod ssl
</code>
Next, make sure that Apache listens on the HTTPS port. In the file /etc/apache2/ports.conf, add the following if it is not already present:
<code>
Listen 443
NameVirtualHost YOUR_IP_ADDRESS:443
</code>
===== Obtaining the intermediary certificates =====
So that your certificate is recognized as having been issued by an approved certification authority, you need to retrieve the intermediate certificates issued by Gandi:
[[en:ssl:intermediate|Retrieving the Gandi intermediate certificate]]
===== Activate a domain under Apache SSL =====
Install your key, your certificate and any necessary intermediate certificates (which together form the chain) in a location such as /etc/ssl:
<code>
cp cert-domain.tld.crt /etc/ssl/certs/domain.tld.crt
cp myserver.key /etc/ssl/private/domain.tld.key
cp GandiXXXSSLCA.pem /etc/ssl/certs/GandiXXXSSLCA.pem
</code>
Don't forget to replace every occurrence of **domain.tld** with your own domain. The exact filename **GandiXXXSSLCA.pem** can vary depending on which type of certificate you got from Gandi.
To add a domain name to your secure Apache, create a dedicated website:
<code>
vi /etc/apache2/sites-available/000-domain.tld-ssl
</code>
If you're getting a "site does not exist" error later on, you will need to add a ".conf" suffix to the file name. In this example: /etc/apache2/sites-available/000-domain.tld-ssl.conf
...and add the VirtualHost block of your domain in the following manner (the address and port must match the NameVirtualHost line in ports.conf):
<code>
<VirtualHost YOUR_IP_ADDRESS:443>
    ServerName www.domain.tld
    ServerAlias domain.tld
    DocumentRoot /var/www/www.domain.tld/
    CustomLog /var/log/apache2/secure_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
    SSLCertificateChainFile /etc/ssl/certs/GandiXXXSSLCA.pem
    SSLVerifyClient None
</VirtualHost>
</code>
Then activate the SSL website and reload Apache:
<code>
a2ensite 000-domain.tld-ssl
/etc/init.d/apache2 reload
</code>
If your server has a firewall, do not forget to open the HTTPS port 443.
===== For Apache versions >= 2.4.8 =====
With 2.4.8, Apache deprecated the ''SSLCertificateChainFile'' directive, and you may receive the error:
<code>
The SSLCertificateChainFile directive is deprecated, SSLCertificateFile should be used instead.
</code>
The new method is as follows:
* Take the intermediate certificate you downloaded from Gandi (e.g. ''GandiStandardSSLCA.pem''), and open it in a text editor.
* Copy the contents, including the ''-----BEGIN CERTIFICATE-----'' and ''-----END CERTIFICATE-----'' lines.
* Locate and open for editing the file containing your server certificate, e.g. ''mydomain.com.crt''. This should be the same file indicated on the ''SSLCertificateFile'' line of your VirtualHost block.
* Paste the contents of the intermediate certificate into the text file, appending it to the existing certificate block. You will now have two certificate blocks in that file.
* Save your server certificate file (in the same location it was originally).
* Edit your VirtualHost configuration, and **comment out** the line beginning with ''SSLCertificateChainFile''. The file referenced by ''SSLCertificateFile'' now contains both certificates, so commenting out the chain file is all you need to do.
* Restart Apache.
===== Check your completed SSL chain =====
Run the following openssl command with the IP address (or hostname) of the server and the port of the service (443 in the case of apache2/SSL):
<code>
openssl s_client -connect ip.ip.ip.ip:port
</code>
Alternatively, you can use http://www.digicert.com/help/ to visualize the chain in a more graphical way.
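The following POSIX shell script is an added example; it is not part of the Gandi page and not Gandi's own tooling. It covers both the Apache >= 2.4.8 procedure (building a single SSLCertificateFile that holds the server certificate followed by the intermediate) and the chain check above. So that it runs offline, it first builds a throwaway root, intermediate and server certificate with openssl; the names ''Example Root'', ''Example Intermediate CA'', the ''domain.tld'' files, the ''GandiXXXSSLCA.pem'' stand-in and the scratch directory are all constructed, and nothing under /etc/ssl is touched. It then checks that the private key belongs to the certificate, that the combined file lists the server certificate first, and that the chain verifies up to the root. ''show_remote_chain'' wraps the s_client command from the check section with SNI and is defined but not run, because it needs network access.

```shell
#!/bin/sh
# Added example: constructed test PKI plus the chain checks around the procedure above.
# Requires the openssl command-line tool; everything else is POSIX sh.
set -eu

WORK=$(mktemp -d)      # scratch directory (constructed); nothing under /etc/ssl is touched
cd "$WORK"

# Constructed stand-ins for the Gandi root, the intermediate (GandiXXXSSLCA.pem in the
# page's naming) and your own server certificate and key.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout root.key -out root.crt 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out GandiXXXSSLCA.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.domain.tld,DNS:domain.tld\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.domain.tld" \
        -keyout domain.tld.key -out domain.tld.csr 2>/dev/null
    openssl x509 -req -in domain.tld.csr -CA GandiXXXSSLCA.pem -CAkey intermediate.key \
        -CAcreateserial -days 2 -extfile leaf.ext -out domain.tld.crt 2>/dev/null
}

# Prints the n-th PEM certificate block of a file (1-based).
nth_cert() {   # $1 file, $2 index
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# Number of certificate blocks in a file (2 after the 2.4.8+ paste step).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# True when the key's public half equals the certificate's; a mismatch is what makes
# Apache refuse to start once SSLCertificateKeyFile and SSLCertificateFile disagree.
key_matches_cert() {   # $1 certificate, $2 private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# The 2.4.8+ SSLCertificateFile: server certificate first, then the intermediate.
build_chain_file() {   # $1 server cert, $2 intermediate, $3 output
    cat "$1" "$2" > "$3"
}

# True when every certificate in the file is issued by the one that follows it,
# i.e. the server certificate is first and the intermediate comes after it.
chain_order_ok() {   # $1 chain file
    n=$(count_certs "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer_hash)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject_hash)
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
}

# Verifies the first certificate of the chain file up to a trusted root, using the rest of
# the file as untrusted intermediates, the way a client builds the chain.
chain_verifies() {   # $1 chain file, $2 trusted root
    nth_cert "$1" 1 > leaf.tmp
    openssl verify -CAfile "$2" -untrusted "$1" leaf.tmp >/dev/null 2>&1
}

# Live version of the page's check with SNI and the full chain shown (not run here).
show_remote_chain() {   # $1 hostname, $2 port
    echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
        | grep -E 'Verify return code|s:|i:'
}

not() { if "$@"; then return 1; else return 0; fi; }
report() {   # $1 label, remaining args: the check to run
    label=$1; shift
    if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; fi
}

make_test_pki
build_chain_file domain.tld.crt GandiXXXSSLCA.pem combined.crt   # what SSLCertificateFile points at
cat GandiXXXSSLCA.pem domain.tld.crt > wrong-order.crt            # the common paste mistake
report "private key matches domain.tld.crt"  key_matches_cert domain.tld.crt domain.tld.key
report "combined.crt holds 2 certificates"   [ "$(count_certs combined.crt)" -eq 2 ]
report "combined.crt: server cert first"     chain_order_ok combined.crt
report "combined.crt verifies to the root"   chain_verifies combined.crt root.crt
report "wrong-order.crt is rejected"         not chain_order_ok wrong-order.crt
```

Note that ''openssl verify'' alone does not catch a wrongly ordered file, because it looks intermediates up by subject rather than by position; Apache, however, treats the first block of SSLCertificateFile as the server certificate, which is why the order check is separate. When checking a deployed server, pass ''-servername'' as ''show_remote_chain'' does, otherwise a server with several name-based virtual hosts may answer with the certificate of another site.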