Integrate the Server Certificate
- We assume you are using certificates from the GÉANT/TCS PKI in the following descriptions.
- You will receive a digitally signed e-mail (from "email@example.com") that the server certificate has been issued.
- If you used ra-portal.itc.rwth-aachen.de to submit your certificate signing request, you can also download your certificate there. You have three download options:
  - just the SSL certificate
  - SSL certificate and certificate chain (1. ssl-cert, 2. intermediate-cert, 3. intermediate-cert)
  - certificate chain only (1. intermediate-cert, 2. intermediate-cert)
  - the root certificate (built-in token) is not available for download
- Which certificate chain applies depends on the cryptographic key algorithm you chose (RSA or ECC) and on the path used to submit the CSR, so make sure you use the matching certificate chain.
For the integration you need:
- the received certificate file
- the generated and saved cryptographic key pair file (private.pem)
- the appropriate certificate chain.
Depending on the server software used, these files may need to be converted into other formats.
- Convert from DER to PEM: openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
- Convert from PEM to DER: openssl x509 -in cert.pem -inform pem -outform der -out cert.crt
Apache uses PEM formatted key parts, so you can easily integrate your key parts.
In the "httpd.conf" the following points are especially important:
- SSLCertificateFile: Your server certificate
- SSLCertificateKeyFile: Your private key part
- SSLCertificateChainFile: The complete certificate chain as PEM formatted file (this directive is deprecated since Apache 2.4.8; on current versions append the chain certificates to the file named in SSLCertificateFile instead)
Like Apache, lighttpd uses key components in PEM format.
In the configuration, the following points are particularly important:
- ssl.engine = "enable"
- ssl.pemfile: Combination of
  - the private key part ("private.pem")
  - and the server certificate
  - combine them e.g. via "cat private.pem cert-<serial number>.pem > server.pem"
- ssl.ca-file: The complete certificate chain as PEM formatted file
In order to use your certificate, you must create a "pkcs12" file from your private key part and your server certificate. This can be done with OpenSSL:
openssl pkcs12 -export -in cert-<serial number>.pem -inkey private.pem -out Your_new_PKCS12_file.p12 -name "My Certificate"
- Use the server certificate issued by the PKI as "cert-<serial number>.pem".
- The file "private.pem" must correspond to your private key part.
- The newly created file "Your_new_PKCS12_file.p12" can then be imported into your server software.
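Before integrating the files, it pays to check that the certificate really belongs to private.pem and that the chosen chain verifies, since a wrong chain (see the RSA/ECC note above) only shows up as a browser error later. The script below is an added example, not part of this page: it builds a constructed demo PKI (one root, one intermediate; the real TCS chain has two intermediates, which the same checks handle unchanged) so it runs offline, then runs the checks, assembles the lighttpd pemfile and the PKCS#12 file described above. The demo names, subjects and the export password "demo" are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original page. Pre-integration checks for a
# server certificate, its private key and its chain, run against a constructed
# demo PKI (root + one intermediate) so the script works offline.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# --- constructed demo PKI; in practice cert.pem and the chain come from the RA portal ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout private.pem -out server.csr \
  -subj "/CN=www.example.org" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out cert.pem 2>/dev/null

# Pass only if the public key embedded in the certificate equals the one derived
# from the private key, i.e. the certificate really belongs to private.pem.
key_matches_cert() {  # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Pass only if the certificate verifies up to the trusted root through the chain
# file; supplying the wrong chain (RSA vs ECC, other submission path) fails here.
chain_is_valid() {  # $1 = certificate, $2 = intermediate chain, $3 = trusted root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# lighttpd ssl.pemfile: private key followed by the server certificate in one file.
make_lighttpd_pemfile() {  # $1 = certificate, $2 = private key, $3 = output file
  cat "$2" "$1" > "$3"
}

# PKCS#12 bundle with the chain included; the export password "demo" is a placeholder.
make_pkcs12() {  # $1 = certificate, $2 = private key, $3 = chain, $4 = output file
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "My Certificate" \
    -passout pass:demo -out "$4"
}

key_matches_cert cert.pem private.pem && echo "certificate matches private key"
chain_is_valid cert.pem inter.pem root.pem && echo "chain verifies up to the root"
make_lighttpd_pemfile cert.pem private.pem server.pem
make_pkcs12 cert.pem private.pem inter.pem server.p12 && echo "wrote $WORK/server.p12"
```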
You will need to configure your server to use the downloaded intermediate certificates. For further details, see the Microsoft documentation available online.