SSLCertificateChainFile is obsolete
Problem description
I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however--any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?
Taken from the Apache 2.4 Module mod_ssl documentation:
SSLCertificateFile Directive
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.
What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in
cat domain.crt domain-ca.crt > bundle.crt
and use that file inside your site's conf file:
SSLCertificateFile /path/to/bundle.crt
(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)
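A check for the bundle built as described above, added here as an example and not part of the original answer or of Apache's own tooling: it confirms that the first certificate in the bundle matches the private key and that each certificate names the next one as its issuer. The key file name domain.key, the helper make_demo_chain and its subject names are assumptions; neighbours are compared by name only, signatures are not verified.

```shell
#!/bin/sh
# Added example. File names domain.crt / domain-ca.crt / bundle.crt follow the
# answer; domain.key and the demo subject names are assumptions.

# Build a constructed chain (demo CA + leaf) in directory $1 for trying this out.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
          -keyout ca.key -out domain-ca.crt &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
          -keyout domain.key -out domain.csr &&
      openssl x509 -req -in domain.csr -CA domain-ca.crt -CAkey ca.key \
          -set_serial 1 -days 2 -out domain.crt ) 2>/dev/null
}

# check_bundle BUNDLE KEY
# Returns 0 if BUNDLE is ordered leaf to root and its first certificate matches KEY,
# 1 on a key mismatch, 2 on a break in the chain order, 3 if no certificate is found.
# Only names are compared between neighbours; signatures are not verified.
check_bundle() {
    bundle=$1; key=$2; status=0
    tmp=$(mktemp -d) || return 3
    # Split into 1.pem, 2.pem, ... in file order and count the certificates.
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {c++}
        c {print > (d "/" c ".pem")} END {print c + 0}' "$bundle")
    if [ "${n:-0}" -eq 0 ]; then
        echo "no certificate found in $bundle" >&2; status=3
    # The first certificate must hold the public key of the private key.
    elif ! pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null) ||
         [ "$pub" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "certificate 1 does not match $key (leaf must come first)" >&2; status=1
    else
        i=1
        while [ "$i" -lt "$n" ]; do
            next=$((i + 1))
            # Issuer of certificate i must be the subject of certificate i+1.
            if [ "$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)" != \
                 "$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)" ]; then
                echo "certificate $i is not issued by certificate $next" >&2
                status=2; break
            fi
            i=$next
        done
    fi
    rm -rf "$tmp"
    return "$status"
}
```

Run check_bundle /path/to/bundle.crt /path/to/domain.key before pointing SSLCertificateFile at the bundle; a non-zero status means the file is not in leaf-to-root order for that key.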