SSLCertificateChainFile is obsolete


Problem description

I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however--any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?

Solution

Taken from the Apache 2.4 Module mod_ssl documentation:

SSLCertificateFile Directive

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in

cat domain.crt domain-ca.crt > bundle.crt

and use that file inside your site's conf file:

SSLCertificateFile      /path/to/bundle.crt

(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)
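A way to check a concatenated bundle before pointing SSLCertificateFile at it, as an added example that is not part of the original answer: it confirms the certificates run leaf to root and that the private key pairs with the first certificate in the file. The function name `check_bundle` and the key file argument are assumptions, and the `openssl` command-line tool must be installed.

```sh
# check_bundle BUNDLE [KEY]  (hypothetical helper, needs the openssl CLI)
# Returns 0 if the PEM bundle is ordered leaf -> root by issuer/subject name
# and, when KEY is given, the private key pairs with the first certificate.
# It compares names only; it does not verify signatures or trust.
check_bundle() {
    bundle=$1 key=${2:-}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$bundle"
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    rc=0
    if [ "${count:-0}" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rc=2
    fi
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        # Certificate i must have been issued by certificate i+1.
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem") || rc=2
        subject=$(openssl x509 -noout -subject_hash -in "$tmp/$next.pem") || rc=2
        if [ "$rc" -eq 0 ] && [ "$issuer" != "$subject" ]; then
            echo "certificate $next is not the issuer of certificate $i" >&2
            rc=1
        fi
        i=$next
    done
    if [ "$rc" -eq 0 ] && [ -n "$key" ]; then
        # The server key must belong to the first (leaf) certificate.
        cert_pub=$(openssl x509 -noout -pubkey -in "$tmp/1.pem") || rc=2
        key_pub=$(openssl pkey -pubout -in "$key") || rc=2
        if [ "$rc" -eq 0 ] && [ "$cert_pub" != "$key_pub" ]; then
            echo "private key does not match the first certificate" >&2
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

A bundle built in the reverse order (CA chain first) fails the name check, and a key that belongs to a different certificate fails the key check.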
