Using Apache SSL default certificates or third party certificates on SLES

Enable SSL

YaST | Network Services | HTTP Server | Server Modules | Enable SSL module

Copy the vhost-ssl.template to vhost-ssl.conf (to create a new .conf file)
Under /etc/apache2/vhosts.d/

cp vhost-ssl.template vhost-ssl.conf

Default certs:

Create the default certificates by doing the following, if they do not already exist.

Use YaST  - Go to Security and Users | Common Server Certificate and select Finish, that’s all.

(It will create the default certificates and put them at the location /etc/ssl/servercerts/ servercert.pem and serverkey.pem)

Test SSL using default certificates
In vhost-ssl.conf file reference the default server certificates.
Edit the vhost-ssl.conf file and change it to reference the default server certificates including the path.

# Server Certificate:
SSLCertificateFile /etc/ssl/servercerts/servercert.pem
# Server Private Key:
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

rcapache2 restart

For third party certs:
- See above part that entails enabling SSL.

- To use a Third Party certificate with Apache2 on SLES 10 or SLES 11, at a minimum, a server certificate and a server certificate private key files are needed. In addition to that, an intermediate certificate and/or a certificate bundle may be needed and used if they are provided by the Third Party vendor.

The Third Party server certificate needs to be in PEM format to work with Apache2 and is usually already in that format.
If it is needed, convert the Third Party certificate to PEM format, using the following openssl command. 

Change Directories to the linux directory wherever the Third Party certs are placed, for this example: /etc/ssl/servercerts

openssl x509 -in servercertificate.crt -out mycert.pem -outform PEM

The private key certificate file may need to be extracted, if the Third Party Certificate has been already imported to eDirectory.  Extract and get the private key certificate file, by doing the following:

Export the Personal Information Exchange File using iManager.

1. In iManager, go to xxxxxx Certificate Access | Server Certificates
2. Select the Third Party Certificate, check box and click Validate. It should come back as Valid.
3. Select the Third Party Certificate by checking the box again.
4. Select Export and select the Third Party Certificate name in the ‘certificates’ drop down list of the certificates to export.
5. Select "Export private key" and "Include all certificates in the certification path if available."
6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password may be used in a future step.
7. Save the resulting pkcs12 file (Personal Information Exchange format) to a secure location on the server. The default file name is cert.pfx

8. On the server run the following openssl command to extract the private key certificate file.

openssl pkcs12 -in cert.pfx -nocerts -out mykey.key

The server certificate can be extracted from the cert.pfx file as needed using the following command:

openssl pkcs12 -in cert.pfx -nokeys -out mycert.crt

# Server Certificate Chain:

SSLCertificateChainFile /etc/ssl/servercerts/intermediate.crt

...and sometimes point to the bundle, if there is one...

# Certificate Authority (CA):
SSLCACertificateFile /etc/ssl/servercerts/ca-bundle.crt

rcapache2 restart

Enable SSL port (port 443) on the firewall. By default this port is close for the external traffic. Go to YaST -> Security and Users -> Firewall. Click on Allowed Services and chose HTTPS Server from the drop down menu and click Add. HTTPS Server will be added to the list of allowed services for the firewall. Click Next and Accept.