Using Apache SSL default certificates or third party certificates on SLES
This document (7004384) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 10
YaST | Network Services | HTTP Server | Server Modules | Enable SSL module
Copy the vhost-ssl.template to vhost-ssl.conf (to create a new .conf file)
cp vhost-ssl.template vhost-ssl.conf
Create the default certificates by doing the following, if they do not already exist.
Use YaST - Go to Security and Users | Common Server Certificate and select Finish, that’s all.
(This creates the default certificate and key and places them in /etc/ssl/servercerts/ as servercert.pem and serverkey.pem.)
Test SSL using default certificates
Edit the vhost-ssl.conf file so that it references the default server certificate and private key, including their full path:
# Server Certificate:
# Server Private Key:
For third party certs:
- Enable SSL as described above.
- To use a Third Party certificate with Apache2 on SLES 10 or SLES 11, at a minimum a server certificate file and its private key file are needed. In addition, an intermediate certificate and/or a certificate bundle may be needed, if the Third Party vendor provides them.
The Third Party server certificate needs to be in PEM format to work with Apache2 and is usually already in that format.
If conversion is needed (the certificate is then usually in binary DER format), convert the Third Party certificate to PEM format using the following openssl command.
Change to the directory where the Third Party certificate files are placed, for this example /etc/ssl/servercerts:
openssl x509 -inform DER -in servercertificate.crt -outform PEM -out mycert.pem
The private key file may need to be extracted if the Third Party certificate has already been imported into eDirectory. Extract the private key file as follows:
Export the Personal Information Exchange File using iManager.
1. In iManager, go to xxxxxx Certificate Access | Server Certificates
2. Select the Third Party certificate's check box and click Validate. It should come back as Valid.
3. Select the Third Party Certificate by checking the box again.
4. Select Export and select the Third Party Certificate name in the ‘certificates’ drop down list of the certificates to export.
5. Select "Export private key" and "Include all certificates in the certification path if available."
6. Assign the private key a password. This will be used to protect the private key while it is being transferred. This password may be used in a future step.
7. Save the resulting PKCS#12 file (Personal Information Exchange format) to a secure location on the server. The default file name is cert.pfx.
8. On the server, run the following openssl command to extract the private key file. The key is written still protected by the passphrase assigned in step 6:
openssl pkcs12 -in cert.pfx -nocerts -out Privatekey.key
The server certificate can be extracted from the cert.pfx file as needed using the following command:
openssl pkcs12 -in cert.pfx -nokeys -out mycert.crt
Optionally, remove the passphrase from the private key with the following openssl command, so that the passphrase does not have to be entered every time Apache reloads. Type in the passphrase when prompted to complete the command:
openssl rsa -in Privatekey.key -out mykey.key
Edit the vhost-ssl.conf file so that it points to the server certificate and the private key file, including the correct path.
# Server Certificate:
SSLCertificateFile /etc/ssl/servercerts/mycert.pem (or mycert.crt)
# Server Private Key:
If there is an intermediate certificate, also point to it:
# Server Certificate Chain:
If there is a certificate bundle, also point to it:
# Certificate Authority (CA):
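The following is an added example and is not part of this TID: before pointing vhost-ssl.conf at the files extracted above, it checks that the private key belongs to the certificate, that the key no longer carries a passphrase, and that the certificate chains to the vendor bundle, then prints the matching directives. It assumes the openssl command line tool is installed; intermediate.crt and bundle.crt are placeholder names for the vendor-supplied files.

```shell
#!/bin/sh
# Added example, not part of this TID: sanity checks for the certificate and
# key files produced above, run before vhost-ssl.conf is pointed at them.
# Assumes the openssl CLI is installed; every file name here is a placeholder.

# Returns 0 when the RSA private key belongs to the certificate (the keys in
# this TID are RSA, so comparing the modulus is enough). A mismatch leaves
# Apache unable to start or to prove ownership of the certificate it serves.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Returns 0 when the key carries no passphrase, so apache2 can reload unattended.
# Both PEM headers ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY") match.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Returns 0 when the server certificate chains up to the CA bundle, through the
# intermediate certificate when one is given (pass "" when there is none).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Prints the vhost-ssl.conf directives (cert key [intermediate] [bundle]). An
# unencrypted key lets anyone who can read it impersonate the server, so it is
# restricted to its owner first.
print_ssl_directives() {
    chmod 600 "$2"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
    [ -n "$3" ] && printf 'SSLCertificateChainFile %s\n' "$3"
    [ -n "$4" ] && printf 'SSLCACertificateFile %s\n' "$4"
    return 0
}

# Run with --run to check the files named in this TID.
if [ "${1:-}" = "--run" ]; then
    d=/etc/ssl/servercerts
    cert_matches_key "$d/mycert.pem" "$d/mykey.key" || { echo "key does not match certificate" >&2; exit 1; }
    key_is_unencrypted "$d/mykey.key" || { echo "key still has a passphrase; run openssl rsa first" >&2; exit 1; }
    chain_verifies "$d/mycert.pem" "$d/bundle.crt" "$d/intermediate.crt" || { echo "chain does not verify" >&2; exit 1; }
    print_ssl_directives "$d/mycert.pem" "$d/mykey.key" "$d/intermediate.crt" "$d/bundle.crt"
fi
```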
Enable the SSL port (port 443) on the firewall. By default this port is closed to external traffic. Go to YaST -> Security and Users -> Firewall. Click Allowed Services, choose HTTPS Server from the drop-down menu and click Add. HTTPS Server is added to the list of allowed services for the firewall. Click Next and Accept.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7004384
- Creation Date: 04-Sep-2009
- Modified Date:10-Mar-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com