Instructions on how to add CA certificates to an SSLCACertificateFile, from Trustis.com.
Installing CA certificates
On startup, Stronghold loads CA certificates from the file specified by the SSLCACertificateFile entry in its ‘httpd.conf’ file.
To install the PEM format bundled CA certificate file, append its contents to the file that httpd.conf already references, as follows:
- Ensure that you have saved the PEM format bundled CA certificate as a text file.
- Open your 'httpd.conf' file and find the SSLCACertificateFile entry. By default the entry will be SSLCACertificateFile='/ssl/CA/client-rootcerts.pem'. You will find 'httpd.conf' in the directory /conf.
- Open the file identified by SSLCACertificateFile (for example, /ssl/CA/client-rootcerts.pem) in a text editor.
- Open the file that contains the PEM format bundled CA certificates (e.g. cachainpem.txt) in a text editor.
- Copy the contents of this PEM format bundled CA certificate file (including all the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines) to the clipboard.
- Now paste what you have just copied into the file identified by SSLCACertificateFile.
In most cases you will want to insert the bundled CA certificates at the end of the file and add a comment line to identify them; text outside the BEGIN/END markers is ignored when the file is read, so a comment does no harm. Before you paste, make sure the bundle is what you think it is: every certificate in this file becomes a root that client certificates are allowed to chain to, so compare each certificate's SHA-256 fingerprint with the value published by the CA, and keep a copy of the original file so that a bad paste can be undone.
- Save the modified file and close the text editor.
- Restart your web server. The file is read only at startup, so the new CA certificates are not trusted until the restart completes; a graceful restart is sufficient.
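The steps above carried out as a script, as an added example (not part of the Trustis instructions): it refuses a bundle whose BEGIN/END markers are unbalanced, backs up the existing file, labels what it appended, and can list the subject and SHA-256 fingerprint of every certificate in a bundle so you can compare them with the CA's published values before trusting them. The /ssl/CA paths are assumptions, and the sample PEM blocks are constructed placeholders with the right markers, not real certificates.

```shell
#!/bin/sh
# Added example: merge a PEM CA bundle into the file SSLCACertificateFile
# points at. Paths are assumed; the sample data below is constructed.

# Number of certificate blocks in a PEM file (prints 0 when there are none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when the file has at least one block and every BEGIN CERTIFICATE
# has a matching END CERTIFICATE. A truncated paste is the usual way the CA
# file gets broken, and a broken file stops the server from starting.
pem_balanced() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Append bundle $1 to CA file $2 under a comment header labelled $3, after
# backing up $2. Text outside the PEM markers is ignored when the file is
# read, so the header line is safe.
append_ca_bundle() {
    bundle=$1; target=$2; label=$3
    pem_balanced "$bundle" || { echo "refusing $bundle: unbalanced PEM markers" >&2; return 1; }
    cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    {
        printf '\n# %s: CA bundle appended %s from %s\n' \
            "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$bundle"
        cat "$bundle"
    } >> "$target"
}

# Print subject and SHA-256 fingerprint of every certificate in a PEM file,
# for comparison with the CA's published values. Needs openssl; the file is
# split one certificate per temporary file first.
list_fingerprints() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
        n { print > f }' "$1"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256
    done
    rm -rf "$tmp"
}

# Constructed sample files for a dry run in $1: placeholder blocks with the
# right markers, not real certificates (so do not run list_fingerprints on them).
make_sample_files() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-existing-root' \
        '-----END CERTIFICATE-----' > "$dir/client-rootcerts.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-new-root' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'placeholder-new-intermediate' '-----END CERTIFICATE-----' > "$dir/cachainpem.txt"
    # Truncated bundle, to exercise the refusal path.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-cut-off' > "$dir/truncated.txt"
}

# Against a real ServerRoot (paths assumed):
#   list_fingerprints /ssl/CA/cachainpem.txt
#   append_ca_bundle /ssl/CA/cachainpem.txt /ssl/CA/client-rootcerts.pem Trustis
#   apachectl -k graceful
```

Run list_fingerprints on the bundle first and only call append_ca_bundle once every fingerprint matches what the CA publishes; the backup file it leaves next to the CA file is the quickest way back if the server refuses to start afterwards.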
List of commands from a Citrix website to convert SSL certificates from one format to another.
Use the openssl command to convert between formats as follows:
- To convert a certificate from PEM to DER:
  openssl x509 -in input.crt -inform PEM -out output.crt -outform DER
- To convert a certificate from DER to PEM:
  openssl x509 -in input.crt -inform DER -out output.crt -outform PEM
- To convert a key from PEM to DER:
  openssl rsa -in input.key -inform PEM -out output.key -outform DER
- To convert a key from DER to PEM:
  openssl rsa -in input.key -inform DER -out output.key -outform PEM
The "rsa" subcommand is for RSA keys; EC keys use "openssl ec" and PKCS#8 files ("BEGIN PRIVATE KEY") can also be handled with "openssl pkcs8". Note that "openssl rsa" cannot encrypt DER output: converting a passphrase-protected PEM key to DER this way writes the key out in the clear, so give the output file the same owner-only permissions as the original.
By default, when you first get Apache2.2 installed and running correctly on Ubuntu 6.06, the doc_root (document root) is set to /var/www/apache2-default. That means that in order to navigate to the default page to see if your install is working, you have to go to http://localhost/apache2-default/ instead of just http://localhost. Ugh.
I don’t want to have to append the /apache2-default directory to my url when I am testing, or working with content on my Apache2.2 server. So, that value just had to be changed.
In the Ubuntu 6.06 installation of Apache2.2, the DocumentRoot value is set in a file called "default" located in the /etc/apache2/sites-available directory. That directory holds one file per site (virtual host), so the same Apache2.2 server can serve different DocumentRoot values for different host names.
Once I had changed the DocumentRoot value in the “default” file to /var/www, I then copied all of the files in the /apache2-default directory into its parent directory one level above:
/var/www# cp apache2-default/* .
Note that the trailing period signifies the current directory in Linux. Also note that "*" does not match dot files and that cp without -r skips subdirectories, so check the copy before relying on it.
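What the changed site file looks like, as an added example (not the page's own file and not the stock Ubuntu one; the overall layout and the log paths are assumptions). The part a practitioner should not skip is the <Directory> block that goes with the new root: the usual "Options Indexes" turns directory listings on for everything under /var/www, which exposes file names in any directory that lacks an index file, so the corrected block switches listings off.

```apache
# /etc/apache2/sites-available/default  (added example; assumed layout)
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    # Weak: "Indexes" makes Apache list the contents of /var/www and of any
    # subdirectory without an index file, exposing file names you did not
    # mean to publish. Shown commented out for contrast.
    #<Directory /var/www/>
    #    Options Indexes FollowSymLinks MultiViews
    #    AllowOverride None
    #    Order allow,deny
    #    Allow from all
    #</Directory>

    # Corrected: no listings, and symlinks are followed only when the link
    # and its target have the same owner.
    <Directory /var/www/>
        Options -Indexes +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

After editing, run "apachectl -t" to check the syntax, then restart; requesting a directory with no index file should now return 403 rather than a listing.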
In my last post I discussed where exactly the Apache2.2 executable was located in an Ubuntu 6.06 installation. (This assumes you have installed Apache2.2 at the time of installation, or at some point subsequent.) Once you have actually installed Apache2.2 – and know where it is located on your system – you are ready to start, stop, and restart the application.
Apache advises invoking the httpd daemon via the apachectl script. The syntax to start, stop, and restart Apache2.2 is the executable script name followed by the parameter "-k" and then the action you wish to take [start/stop/restart]. For starting the httpd daemon, you can instead pass the "-f" parameter with the location of the configuration file to be used: apachectl hands arguments it does not recognise straight to httpd, and httpd with no "-k" action simply starts, so the "start" action can be omitted. (A relative "-f" path is taken relative to ServerRoot.) "apachectl -k restart" and "-k graceful" check the configuration before signalling the running server, but it is still worth running "apachectl -t" yourself after editing the configuration so that a typo is found before you decide to restart.
The commands look like this:
/usr/sbin# ./apachectl -f /etc/apache2/apache2.conf
/usr/sbin# ./apachectl -k stop
/usr/sbin# ./apachectl -k restart
If you want to do things "gracefully" (and who doesn't), you can issue the stop and restart commands in a graceful manner. That is, the parent process "advises" each child process that is currently serving a request to exit once that request is complete, while idle children exit immediately; on a graceful restart the parent then re-reads its configuration and spawns new children, so open connections are not aborted.
To do a graceful restart:
/usr/sbin# ./apachectl -k graceful
To do a graceful shutdown:
/usr/sbin# ./apachectl -k graceful-stop
Here is the actual manual for running Apache 2.2.
First off, Apache2.2 wasn’t installed in my default installation of Ubuntu 6.06. The reason this surprised me was because a) it was part of the default installation in Fedora, and b) there were various configuration files and directories which indicated that it should have been installed.
After I ran the installation of Apache2.2 via Synaptic, I needed to know where to go to stop and start the http server.
First, the aforementioned configuration files are located at:
The Apache2.2 executable(s) are located at:
If you want to give Apache2.2 the ability to serve up an index.php file by default, in addition to index.html, you must add "index.php" to the DirectoryIndex entry in the httpd.conf file for Apache2.2. Apache tries the listed names in order and serves the first one that exists, so with the order below an index.html sitting next to an index.php wins; list index.php first if PHP should take precedence.
The entry needs to look something like this:
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
DirectoryIndex index.html index.php
Straight out of the box, with no configuration:
service httpd start
If /sbin is not in your path:
/sbin/service httpd start
You might also have to enable WWW services in Administration > Security Level and Firewall.