I am setting up a Certificate Authority for an intranet. There is a root certificate which will be installed on all the network machines, an intermediate certificate signed by the root, and an HTTP server certificate signed by the intermediate.
I need to bundle the HTTP and intermediate certificates in order for them to be validated by the root:
```
#> cat intermediate.crt server.crt > both.crt
#> openssl verify -CAfile root.crt both.crt
OK
```
However, I can't use `both.crt` and `server.private.key` for the internal website, because when Apache starts:

```
Certificate and private key mysite.com:443:0 from /www/both.crt and /www/server.private.key do not match
```

This is because `intermediate.crt` is the first entry in `both.crt`. If I switch the order of `server.crt` and `intermediate.crt`, then Apache launches but `both.crt` won't validate against `root.crt`.
The requirement is that `root.crt` is installed permanently, but `server.crt` and `intermediate.crt` are subject to change and need to be served ad hoc by Apache. How do I construct a certificate bundle which Apache accepts?
Put the server certificate as the argument to the `SSLCertificateFile` directive and a file containing all subordinate CAs, excluding the Root CA, as the argument to `SSLCertificateChainFile`. Finally, the private key for your server certificate as the argument to `SSLCertificateKeyFile`: