You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.
1- Retrieve your certificate(s) on your server
Go back to where the private key was generated, for example:
In the delivery email you'll find several links. Click on them and download the associated files (from your certificate's status page, click on 'See the certificate' or 'See the last certificate'):
- A: your server certificate (.cer or .crt file)
- B: the certification chain (.txt file)
OpenSSL commands to convert the certificate to other formats:
- Convert PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
- Convert PEM to P7B: openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
- Convert PEM to PFX: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- To convert a P7B to PEM, copy the .p7b file into the same directory as the OpenSSL executable and run openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem, with certificate.p7b replaced by the name of the existing cert, and your name for the exported cert replacing certificate.pem (ex.
- If you can open the .p7b with a text editor and see "-----BEGIN PKCS7-----", then you have a PEM-formatted p7b. In this case, you don't want to use -inform der, because that tells openssl to expect a binary file, but this one is in text (base64) format. You can read more about the differences between PEM and DER here.
2- Set up Apache
To install a cert on Apache, you'll have to define 3 variables in the configuration file of your server:
- SSLCertificateKeyFile path to the private-key.key file used for the initial generation of the CSR
- SSLCertificateFile path to the certificate.cer
- SSLCertificateChainFile (or SSLCACertificateFile) path to the chain.txt file. This file contains the certificate(s) forming the certification chain of your certificate (it can be updated at any time, so after each renewal or reissuance, reinstall the latest certification chain).
If you are using Apache 1.3 with mod_ssl, Apache 2 or similar packages (Mac OS X, WAMP, EasyPHP)
Find the configuration file of your Apache. It is often:
You can also find the SSL setup in another file. For example:
Or in a Windows environment (EasyPHP, WAMP, ...):
Note: your Apache setup might raise problems if:
- the path includes special characters such as spaces, brackets (), accents (éàèêîï), ...
- the path is too long (> 200 characters)
- the private key, certificate or certification chain files can't be read by the user/session that runs the Apache/httpd server.
If you only have one certificate on this machine, find the section beginning with:
and edit the following directives to make them point at your files:
Warning: SSLHonorCipherOrder is not available on every version of Apache, see our documentation.
And for your certification chain (B), add:
For very old versions of Apache, see SSLCACertificateFile
Disable SSLv2 and SSLv3 on your Apache server
In your Apache configuration, for example:
- General configuration of the server: /etc/apache2/conf/httpd.conf
- SSL Module / SSL configuration : /etc/apache2/conf/sites-enable/ssl.conf
- Your site configuration : <VirtualHost *:443>
Find the SSLProtocol parameter and disable SSLv2 and SSLv3, for example:
What are the risks linked to obsolete protocols?
N.B.: in this configuration, we also recommend the following settings for the protocols, key exchange and cipher algorithms:
Tomcat under Apache APR
3- Restart Apache and run a test
Once set up, restart the Apache server. Check the log (for any syntax error) and verify access to your website's secured pages with IE 6 and Firefox.
N.B.: if the certificate does not match the private key, Apache won't be able to restart and the HTTP service will then be out of order.
How to make sure your certificate matches the key?
On Windows platforms (EasyPHP, WAMP, ...)
- You must see an administration/management menu in the task bar of your Apache server to start and stop it.
- Make sure the HTTPS port (443) is open in the Firewall rules.
- If an error occurs the server might not start. You'll then need to consult the error logs: the error messages can also appear in the Windows 'Event Logs'.
Activate OCSP Stapling
We recommend activating OCSP Stapling to give your users proof that your certificate has not been revoked, more efficiently than with the basic mechanisms provided by browsers.
Activate HSTS support
To protect your users from man-in-the-middle attacks and to guarantee your site security, we advise activating HSTS.
Generate strong DH groups
We recommend generating unique DH groups on your machine in order to enhance its security level. To do so, execute the following command and place its result in a file available on your web server (SSL2015 file for example).
If you use OpenSSL 1.0.2+
Add the following line to your configuration:
If you use an older version of OpenSSL
Edit your certificate file (pem-xxx-yyy.pem) and add at the end of it the content of the dhparams.pem file you just generated.
Fine-tuning the cipher level
In a standard installation under Linux, the advanced SSL configuration file is located
- Set up Apache for a 128-bit server certificate
Choose a strong elliptic curve for ECDH (OpenSSL 1.0.2+)
We recommend that you choose a strong elliptic curve for the ECDH key exchange:
4 - Check the installation of your certificate using CO-PiBot:
On your certificate status page, in your customer area at TBS CERTIFICATS, you will find a button 'Check your certificate' to test the correct installation of your certificate.
Apache and SNI (TLS Server Name Indication)
SNI lets you install several SSL certificates on a single server using a single IP address. Almost all browsers are compatible with SNI (consult the list).
- Make sure the SSL module installed on your Apache server can handle SNI (Apache/mod_ssl)
- In the SSL configuration, forbid the use of SSL versions 2 and 3: SSLProtocol all -SSLv2 -SSLv3
- For each VirtualHost indicate the private key, the certificate and the certification chain to be used:
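The following is an added example, not a snippet from TBS CERTIFICATS: it pulls together step 2 (the three certificate directives), the hardening recommendations above (SSLv2/SSLv3 disabled, cipher order, DH groups and ECDH curve via SSLOpenSSLConfCmd, OCSP stapling, HSTS) and the SNI case with two names on one IP address. It assumes Apache 2.4 with OpenSSL 1.0.2+, mod_ssl and mod_headers loaded; every path, host name and the dhparams.pem file are placeholders.

```apache
# Added example (not TBS CERTIFICATS' own snippet): a hardened Apache 2.4 setup
# with OpenSSL 1.0.2+, mod_ssl and mod_headers. Paths and names are placeholders.
Listen 443

# Protocol and cipher policy, shared by every TLS virtual host on this server.
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLCompression          off

# Unique DH group generated on this machine (openssl dhparam -out dhparams.pem 2048)
# and a strong curve for the ECDH key exchange.
SSLOpenSSLConfCmd       DHParameters "/etc/apache2/ssl/dhparams.pem"
SSLOpenSSLConfCmd       Curves secp384r1:prime256v1

# OCSP stapling: Apache fetches the OCSP response itself and sends it in the handshake.
# SSLStaplingCache must sit outside any <VirtualHost>.
SSLUseStapling          on
SSLStaplingCache        "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    # A: server certificate; B: certification chain; the key that produced the CSR.
    SSLCertificateFile      /etc/apache2/ssl/certificate.cer
    SSLCertificateChainFile /etc/apache2/ssl/chain.txt
    SSLCertificateKeyFile   /etc/apache2/ssl/private-key.key
    # HSTS: a browser that has seen this header refuses plain HTTP to the site for a year.
    # Keep includeSubDomains only if every subdomain is served over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# A second name on the same IP address, selected by SNI: each host gets its own
# certificate, chain and key, while the policy above applies to both.
<VirtualHost *:443>
    ServerName secure.example.net
    DocumentRoot /var/www/secure.example.net
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/secure.example.net.cer
    SSLCertificateChainFile /etc/apache2/ssl/secure.example.net-chain.txt
    SSLCertificateKeyFile   /etc/apache2/ssl/secure.example.net.key
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Run apachectl configtest before restarting so a syntax error cannot take the HTTPS service down. To confirm a certificate matches its key before the restart, compare the output of openssl x509 -noout -pubkey -in certificate.cer with that of openssl pkey -pubout -in private-key.key: the two PEM public keys must be identical.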
External links about SNI
- Apache + SNI: having several SSL certificates on a single IP address
- Note: For servers that do not support SNI.
Solution: order a UCC certificate (Multi-SANs) or Wildcard.
Convert P7B to X509
- Create a PKCS#12 (or PFX) from OpenSSL files (PEM: .cer, .p7b, .key)