daknetworks.com


Install Rapid SSL Certificate, RapidSSL Intermediate Certificate & RapidSSL CA

When you get a RapidSSL certificate (see instructions below somewhere), you have to install it. You also have to install the intermediate certificate that signed it, and the certificate above that one: the certificate authority's own certificate, also known as the root CA. The intermediate and root certificates together are what is variously called the CertificateChainFile, the intermediate file, the intermediate bundle or the CA bundle.

So our directory structure from below is:

ssl.crt
ssl.key
ssl.pem

We'll change into the certificate directory:

cd ssl.crt

In this directory you should have server.crt, the certificate you bought, which they sent you in an email.

You should also have the intermediate certificate file. This is also called the CA bundle.

Caution! The email only contains the single intermediate certificate, not the bundle; you have to go and get that yourself. Worse, the link in the email points at the wrong CA bundle.

The problem with the RapidSSL bundle is that it contains only the RapidSSL CA (the intermediate) and the GeoTrust cross root CA, and nothing else.

The GeoTrust cross root CA is here:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668

That works fine for newer devices such as Android phones, because they have the GeoTrust cross root CA in their trust store.

It does not work for older, long-lived production systems such as CentOS 4, RHEL 4, or anything shipping OpenSSL 0.9.7a-43.17.el4_8.6. Those systems have a different CA store (the set of root certificates they trust), and the GeoTrust cross root CA is not in it.

What is in their store is the older GeoTrust Global CA, which is a different certificate from the GeoTrust cross root CA (confusing, isn't it). So first we have to download that one as well:

So now the directory looks like this:

server.crt
RapidSSL_CA_bundle.pem
GeoTrust_Global_CA.cer

Great! Now we join these into one file. Order matters: the server certificate first, then the intermediate, then the root, so that every certificate is followed by the one that signed it. Passing each file through openssl x509 re-encodes it as clean PEM (and catches a file that is really DER, or has Windows line endings); do not add -text, which would write a human-readable dump in front of every PEM block and bloat the file. Also be aware that openssl x509 only reads the first certificate in a file, so from RapidSSL_CA_bundle.pem only the RapidSSL CA intermediate is copied; the cross root is left out, and the resulting chain is server.crt, RapidSSL CA, GeoTrust Global CA, which is the one the older systems can validate. If GeoTrust_Global_CA.cer turns out to be DER rather than PEM, use -inform DER for that line.

openssl x509 -inform PEM -in "server.crt" > ca_bundle.crt
openssl x509 -inform PEM -in "RapidSSL_CA_bundle.pem" >> ca_bundle.crt
openssl x509 -inform PEM -in "GeoTrust_Global_CA.cer" >> ca_bundle.crt

That's it! You now have a file called ca_bundle.crt that you can point the server at directly. For my e-smith based server that's:

config setprop modSSL crt /home/e-smith/path/to/your/crt/ca_bundle.crt
signal-event domain-modify
signal-event email-update

This gives you a complete chain, with no certificate warnings in browsers (Firefox, Opera, Safari, IE) and none in email clients (Thunderbird, etc.).

You can test your work on the server itself, against the files in the certificate directory, with:

openssl verify -CAfile ca_bundle.crt -verbose server.crt

Bear in mind that every certificate in -CAfile is treated as trusted, so this only proves the file is internally consistent; it does not prove a client that trusts just the root can build the chain.
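The following is an added example, not code from the original post. It builds a chain file the same way as above but with the two checks a practitioner wants: that the certificates are in the right order (each issuer is the subject of the next certificate, ending in a self-signed root) and that the leaf verifies when only the root is trusted and the intermediate is supplied separately, which is what a real client does. It assumes the openssl CLI (1.0.2 or later) is on the PATH; the function names, the CA names ("Test Root CA", "Test Issuing CA") and the hostname www.example.test are made up for the demonstration and have nothing to do with RapidSSL or GeoTrust.

```shell
#!/bin/sh
# Added example (not from the original post). Throwaway root -> intermediate -> leaf PKI,
# a chain builder, an order checker and a client-style verify. Assumes openssl >= 1.0.2.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key_csr NAME CN: fresh EC P-256 key plus a CSR, both under $WORK (constructed test data).
gen_key_csr() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# make_test_pki: self-signed root, intermediate signed by it, leaf signed by the intermediate.
make_test_pki() {
  gen_key_csr root   "Test Root CA"
  gen_key_csr inter  "Test Issuing CA"
  gen_key_csr server "www.example.test"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1000 -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 1001 -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -set_serial 1002 -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
}

# build_chain OUT CERT...: re-encode each certificate as clean PEM and append it, leaf first,
# then each issuer in turn. No -text (that would prepend a dump to every block), and note
# that openssl x509 copies only the first certificate of each input file.
build_chain() {
  out=$1; shift
  : > "$out"
  for c in "$@"; do openssl x509 -in "$c" >> "$out"; done
}

# check_chain_order FILE: split the bundle with awk (not openssl x509, which reads one cert)
# and confirm cert[i].issuer == cert[i+1].subject, with the last cert self-signed.
check_chain_order() {
  d=$(mktemp -d)
  awk -v p="$d/c" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s%03d", p, n++) }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  want=""; subj=""; iss=""
  for c in "$d"/c*; do
    [ -f "$c" ] || break
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    if [ -n "$want" ] && [ "$subj" != "$want" ]; then
      echo "chain breaks: expected '$want' next, found '$subj'" >&2
      rm -rf "$d"; return 1
    fi
    want=$iss
  done
  rm -rf "$d"
  if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then return 0; else return 1; fi
}

# verify_leaf ROOT INTERMEDIATE LEAF: what a client does. Only the root is trusted; the
# intermediate is taken from the served chain (-untrusted), so a missing link shows up.
verify_leaf() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# verify_leaf_root_only ROOT LEAF: same check with no intermediate at all, i.e. what an
# incomplete bundle looks like to a client (openssl error 20, unable to get local issuer).
verify_leaf_root_only() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  make_test_pki
  build_chain "$WORK/ca_bundle.crt" "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt"
  check_chain_order "$WORK/ca_bundle.crt" && echo "chain order: ok"
  verify_leaf "$WORK/root.crt" "$WORK/inter.crt" "$WORK/server.crt" && echo "leaf via intermediate: ok"
  verify_leaf_root_only "$WORK/root.crt" "$WORK/server.crt" || echo "leaf without intermediate: fails, as expected"
}
demo
```

The order checker is the piece worth keeping around: run it against the bundle you are about to install, or against the PEM blocks that `openssl s_client -showcerts` prints for a live server, and a chain assembled in the wrong order or missing its intermediate is reported before any browser sees it.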

You can test the public HTTPS side with:

echo GET | openssl s_client -connect yourwebnameserver.tld:443

And the public IMAPS side with:

echo GET | openssl s_client -connect yourwebnameserver.tld:993

Both print the certificate chain the server sends and where it breaks, if it breaks; the "Verify return code" line at the end is the verdict.

Caution! Seeing a self-signed certificate at the top of the chain is normal: the root CA is always self-signed. What matters is the verify result. "Verify return code: 0 (ok)" means the chain validated. "self signed certificate in certificate chain" (error 19) means the chain ends in a root that the client doing the check does not have in its trust store, which is exactly the situation the older systems above were in, so it is only fine if the clients you care about trust that root.

Hope this helps someone. Most importantly me, since it took a good 48 hours to pull all this together from different places & trial and error.
