IT_Architect (Verified User, joined Feb 27, 2006, 1,088 messages)
Apparently, I don't understand certs. To save time, I'll tell you what I THINK I know, and you can correct me where I'm wrong.
There are two pieces to the security and they must match, the public certificate and the private key. The private key is generated off the server key when you create the CSR using the information you provide to create the CSR. When you submit your CSR, they can generate a cert that matches your private key without actually having it. When they send the cert back, you have both halves, and the rest of the world only sees the cert. Third parties can get the cert from the CA or you can give it to them, and their browser or other program can check the validity of the certificate with the CA. The one you need to hide is the private key.
Apache by default keeps the cert and the key in /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key respectively by virtue of the DA install, which places the following entries into the httpd.conf file located at /etc/httpd/conf/httpd.conf:
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
The ips.conf, in the same directory, and included by the httpd.conf, shows an IP address as well as something called Servername shared.domain, which is oddly on an IP address that is not the server's base address. It also points to a non-visible domain named /home/admin/domains/sharedip. I thought that address was available to be assigned to someone else as a private IP? I don't understand this.
It appears that the cert last made by the admin user ends up in the /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key directories, although one was named .tmp rather than the extension it should have.
Once the new cert works with Apache, you can copy the cert and key to the DirectAdmin area at /usr/local/directadmin/conf, chown them to root:directadmin, chmod, and modify the DirectAdmin.conf accordingly to use this copy of the files.
There is obviously something wrong with what I THINK I know. Before I ever make it to the DirectAdmin area, I have Apache problems whenever I restart Apache. (BTW, to see the error on the command line, I need to restart Apache twice.) The sites don't even come up, much less the SSL working.
Apparently I have some fuzzy logic that needs to be clarified. For one, what is it doing using the .93 address in the ips.conf file when the domain with the cert, and the server domain, use the .90 address, and DA shows everyone sharing the .90 address, not the .93 address? (Which I cannot be sure was ever set up correctly by the DC in the first place.)
I'm sure there are other connections I'm not making, but I would think Apache wouldn't have a cow if my new cert and key matched in the /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key directories, but it does.
What I need is a clear view of how this all works, and where my logic is faulty.
Thanks!
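The post above describes the cert/key relationship, the SSLCertificateFile/SSLCertificateKeyFile lines, and a key file that ended up with a .tmp extension. As an added example (not the poster's or DirectAdmin's code), the POSIX shell script below walks the real issuance path with the openssl CLI: a private key is generated first, a CSR is derived from it, a separate CA signs the CSR without ever seeing the private key, and the resulting cert is checked against the key by comparing public-key fingerprints. It also reads the two SSL directives out of an Apache config file and reports a missing file or a mismatched pair, which is the check a practitioner would want before restarting Apache. File names (server.key, server.csr, server.crt, ca.key, ca.crt), the demo CA and the CN www.example.com are assumptions for the example; the only external dependency is the openssl binary.

```shell
#!/bin/sh
# Example (not from the original post): key -> CSR -> CA-signed cert,
# plus a cert/key match check and an Apache SSL directive check.
# Requires the openssl command-line tool.

# SHA-256 of the public key inside a certificate.
pubkey_fp_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256
}

# SHA-256 of the public key derived from a private key (RSA or EC).
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256
}

# Returns 0 if the certificate was issued for this private key, 1 otherwise.
cert_key_match() {
    c=$(pubkey_fp_of_cert "$1")
    k=$(pubkey_fp_of_key "$2")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# Returns 0 if the cert chains to the given CA cert (what a browser does).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Reads SSLCertificateFile / SSLCertificateKeyFile from an Apache config
# fragment, then checks that both files exist and belong together.
# A path such as server.key.tmp that does not exist fails here, before
# Apache itself refuses to start.
check_apache_ssl_conf() {
    conf=$1
    crt=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf" | head -n 1)
    key=$(sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf" | head -n 1)
    [ -n "$crt" ] || { echo "no SSLCertificateFile in $conf" >&2; return 1; }
    [ -n "$key" ] || { echo "no SSLCertificateKeyFile in $conf" >&2; return 1; }
    [ -f "$crt" ] || { echo "missing certificate file: $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    cert_key_match "$crt" "$key" || { echo "cert and key do not match" >&2; return 1; }
    echo "ok: $crt matches $key"
}

# Issues a certificate in directory $1 (constructed demo data):
#   1. server.key is generated locally and never leaves this host
#   2. server.csr carries only the public key plus the subject
#   3. a demo CA signs the CSR; it sees the CSR and ca.key, not server.key
demo_issue() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=www.example.com" \
        -out "$dir/server.csr" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null
    echo "issued $dir/server.crt for $dir/server.key"
}

# Usage: sh cert_check.sh demo   (runs the whole walk-through in a temp dir)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    demo_issue "$tmp"
    cert_key_match "$tmp/server.crt" "$tmp/server.key" && echo "cert/key match"
    verify_against_ca "$tmp/ca.crt" "$tmp/server.crt" && echo "cert verifies against CA"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$tmp/server.crt" "$tmp/server.key" > "$tmp/ssl.conf"
    check_apache_ssl_conf "$tmp/ssl.conf"
    rm -rf "$tmp"
fi
```

Point check_apache_ssl_conf at the real httpd.conf (or at the DirectAdmin copies under /usr/local/directadmin/conf) to confirm the paths and the pair before restarting; `apachectl configtest` then reports any remaining syntax problem without taking the sites down.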