To create a signed certificate, we first ran genkey and created a file that I happened to call cs.wellesley.edu.1.csr. I put that in /etc/pki/tls/certs.
When I uploaded it to the certificate company’s website, they complained that it didn’t meet the 2048-bit minimum, so I created a second as cs.wellesley.edu.2.csr.
After they did their work, I got an email back that looked like this:
* Click the following link to download your SSL certificate (generally try to use a version that includes intermediates & root or your certificate may be rejected by some older clients)
Format(s) most suitable for your server software:
as X509 Certificate only, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=12345678&format=x509CO
as X509 Intermediates/root only, Base64 encoded: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=12345678&format=x509IO
And no further information. Thanks to help from Andy Maroney, I now know that these files are the targets of two config variables in /etc/httpd/conf.d/ssl.conf. There’s also a third variable that needs to be configured.
- The first one downloads as cs_wellesley_edu_cert.cer. I put it in /etc/pki/tls/certs and made it the value of SSLCertificateFile.
- The second one downloads as cs_wellesley_edu_interm.cer. I put it in /etc/pki/tls/certs and made it the value of SSLCertificateChainFile.
- The third variable is SSLCertificateKeyFile and the value of that is set to a file that was generated simultaneously with the original .csr file, and that is /etc/pki/tls/private/cs.wellesley.edu.key. (That file holds the private key and is readable only by root.)
Restart Apache and you’re done!
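Because more than one CSR was generated along the way, it is worth confirming before the restart that the downloaded certificate belongs to the key that SSLCertificateKeyFile names. The script below is an added example, not part of the original post: it checks the key size against the 2048-bit minimum, the key file's permissions, and that certificate and key share a public key. The function names are hypothetical and the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: sanity checks on the files ssl.conf points at, run before
# restarting Apache. Function names are hypothetical, not from the post.

MIN_BITS=2048   # the minimum the certificate company enforced

# Print the size of a private key in bits, e.g. "2048".
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed if the key is at least $2 bits (default MIN_BITS).
key_meets_minimum() {
    bits=$(key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-$MIN_BITS}" ]
}

# Succeed if group and other have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the certificate was issued for this private key, i.e. both
# files yield the same public key.
cert_matches_key() {   # $1 = SSLCertificateFile, $2 = SSLCertificateKeyFile
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks and report the first failure on stderr.
check_tls_files() {    # $1 = certificate, $2 = private key
    key_meets_minimum "$2" || { echo "key is under $MIN_BITS bits" >&2; return 1; }
    key_is_private "$2" || { echo "key is accessible to group/other" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    echo "certificate and key look consistent"
}

# Usage: sh check_tls.sh <certificate> <private key>
if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it as root with the SSLCertificateFile and SSLCertificateKeyFile paths, since the key is readable only by root.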