What is an SSL certificate chain file?
Edit: It may have been preferable to ask this on Server Fault, but my reputation wouldn't allow me to post more than 2 links. :(

I want the pages that require passwords on my website to be secure, so I followed this to create a custom SSL certificate. I also followed this, because it explains how to generate self-signed multidomain certificates (the subjectAltName allows me to have a valid certificate for example.com and *.example.com; I didn't find another way to do this). I had to mix the commands to get what I wanted, and I think what I did is OK (though I'll detail it later, just in case). Now I have to configure Apache to listen for queries on port 443 and provide SSL security on the corresponding pages. So I found this.

When defining a VirtualHost listening on port 443, it says:

    <VirtualHost 127.0.0.1:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/something.crt
        SSLCertificateKeyFile /etc/apache2/ssl/something.key
        SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
        ...
    </VirtualHost>

I think I know which files I need to specify for the SSLCertificateFile and SSLCertificateKeyFile fields, but I can't seem to figure out what SSLCertificateChainFile is. What I found by searching on Google and the Stack Exchange communities didn't help me so far, so I'm asking it clearly here:

What file should I provide for SSLCertificateChainFile, and how do I create it if needed?

Here are the files I created following the instructions of the different links, with the commands I used to create them.

- Certificate authorization key (ca.key):
      openssl genrsa -des3 -out ca.key 1024
- Key certificate (ca.san.csr):
      openssl req -new -key ca.key -out ca.san.csr -config /etc/ssl/openssl.cnf
  Here I specified the config file path because I had to alter it a little bit to add the subjectAltName. I checked that it went well with openssl req -text -noout -in ca.san.csr. This is described here.
- Creation and signature of the certificate (ca.san.crt):
      openssl x509 -req -days 3650 -in ca.san.csr -signkey ca.key -out ca.san.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf
  Again, the conf file is needed because the subjectAltNames are defined in it.
- Server key (server.key):
      openssl genrsa -out server.key 1024
- Key certificate (server.san.csr):
      openssl req -new -key server.key -out server.san.csr -config /etc/ssl/openssl.cnf
- Server certificate (server.san.crt):
      openssl x509 -days 3650 -CA ca.san.crt -CAkey ca.key -set_serial 01 -in server.san.csr -req -out server.san.crt

For SSLCertificateFile, I thought I'd provide the server.san.crt file, which seems the logical thing to me, as well as the server.key file for SSLCertificateKeyFile. SSLCertificateChainFile seems to ask for a .crt file, so it may be the other .crt file I have, ca.san.crt, but I'm not sure about this.

Does anyone have a hint? Thank you for your time reading this.

Solution: In my particular case, since I am using a custom certificate, SSLCertificateChainFile doesn't make much sense (see the marked answer below). Thus, you have to specify the same certificate file for both directives, SSLCertificateFile and SSLCertificateChainFile. There's one other thing you need to do with Apache before you can use the SSL* directives. SSL is disabled by default on Apache, so you need to enable it with sudo a2enmod ssl, or when restarting Apache you get an error saying you may have misspelt something in your vhosts files. Once you have done this and restarted the server, you may connect to your vhosts with HTTPS. Your browser will tell you the certificate is not valid because it is self-signed, but the connection will be secure.

> I want the pages that require passwords on my website to be secure

Just a note. As a best practice, your entire web site should be protected with SSL. Here is a blog post that explains why SSL on authentication pages is not sufficient: Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute (although it is related to ASP MVC, other platforms are affected too).

> but I can't seem to figure out what SSLCertificateChainFile is

I think this is a PKCS#7 container that contains intermediate CA certificates. With self-signed certificates, there are no other certificates, hence (sorry, I'm not an Apache expert) this file may be:

1. the self-signed certificate (only the public part)
2. deleted (this file doesn't make sense for self-signed SSL certificates)
3. empty (less likely, as Apache may complain about a wrong file format).

I would go with step 1: pass the same certificate to both the SSLCertificateFile and SSLCertificateChainFile parameters.
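
An added example, not part of the original question or answer: a shell script that rebuilds the question's CA-plus-server layout as a throwaway PKI and reports which certificate, if any, forms the chain for a given server certificate. It assumes the openssl CLI is installed; the subject names, 30-day lifetime, 2048-bit keys and the function names make_pki, is_self_signed and chain_for are illustrative choices.

```shell
#!/bin/sh
# Added example: throwaway PKI reusing the question's file names (constructed data).
# Assumes the openssl CLI; subjects, lifetimes and function names are illustrative.
WORK=$(mktemp -d)

# Root CA (self-signed) plus a server certificate signed by it, as in the question.
make_pki() (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > san.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test CA' \
        -keyout ca.key -out ca.san.csr &&
    openssl x509 -req -days 30 -in ca.san.csr -signkey ca.key \
        -extfile ca.ext -out ca.san.crt &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout server.key -out server.san.csr &&
    openssl x509 -req -days 30 -in server.san.csr -CA ca.san.crt -CAkey ca.key \
        -set_serial 01 -extfile san.ext -out server.san.crt
) >/dev/null 2>&1

# True when issuer name equals subject name: such a certificate has no chain.
# Returns 2 if the file cannot be parsed, so a missing file is never "self-signed".
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$s" = "$i" ]
}

# Print what belongs in the chain file for server cert $1, given candidate issuer $2.
chain_for() {
    if is_self_signed "$1"; then
        echo none
    elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "$2"
    else
        echo unknown
    fi
}

make_pki || echo "PKI generation failed" >&2
chain_for "$WORK/server.san.crt" "$WORK/ca.san.crt"   # CA-signed: prints the CA path
chain_for "$WORK/ca.san.crt" "$WORK/ca.san.crt"       # self-signed: prints none
```

On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediate certificates are appended to the file named by SSLCertificateFile instead.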