11-10-2011 05:44 AM
I am trying to enable SSL in a CAE 7.8 Core-Satellite environment. Everything as far as configuration through the Core and Satellite consoles seems to work, but the Configuration Server log shows a complaint that the Apache Server being used has an expired certificate (ca-bundle.crt).
When I check the actual certificate file, it is indeed expired (as of 10.23.2011). My question is: How do I get that certificate renewed or get a new one installed so that I can use SSL in my environment? I can find nothing on managing the Apache Server certificate in any reference manuals.
Any assistance or insight is appreciated.
11-10-2011 08:12 AM
You may just delete the offending certificate from the ca-bundle.crt (it is a text file). If it is the first one, this will be needed; otherwise, you may apply the latest patch for 7.8, which will have code that does not error out if one of the certificates is not valid in the Certificate Authority (CA) bundle. It is mostly the responsibility of the user to keep the CA bundle up to date. You could get a good version of all the CAs from the Internet; it is used by IE and so on. I could let you know in a future post how to get that.
For documentation, there is an SSL Implementation Guide which describes most of this.
11-11-2011 01:10 PM
Thank you for that quick reply. Yes, I checked the SSL Implementation Guide right off, but it does not discuss this particular situation at all. I have worked through all of the rest of the certificate-gathering steps and was trying to test, but this ca-bundle.crt issue stopped me cold.
I would appreciate any insight you can share about getting that ca-bundle.crt. Also, which CAE 7.8 patch should have had the fix you mentioned? I thought we were up-to-date on patches but maybe not.
11-11-2011 06:40 PM
I have attached the latest CA certificate bundle. My colleague usually gathers this for us. I will find out and let you know how to do it. Take care to rename to the correct name for your configuration - I suppose ca-bundle.crt.
11-16-2011 11:51 PM
One way to update the ca-bundle.crt would be:
- Look at the Certificate Authorities listed in the existing CA bundle, go to their web sites and see if any new ones are available. Add these.
- Delete the expired/revoked certificates from the bundle.
- Add any other new ones that are present in the standard bundles available on the net – used by web browsers. For this, one way would be to use a script to generate certificates, i.e. http://mxr.mozilla.org/seamonkey/source/security/n
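
The "delete the expired certificates from the bundle" step can be done mechanically rather than by hand-editing the text file. The following is an added example, not part of the original posts or of the product: it splits a PEM bundle into individual certificates and keeps only those that `openssl x509 -checkend` reports as still valid. It assumes the `openssl` command-line tool is on the PATH; the function name `prune_bundle` is hypothetical, and the script checks expiry only, not revocation.

```shell
#!/bin/sh
# Added example: prune expired certificates from a PEM CA bundle.
# Usage: prune_bundle IN_BUNDLE OUT_BUNDLE [WINDOW_SECONDS]
#   WINDOW_SECONDS = 0 (default) drops certificates that are already expired;
#   a larger value also drops those that expire within that many seconds.
# Prints "<kept> <dropped>" on stdout and one line per dropped cert on stderr.
# Text outside BEGIN/END blocks (comments naming each CA) is not copied, and
# a block that openssl cannot parse is dropped as well.
prune_bundle() (
    in=$1; out=$2; window=${3:-0}; kept=0; dropped=0
    tmp=$(mktemp -d) || exit 1
    # Write each BEGIN/END CERTIFICATE block to its own numbered file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/   { on = 0; close(f) }
    ' "$in"
    : > "$out"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            cat "$f" >> "$out"
            kept=$((kept + 1))
        else
            info=$(openssl x509 -in "$f" -noout -subject -enddate 2>/dev/null | tr '\n' ' ')
            echo "dropping: $info" >&2
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$kept $dropped"
)

# Run directly when given arguments, e.g.:
#   sh prune.sh ca-bundle.crt ca-bundle.new.crt
if [ "$#" -ge 2 ]; then prune_bundle "$@"; fi
```

Write the result to a new file and review the dropped list before swapping it in for the bundle Apache actually loads.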