@n2o
Created December 31, 2015 14:01
Apache SSL Configuration with new StartSSL certificates

StartSSL reworked their homepage and some other things, and as a result sub.class1.server.ca.pem no longer seems to be supported. They now provide new certificates, which must be referenced in the Apache configuration. The new file is called 1_root_bundle.crt and contains everything you need to complete the certificate chain, so that clients can establish a trusted and secure connection to your web server.

Therefore, you have to use the new 1_root_bundle.crt instead of the old sub.class1.server.ca.pem. Change these lines in your Apache configuration:

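    SSLEngine on
    # Disable SSLv2 and SSLv3; the TLS versions stay enabled
    SSLProtocol all -SSLv2 -SSLv3
    # The trailing !RC4 removes every RC4 suite, including the ones named earlier in the string
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    # Server certificate and its private key
    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    # Intermediate bundle that replaces sub.class1.server.ca.pem.
    # Deprecated since Apache 2.4.8, where SSLCertificateFile can also carry the intermediates.
    SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt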
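
A check that the bundle really completes the chain, as an added example that is not part of the original gist: the script builds a constructed, throwaway root, intermediate and leaf and shows `openssl verify` rejecting the leaf on its own and accepting it once the intermediate bundle is supplied. The file names `ssl.crt` and `1_root_bundle.crt` reuse the gist's; `root.crt`, `ca.cnf`, the subject names and the helper functions are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. Every key and certificate here is constructed and throwaway;
# root.crt, ca.cnf and the subject names are assumptions, not StartSSL data.

# make_demo_pki DIR: create root.crt -> 1_root_bundle.crt -> ssl.crt in DIR.
make_demo_pki() {
    ( set -e; cd "$1"
      cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
      # gen NAME CN ARGS...: new RSA key NAME.key plus a request or certificate.
      gen() { n=$1; cn=$2; shift 2
              openssl req -config ca.cnf -newkey rsa:2048 -nodes \
                  -keyout "$n.key" -subj "/CN=$cn" "$@"; }
      gen root "Constructed Demo Root" -x509 -extensions v3_ca -days 2 -out root.crt
      gen inter "Constructed Demo Intermediate" -out inter.csr
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 \
          -extfile ca.cnf -extensions v3_ca -days 2 -out 1_root_bundle.crt
      gen leaf "www.example.test" -out ssl.csr
      openssl x509 -req -in ssl.csr -CA 1_root_bundle.crt -CAkey inter.key \
          -set_serial 3 -days 2 -out ssl.crt
    ) >/dev/null 2>&1
}

# chain_ok LEAF ROOT [BUNDLE]: succeed only if OpenSSL can build a path from
# LEAF to ROOT, using BUNDLE (the SSLCertificateChainFile content) when given.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
chain_ok "$demo/ssl.crt" "$demo/root.crt" \
    && echo "leaf alone: verified" || echo "leaf alone: chain incomplete"
chain_ok "$demo/ssl.crt" "$demo/root.crt" "$demo/1_root_bundle.crt" \
    && echo "leaf + 1_root_bundle.crt: verified" || echo "leaf + bundle: FAILED"
rm -rf "$demo"
```

Against a real deployment, call `chain_ok` with the files named in the Apache directives and a root certificate you already trust, before reloading the server.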