From popdata
Jump to: navigation, search

Apache Config


  • /etc/apache2/sites-available - definitions for websites
  • /etc/apache2/sites-enable - links to sites-available for websites that are enabled
  • /etc/apache2/mods-available - available apache modules
  • /etc/apache2/mods-enabled - modules actually enabled
  • /etc/apache2/ssl - SSL certificates

SSL Certificates

Lately boughts from To get a new one:

  • generate a CSR (certificate signing request). On any machine:
% openssl req -nodes -newkey rsa:2048 -keyout snagserver.key -out snagserver.csr
Generating a 2048 bit RSA private key
writing new private key to 'snagserver.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SNAG
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates two files: snagserver.key which is the private key for the webserver, and snagserver.csr which is the CSR file needed by the SSL provider. It is just a text file, and is pasted in when buying the certificate. (The format is Apache/Openssl) They will send a verification to one of the addresses for the domain (like or

  • Install certificate in the webserver

You will receive a zip attachement from the SSL provider by email:

% unzip -l 
  Length      Date    Time    Name
---------  ---------- -----   ----
     1521  2000-05-30 10:48   AddTrustExternalCARoot.crt
     1952  2000-05-30 10:48   COMODORSAAddTrustCA.crt
     2151  2014-02-12 00:00   COMODORSADomainValidationSecureServerCA.crt
     1895  2015-01-13 00:00   www_snag_ubc_ca.crt
---------                     -------
     7519                     4 files

The first three are the intermediate and root CA certificates, they need to be combined into one file:

cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt OMODORSADomainValidationSecureServerCA.crt > snag-chain.pem

Then copy the files into the /etc/apaches/ssl directory:

cp snag-chain.pem /etc/apache2/ssl/snag-chain.pem
cp www_snag_ubc_ca.crt /etc/apache2/ssl/snag-cert.pem
cp snagserver.key /etc/apache2/ssl/snag-key.pem

Then add these lines to one of the websites in /etc/apache2/sites-available:

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/snag-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/snag-key.pem
    SSLCertificateChainFile /etc/apache2/ssl/snag-chain.pem

Generate SSL for Cisco

Cisco needs the certificate in a different format, and it has to have a password on it.

openssl pkcs12 -export -in STAR_popdata_bc_ca.crt -inkey popdatserver.key -certfile AddTrustExternalCARoot.crt -certfile COMODORSAAddTrustCA.crt -certfile COMODORSADomainValidationSecureServerCA.crt -out popdata-cisco.p12

popdataserver.key is the private key, STAR_popdata_bc_ca.crt is the certificate from the provider, the other .crt files are the intermediate files. Enter a password and remember it. Then you can use the Cisco ASA web interface to add a new identity certificate using the popdata-cisco.p12 generated above. Then change the VPN anyconnect access interfaces to use that trustpoint.

Install certificate in Zimbra

As root backup old one:

cp /opt/zimbra/ssl/zimbra/commercial/commercial.key .
cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt .

Install new one

/opt/zimbra/bin/zmcertmgr verifycrt comm popdatserver.key popdata2015-cert.pem popdata2015-chain.pem
cp popdatserver.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm popdata2015-cert.pem popdata2015-chain.pem
/opt/zimbra/bin/zmcertmgr viewdeployedcrt