I was setting up the EJBCA certificate authority behind an Apache server, for a commercial certificate, on CentOS 7, and the Apache version is 2.4.6.
With the Apache configuration in the file /etc/httpd/conf.d/ca.company.cz.conf (edited with vim):
NameVirtualHost ca.company.cz:80
<VirtualHost ca.company.cz:80>
DocumentRoot /var/www/
#Listen 80
# Proxy requests to EJBCA instances (only one on local machine configured)
<Proxy balancer://mycluster-kerb>
BalancerMember ajp://localhost:8009/ejbca/
</Proxy>
ProxyPass / balancer://mycluster-kerb/
RewriteEngine On
# Redirect all but the CRL Distribution Point, OCSP and Healthcheck to HTTPS
RewriteCond %{THE_REQUEST} !(/publicweb/webdist/certdist.*cmd=crl|/publicweb/status/)
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
# Treat requests to / and /ejbca/ as the same. Required by EJBCA's Admin Web.
RewriteCond %{THE_REQUEST} /ejbca/
RewriteRule ^/ejbca/(.*)$ /$1 [PT]
# Configure log
LogLevel debug
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
</VirtualHost>
NameVirtualHost ca.company.cz:443
<VirtualHost ca.company.cz:443>
DocumentRoot /var/www/
#Listen 443
RewriteEngine On
# Treat requests to / and /ejbca/ as the same. Required by EJBCA's Admin Web.
RewriteCond %{THE_REQUEST} /ejbca/
RewriteRule ^/ejbca/(.*)$ /$1 [PT]
# Configure secure SSL for this server using SSL certificate generated by EJBCA
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2
#SSLCertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt
SSLCertificateKeyFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/serverkey.key
SSLCACertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.crt
# Require Client SSL certificate for the Admin GUI
<Location /adminweb>
SSLVerifyClient require
SSLVerifyDepth 1
#SSLCACertificateFile /root/UBUNTU/ejbca_ce_6_3_1_1/p12/wildcard.system4u.cz_2015_incl_private_key.pem
</Location>
# Proxy requests to EJBCA instances (only one on local machine configured)
<Proxy balancer://mycluster-kerb>
BalancerMember ajp://localhost:8009/ejbca/
</Proxy>
ProxyPass / balancer://mycluster-kerb/
# Configure log
LogLevel warn
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
</VirtualHost>
I also included this configuration in httpd.conf:
Listen 80
Listen 443
Include conf.modules.d/*.conf
Include /etc/httpd/conf.d/ca.company.cz.conf
Include /etc/httpd/conf.d/*.conf
Then I checked the certificate, which had been converted from pfx format to crt format, with this output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:24:68:14:5c:8b:09:cd:44:0f:0b:e4:23:2d:0b:4e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
Validity
Not Before: May 4 00:00:00 2017 GMT
Not After : Jun 3 23:59:59 2019 GMT
Subject: CN=*.company.cz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
I also checked the certificate online and it was verified as a valid certificate. When I restarted the httpd service it showed me this error message:
Jul 19 17:57:42 c76vm4u.hosting4u.s4u httpd[22216]: SSLCertificateFile: file '/root/UBUNTU/ejbca_ce_6_3_1_1/p12/certificate.pem' does not exist or is empty
When I checked the certificate, it contained:
Bag Attributes
localKeyID: 5B 57 E2 C3 7F 0E 76 12 F1 70 35 44 91 CE 56 34 58 CE 5D B9
subject=/CN=*.company.cz
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
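The startup error above ("does not exist or is empty") is the check mod_ssl performs on every file an active SSL directive points at, and it only sees directives that are not commented out. The following added example (not code from the question, EJBCA or Apache) reproduces that check ahead of a restart: it reads a vhost fragment, ignores commented lines the way httpd does, verifies that each referenced file exists and is non-empty, looks inside the PEM files for the block type they should carry (a key file needs a PRIVATE KEY block, a certificate or CA file needs a CERTIFICATE block; the "Bag Attributes" preamble that openssl pkcs12 writes is tolerated), and flags a vhost that has SSLEngine on but no active SSLCertificateFile. The sample vhost and PEM files it builds are constructed, with the server certificate line commented out and an empty key file, to mirror the shape of the configuration in the question; the paths and helper names are assumptions.

```python
"""Pre-restart sanity check for the SSL file directives of an Apache vhost.

Added example, not part of EJBCA or Apache: it mimics the file checks mod_ssl
performs at startup so that a missing or empty file is found before httpd is
restarted.
"""
import os
import re
import tempfile

# Directives whose argument is a file that httpd opens at startup.
FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)


def active_ssl_file_directives(config_text):
    """Yield (directive, path) for each SSL file directive that is not commented out."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # httpd ignores comment lines, so a '#SSLCertificateFile' sets nothing
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_DIRECTIVES:
            yield parts[0], parts[1].strip().strip('"')


def pem_block_types(path):
    """Return the BEGIN block labels found in a PEM file, in order.

    Text before the first block (the 'Bag Attributes' lines written by
    openssl pkcs12) is skipped, as the PEM reader in mod_ssl skips it."""
    with open(path, "r", errors="replace") as fh:
        return PEM_HEADER.findall(fh.read())


def check_ssl_files(config_text):
    """Return {'missing': [directives], 'problems': [(directive, path, reason), ...]}.

    'missing' lists what a TLS vhost needs but does not set; 'problems' lists
    files that would make httpd fail at startup or serve the wrong material."""
    active = list(active_ssl_file_directives(config_text))
    present = {directive for directive, _ in active}
    problems = []
    for directive, path in active:
        if not os.path.isfile(path):
            problems.append((directive, path, "does not exist"))
            continue
        if os.path.getsize(path) == 0:
            problems.append((directive, path, "is empty"))
            continue
        types = pem_block_types(path)
        if directive == "SSLCertificateKeyFile" and not any("PRIVATE KEY" in t for t in types):
            problems.append((directive, path, "contains no PRIVATE KEY block"))
        if directive != "SSLCertificateKeyFile" and "CERTIFICATE" not in types:
            problems.append((directive, path, "contains no CERTIFICATE block"))
    missing = []
    if re.search(r"^\s*SSLEngine\s+on\b", config_text, re.M | re.I) and "SSLCertificateFile" not in present:
        # mod_ssl cannot serve a TLS vhost without a server certificate
        missing.append("SSLCertificateFile")
    return {"missing": missing, "problems": problems}


def run_demo():
    """Build constructed sample files and a vhost fragment shaped like the one in the
    question (server certificate line commented out, empty key file) and check them."""
    workdir = tempfile.mkdtemp()
    crt = os.path.join(workdir, "certificate.crt")
    key = os.path.join(workdir, "serverkey.key")
    with open(crt, "w") as fh:  # constructed PEM with a pkcs12-style preamble, not a real certificate
        fh.write("Bag Attributes\n    localKeyID: 00\nsubject=/CN=*.example.test\n"
                 "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    open(key, "w").close()  # empty key file: the case httpd reports as 'does not exist or is empty'
    vhost = (
        "SSLEngine on\n"
        "SSLCipherSuite HIGH\n"
        "#SSLCertificateFile %s\n"
        "SSLCertificateKeyFile %s\n"
        "SSLCACertificateFile %s\n" % (crt, key, crt)
    )
    return check_ssl_files(vhost)


if __name__ == "__main__":
    result = run_demo()
    for directive in result["missing"]:
        print("not set:", directive)
    for directive, path, reason in result["problems"]:
        print("%s: %s %s" % (directive, path, reason))
```

Running the script on a real vhost file means reading it into `check_ssl_files`; on the constructed sample it reports that SSLCertificateFile is not set and that the key file is empty, which is the kind of finding to resolve before `systemctl restart httpd`.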