How to install a SWITCHpki QuoVadis certificate in the Apache HTTP server

For the Apache HTTP server and mod_ssl, the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives are used to configure the server's certificate. There are two possible options, which apply to both Apache HTTP server 2.2.x and 2.4.x:

Option 1: Server certificate and intermediate CA in the same file

Recommended for best compatibility with future Apache HTTP server versions (2.4.8 or later)

The SSLCertificateFile and SSLCertificateChainFile directives can refer to the same file name, provided that this file includes both the server certificate and the intermediate CA certificate (concatenated, in PEM format, server certificate first). In this case, the configuration looks like this:

SSLCertificateKeyFile   myserver.key
SSLCertificateFile      myserver.crt.pem
SSLCertificateChainFile myserver.crt.pem
# SSLCertificateChainFile is needed for the Apache HTTP server up to 2.4.7

A properly formatted file for use with this option can be retrieved from the SWITCHpki download page, where it is listed as Server certificate with chain in PEM format.

The advantage of this option is that it is future-proof: with the Apache HTTP server 2.4.8 and later, the SSLCertificateChainFile directive is obsolete (it is deprecated in favor of a more versatile form of the SSLCertificateFile directive, which can include intermediate CA certificates as well, making it possible to use a single configuration directive and file).

Option 2 (legacy): Server certificate and intermediate CA in separate files

This is the configuration which was favored by SWITCH until spring 2014. In this case, the file referenced by SSLCertificateFile only includes the server certificate ("end-entity certificate"), while the intermediate CA certificate is stored in the file pointed to by SSLCertificateChainFile. In the Apache HTTP server configuration, separate file names for each of the three directives are used:

SSLCertificateKeyFile   myserver.key
SSLCertificateFile      myserver.crt.pem
SSLCertificateChainFile qvsslg2.crt.pem
# for EV SSL certificates with the CT extension (introduced in February 2015)
# SSLCertificateChainFile qvevssl1.crt.pem

The files for the SSLCertificateChainFile directive can be retrieved from https://www.switch.ch/pki/manage/download/qvsslg2.crt.pem (Business SSL certificates or EV SSL certificates without the CT extension) or https://www.switch.ch/pki/manage/download/qvevssl1.crt.pem (EV SSL certificates with the CT extension), respectively.

Enabling OCSP Stapling

Apache supports OCSP Stapling since version 2.4. Enabling OCSP Stapling is highly recommended. (Also see this IAB Statement on OCSP Stapling.)

The following instructions describe how to enable OCSP Stapling in Apache. For detailed information on the various statements and for specific configuration needs, please consult the Apache SSL Documentation.

DISCLAIMER: SWITCH provides these configurations on best effort. Please carefully check whether this configuration suits your needs.

Red Hat Enterprise Linux 7, CentOS 7, and Fedora 20

You need to add the following configuration to the file /etc/httpd/conf.d/ssl.conf:

# OCSP Stapling

SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off

You need to add these statements before the following existing lines:

##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>

Ubuntu (14.04LTS), Debian (8 "jessie")

You need to add the following configuration to the file /etc/apache2/mods-available/ssl.conf:

# OCSP Stapling

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off

You need to add these statements before the following existing line:

</IfModule>
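A quick placement check for the stapling block described above, written here as an added example and not part of the SWITCH page: it confirms that SSLStaplingCache sits in the global server context (that directive is not allowed inside a <VirtualHost>, so a misplaced block stops httpd from starting) and that SSLUseStapling on is present. The two sample configurations are constructed inline; the file paths in the usage comment are only the ones the page names.

```shell
#!/bin/sh
# Added example, not SWITCH's own tooling.
# Usage: check_stapling_placement /etc/httpd/conf.d/ssl.conf
#    or: check_stapling_placement < /etc/apache2/mods-available/ssl.conf
# Exit 0 when SSLStaplingCache is outside every <VirtualHost> and
# "SSLUseStapling on" is configured; exit 1 with a reason otherwise.
check_stapling_placement() {
    awk '
        BEGIN { depth = 0; use = 0; cache = 0; bad = 0 }
        /^[ \t]*#/ { next }                        # ignore comment lines
        /^[ \t]*<VirtualHost/ { depth++ }
        /^[ \t]*<\/VirtualHost/ { depth-- }
        /^[ \t]*SSLUseStapling[ \t]+[Oo][Nn]/ { use = 1 }
        /^[ \t]*SSLStaplingCache[ \t]/ {
            # server-config context only: inside a vhost httpd rejects it
            if (depth > 0) bad = 1; else cache = 1
        }
        END {
            if (bad)   { print "SSLStaplingCache found inside <VirtualHost>"; exit 1 }
            if (!use)  { print "SSLUseStapling on not found"; exit 1 }
            if (!cache) { print "SSLStaplingCache missing from server context"; exit 1 }
            print "ok: stapling configured in server context"
        }' ${1:+"$1"}
}

# Constructed sample: the block placed before the vhost, as the page instructs.
good_conf() {
    cat <<'EOF'
# OCSP Stapling
SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
SSLStaplingReturnResponderErrors off
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
EOF
}

# Constructed sample: the same block pasted inside the vhost by mistake.
bad_conf() {
    cat <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
</VirtualHost>
EOF
}
```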