Correctly configuring an SSL certificate is important for two reasons:

  • A wrong configuration may compromise security and defeat the very purpose of an SSL certificate.
  • A wrong configuration may break the normal functioning of your site.

Some time ago we got an SSL certificate signed by RapidSSL, and at the time I was not very good at configuring the Apache web server to use it. I googled a little, found out about the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives, and used them according to the documentation. For SSLCertificateChainFile I used only the intermediate certificate of RapidSSL.

Only recently I discovered that this is not the correct setup, because RapidSSL is not a root authority: its certificate is not bundled with the ca-certificates package on Linux distros, and it is not trusted by some older browsers and operating systems (e.g. when using websockets over https in Android browsers).

To fix this, one needs to create a new certificate bundle (e.g. /etc/ssl/certificates/rapidssl_intermediate_chain.crt) containing two certificates concatenated: the certificate of RapidSSL (in our case RapidSSL SHA256 CA - G3) and the certificate of its issuer, GeoTrust Inc., and use that file as the intermediate certificate:

  • For Apache2:
SSLCertificateChainFile /etc/ssl/certificates/rapidssl_intermediate_chain.crt
  • For an https server in node.js:
var fs = require('fs');
var httpsOptions = {
  key: fs.readFileSync('/etc/ssl/private/my_key.key'),
  cert: fs.readFileSync('/etc/ssl/certs/my_cert.crt'),
  // the bundle with the intermediate certificates (see above)
  ca: [
    fs.readFileSync('/etc/ssl/certs/rapidssl_intermediate_chain.crt')
  ]
};
var srv = require('https').createServer(httpsOptions).listen(443);

If you're lazy, you may download the file from https://gist.github.com/printesoi/7b4e01b77475c47ff957 and use it directly.

To check the https configuration of the server you may use the SSL Certificate checker from Symantec. This is a useful tool, as it also checks for common SSL errors and vulnerabilities such as POODLE, Heartbleed or FREAK.

This procedure is suitable for other certificate authorities as well. If your certificate is /etc/ssl/certificates/my_cert.crt you may find its issuer by running (the `CN *= *` pattern also matches the `CN = ` spacing that OpenSSL 1.1 and later print in the issuer line):

openssl x509 -inform pem -in /etc/ssl/certificates/my_cert.crt -noout -issuer | sed -n '/^issuer/s/^.*CN *= *//p'

In my case this prints RapidSSL SHA256 CA - G3. Download the certificate from your issuer's site, from the Symantec site or from other sites such as https://ssl-tools.net. You may repeat the command above on the issuer's certificate until you reach a root certificate authority.
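The following script is an added example, not part of the original post and not code from RapidSSL or Symantec. It builds a throwaway test PKI (root CA, two intermediate CAs, one server certificate; all names, subjects and file names are constructed for the demonstration) with nothing but the openssl command line, then shows both halves of the procedure above: the issuer walk from the server certificate up to the root is automated into a function that writes the intermediate chain bundle, and `openssl verify` plays the role of a client that trusts only the root, so you can see the verification fail when the server sends just the nearest intermediate (the original mistake) and succeed with the full bundle. It assumes `openssl` and `mktemp` are available.

```shell
#!/bin/sh
# Added example: throwaway PKI  root -> inter1 -> inter2 -> server,
# built in a temp dir. All subjects/paths are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# x509v3 extensions for CA certificates (constructed)
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# x509v3 extensions for the server certificate (constructed)
cat > srv_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF

# issue NAME SUBJECT ISSUER EXTFILE: create NAME.key/NAME.csr and sign the
# CSR with ISSUER's key (self-signed when ISSUER is empty) -> NAME.crt
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$4" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$4" -out "$1.crt" 2>/dev/null
  fi
}

issue root   "/O=Example/CN=Example Root CA"           ""     ca_ext.cnf
issue inter1 "/O=Example/CN=Example Intermediate CA 1" root   ca_ext.cnf
issue inter2 "/O=Example/CN=Example Intermediate CA 2" inter1 ca_ext.cnf
issue server "/O=Example/CN=www.example.test"          inter2 srv_ext.cnf

# Full distinguished names; the "sed" strips the "subject="/"issuer=" prefix
# so both old ("/O=.../CN=...") and new ("O = ..., CN = ...") formats compare equal.
subject_dn() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# build_chain LEAF CADIR OUT: the post's manual issuer walk, automated.
# Starting from LEAF, find in CADIR the certificate whose subject equals the
# current issuer and append it to OUT; stop at a self-signed root, which is
# not appended (clients already hold it; the server only needs to send the
# intermediates).
build_chain() {
  leaf=$1; cadir=$2; out=$3
  : > "$out"
  cur=$leaf
  while [ "$(subject_dn "$cur")" != "$(issuer_dn "$cur")" ]; do
    want=$(issuer_dn "$cur")
    next=
    for c in "$cadir"/*.crt; do
      if [ "$(subject_dn "$c")" = "$want" ]; then next=$c; break; fi
    done
    if [ -z "$next" ]; then echo "issuer not found: $want" >&2; return 1; fi
    if [ "$(subject_dn "$next")" = "$(issuer_dn "$next")" ]; then break; fi
    cat "$next" >> "$out"
    cur=$next
  done
}

# verify_server CHAINFILE: a client that trusts only root.crt validates the
# server certificate using the (untrusted) chain it was sent. Prints ok/fail.
verify_server() {
  chain=${1:-}
  if [ -n "$chain" ]; then
    openssl verify -CAfile root.crt -untrusted "$chain" server.crt >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1 && echo ok || echo fail
  fi
}

mkdir cas && cp inter1.crt inter2.crt root.crt cas/
build_chain server.crt cas full_chain.crt

echo "nearest intermediate only: $(verify_server inter2.crt)"   # fail
echo "full intermediate bundle:  $(verify_server full_chain.crt)" # ok
```

The bundle written by `build_chain` is what goes into `SSLCertificateChainFile` (or the node.js `ca` array) in the configuration above; `verify_server` with only `inter2.crt` reproduces the "unable to get issuer certificate" situation that older clients hit when the server omits part of the chain.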