
#4254 Virtualmin: single file with bundled cert and key (.pem)

1.630
open
nobody
5
2013-06-20
2013-06-16
No

Hello

Virtualmin currently isn't accepting SSL certificates which are bundled with the key in a single file.
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatefile

They are like regular PEM format Certificate and Private key files, except that they contain the content from both files, one after another (in any order).

Example:
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
(...)
-----END RSA PRIVATE KEY-----

The file extension is typically .pem.
As stated, the cert and key can come in any order.

Discussion

  • Luís Pedro Algarvio

    how to implement

    add "Bundle of Certificate and Private Key"
    the apache directive is SSLCertificateFile.
    SSLCertificateKeyFile must be removed when using a single file.

    the other options will need a change: no file option, and rename to "Certificate" and "Private key"

     
  • Jamie Cameron

    Jamie Cameron - 2013-06-16

    This should be supported actually..

    Which specific page in Webmin or Virtualmin are you attempting to use a combined cert/key file on?

     
  • Luís Pedro Algarvio

    on "Manage SSL Certificate", /virtual-server/cert_form.cgi

     
  • Jamie Cameron

    Jamie Cameron - 2013-06-17

    Which specific field did you use to enter the combined SSL cert/key ?

     
  • Luís Pedro Algarvio

    on "Signed SSL certificate".

    The field does not specify that it accepts bundles/combined cert+key.
    Additionally, if that field would allow such files, "Matching private key" does not have an option "No file" (and remove the existing file if present).

    I also had the following errors:

    "Failed to install certificate : Missing or invalid signed SSL certificate : Data does not end with line -----END CERTIFICATE-----"
    When uploading a cert+key, with cert on top of file

    "Failed to install certificate : Missing or invalid signed SSL certificate : Data does not start with line -----BEGIN CERTIFICATE-----"
    When uploading a cert+key, with cert on bottom of file.

    In short, it's not accepting bundles.
    Some software explicitly require a pem file with cert+key, while others only accept split files, or accept both. Apache for instance, accepts both, but recommends split files because of file permissions.

    Depending on the openssl commands or tools like TinyCA, the order in the file may be different.
    Also, Windows does not accept bundles where the cert is on the bottom of the file (must come first), and uses the .crt extension.

     

    Last edit: Luís Pedro Algarvio 2013-06-17
  • Jamie Cameron

    Jamie Cameron - 2013-06-17

    The "signed SSL certificate" field is normally used for entering the cert that you got back from your CA, after they have signed it. That file would never contain a key, because the CA doesn't normally get to see your key.

    Are you trying to install a signed cert based on a CSR that you generated within Virtualmin?

     
  • Luís Pedro Algarvio

    I'm issuing certificates made with my own CA, using openssl commands and tinyca2.
    I've also used some self-signed certificates.

    They are regular bundles of certs+key. Tried only with unencrypted keys.

     
  • Jamie Cameron

    Jamie Cameron - 2013-06-20

    Ok, the correct place to upload such a cert and key would be the "Update Certificate and Key" tab. However, it doesn't currently support a file that contains both .. I'll look into that.
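
One way to accept the combined file discussed in this ticket, with the certificate and key in either order, and split it into the two files that SSLCertificateFile and SSLCertificateKeyFile expect. This is an added example, not Virtualmin's own code; the function names and the sample PEM bodies are constructed for illustration.

```python
import os
import re

# One PEM block; the BEGIN and END labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed placeholders, not real key material.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "Q09OU1RSVUNURUQgQ0VSVA==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Q09OU1RSVUNURUQgS0VZ\n"
              "-----END RSA PRIVATE KEY-----\n")
CERT_FIRST = SAMPLE_CERT + "\n" + SAMPLE_KEY
KEY_FIRST = SAMPLE_KEY + "\n" + SAMPLE_CERT


def split_pem_bundle(text):
    """Return (certs, key, encrypted) for a combined file, in either order."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0) + "\n"
        if m.group(1) == "CERTIFICATE":
            certs.append(block)
        elif m.group(1) in KEY_LABELS:
            keys.append(block)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError("expected one private key, found %d" % len(keys))
    key = keys[0]
    encrypted = ("ENCRYPTED PRIVATE KEY" in key
                 or "Proc-Type: 4,ENCRYPTED" in key)
    return certs, key, encrypted


def write_split(certs, key, cert_path, key_path):
    """Write split files; the key file is readable by its owner only."""
    with open(cert_path, "w") as f:
        f.write("".join(certs))
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing key file
    with os.fdopen(fd, "w") as f:
        f.write(key)
```

Scanning for blocks by label, rather than requiring the data to start or end with a certificate line, is what makes both orderings parse the same way.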

     
