Installing Origin CA certificate on Raspberry Pi

I have a LAMP setup on a Raspberry Pi and I am trying to secure my websites with SSL. At the moment I have two websites in a multiple virtual host setting on Apache; one of them is a static website that I coded from scratch, while the other uses WordPress (and so is also connected to a MySQL database and PHP, if that is of any relevance).

I am following Step 2 of this guide by Cloudflare, which then refers to this other page for specific instructions on Apache2 by DigiCert.

I have some questions about each of the steps described in the second guide:

  1. The guide describes how to upload the DigiCert certificates, and refers to an intermediate certificate (DigiCertCA.crt), a primary certificate (your_domain_name.crt), and a .key file.
    From what I understand, what DigiCert calls a primary certificate corresponds to what Cloudflare calls Origin Certificate (mydomain.pem), and the .key file is my private key (mydomain.pem.key). What is the intermediate certificate, then? Do I need one?
    (Is it Cloudflare Origin CA root certificate? Since there are two available, which should I pick? Should I pick the cloudflare_origin_rsa.pem, since I chose RSA as private key type when creating the Origin CA certificate on my dashboard?)

  2. The guide says to copy the three files “to the directory on the server where you keep your certificate and key files.” I guess I could copy them wherever I want, but is there a standard or suggested location where I should put them?

DigiCert doesn't play any role here. You only configure the certificate, the key, and if necessary the root certificate. That's it.

Thank you @sandro.
Cloudflare’s own guide refers to DigiCert’s and I was trying to understand which files correspond to which, since I see that Cloudflare and DigiCert use different naming. I need to make sure I have it right, otherwise I cannot configure my Apache VirtualHost correctly.

To put it in different words, are these equivalences correct? (what I find in the guide is on the left side, and what Cloudflare provides is on the right)

  • Primary certificate (your_domain_name.crt) = origin certificate (mydomain.pem)
  • .key file = private key (mydomain.pem.key)
  • Intermediate certificate (DigiCertCA.crt) = root certificate (cloudflare_origin_rsa.pem)

Also, any suggestion on where it would be best to copy them on the server?

That should be about right. You have three components (key, certificate, and root), out of which you definitely need the first two, possibly also the root certificate, but that depends on what your webserver actually requires.

I am not sure about your question how to copy them to the server. You can do that in any way available to you, if you have shell access you can even paste the few lines of text.

You essentially just need the files on the server, in the right directory, with the correct file permissions for the web server, and all of that configured in your server. Then you should be good to go.

Having said all of that, server administration is not exactly the purpose of the forum, however, I am afraid. So StackExchange is probably better suited for these questions. :slight_smile:

I was able to secure my website. Indeed, this might not be the right place for such questions; however, here is the solution, in case some other user looks for it in the future.

As regards my question about the best location for certificates, “the preferred way to get local certificate files into the trusted store is to put them into /usr/local/share/ca-certificates, and then run [sudo] update-ca-certificates. You do not need to touch /etc/ssl/certs directly.”

That works for the primary certificate (in my case, mydomain.pem, downloaded from the dashboard) and the root certificate (cloudflare_origin_rsa.pem). However, my setup (apache2 on raspbian) does not seem to require the root certificate.

The private key (mydomain.key, also downloaded from dashboard) can be directly copied to /etc/ssl/private.

However, one can install certificates wherever. For example, I had found an answer that placed the certificates in /etc/apache2/ssl and the private keys in /etc/apache2/ssl/private (detailed instructions here).
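
A pre-flight check for the files discussed in this thread, as an added example that is not part of any post: it confirms that the private key belongs to the origin certificate, that the certificate has not expired, and that the key file is not readable by group or other. The function names and the `sample.pem`/`sample.key` pair are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate / private key pair before
# Apache's SSLCertificateFile and SSLCertificateKeyFile are pointed at them.

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key; "-passin pass:" makes an
# encrypted key fail instead of prompting for a passphrase.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# True when the key file grants nothing to group or other.
# Characters 5-10 of `ls -l` output are the group and other permission bits.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Prints "ok" and returns 0, or prints the problem and returns:
#   1 key/certificate mismatch, 2 unreadable file, 3 expired, 4 loose key mode
check_origin_pair() {
    cert=$1 key=$2
    cpub=$(cert_pubkey "$cert") || { echo "unreadable certificate: $cert"; return 2; }
    kpub=$(key_pubkey "$key")   || { echo "unreadable private key: $key"; return 2; }
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
        { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 3; }
    key_is_private "$key" ||
        { echo "private key is readable by group or other"; return 4; }
    echo "ok"
}

# Constructed sample input: a throwaway self-signed pair written to directory $1,
# standing in for the certificate and key downloaded from the dashboard.
make_sample_pair() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
          -keyout "$1/sample.key" -out "$1/sample.pem" >/dev/null 2>&1 )
}
```

Run it as `check_origin_pair mydomain.pem mydomain.key` with the real paths; a failure here usually surfaces otherwise only as Apache refusing to start.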