When working with SSL/TLS configurations, you'll typically encounter these key files:
- SSLCertificateFile - Your domain's public certificate
- SSLCertificateKeyFile - The private key (should be kept secure)
- SSLCertificateChainFile - Intermediate certificates
- SSLCACertificateFile - Root CA certificates
The proper sequence for combining certificates into a single PEM file is crucial:
- Private Key (typically with .key extension)
- Primary Certificate (your_domain.crt)
- Intermediate Certificates (in order of chaining)
- Root Certificate
Example command:
cat private.key domain.crt intermediate.crt root.crt > combined.pem
Here's how to convert typical Apache SSL configurations to a SimpleSAMLphp-compatible PEM:
# Combine in correct order
cat /etc/apache2/ssl/example.com.key \
    /etc/apache2/ssl/example.com.crt \
    /etc/apache2/ssl/intermediate_bundle.crt \
    /etc/apache2/ssl/root_ca.crt > /var/simplesamlphp/cert/combined.pem

# Set proper permissions
chmod 640 /var/simplesamlphp/cert/combined.pem
chown www-data:www-data /var/simplesamlphp/cert/combined.pem
Always verify your combined PEM file:
openssl verify -CAfile combined.pem domain.crt
Common pitfalls:
- Including the private key is optional - some applications require it separate
- Duplicate certificates cause validation failures
- Wrong file permissions can prevent services from reading the file
- Windows line endings (CRLF) can break some implementations
For non-PEM format sources, use OpenSSL to convert first:
# Convert PKCS#12 to PEM
openssl pkcs12 -in certificate.pfx -out combined.pem -nodes

# Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
When working with SSL/TLS certificates in Apache or SimpleSAMLphp, you typically deal with four key files:
- SSLCertificateFile - Your domain's primary certificate
- SSLCertificateKeyFile - The private key for your certificate
- SSLCertificateChainFile - Intermediate certificates
- SSLCACertificateFile - Root CA certificates
The order of certificates in a combined PEM file is crucial for proper validation. Here's the correct sequence:
# Private Key (must come first)
-----BEGIN PRIVATE KEY-----
[Your private key content]
-----END PRIVATE KEY-----
# Primary Certificate
-----BEGIN CERTIFICATE-----
[Your domain certificate]
-----END CERTIFICATE-----
# Intermediate Certificates (from most specific to least)
-----BEGIN CERTIFICATE-----
[Intermediate CA 1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA 2]
-----END CERTIFICATE-----
# Root Certificate (optional, usually not needed)
-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----
Here's how to combine them using command line:
# Combine files in the correct order
cat private.key domain.crt intermediate1.crt intermediate2.crt > combined.pem
# For SimpleSAMLphp specifically (often requires only cert + intermediates)
cat domain.crt intermediate1.crt intermediate2.crt > sp.pem
After creating your combined PEM file, verify its contents:
openssl x509 -in combined.pem -text -noout # View certificate details
openssl rsa -in combined.pem -check -noout # Verify private key (if included)
For SimpleSAMLphp configuration, you would typically reference this file in config/authsources.php:

$config = array(
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        // Alternatively, with the combined file (replace the two entries above;
        // repeating the keys in the same array would silently override them):
        // 'privatekey' => 'combined.pem',
        // 'certificate' => 'combined.pem',
    ),
);
When combining certificates:
- Ensure file permissions are secure (600 for private keys)
- Never expose private keys in public repositories
- Test the configuration using the SSL Labs server tester
- Consider using separate files for better key management
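Both answers above describe the same procedure: put the private key first, then the domain certificate, then its issuers, and check the result for duplicate certificates and Windows line endings. The script below is an added example, not code from either answer or from the SimpleSAMLphp project. It uses only the Python standard library, so it checks the structure of a combined PEM (block types, key first, exactly one key, no duplicate certificates, no CRLF, no passphrase-protected key) and splits a bundle back into the separate key, certificate and chain files that applications like SimpleSAMLphp often want. The function names and the sample bundles are my own; the sample bodies are constructed placeholder bytes rather than real DER, so this does not replace `openssl verify` for chain validation or `openssl rsa -check` for key sanity.

```python
"""Lint a combined PEM bundle and split it into separate key/cert/chain files.

Standard library only: this checks the *structure* of the bundle (block
types, order, duplicates, CRLF line endings, encrypted keys).  It does not
validate signatures or that the key matches the certificate; use
`openssl verify` and `openssl rsa -check` for that.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Tuple

# One PEM block: captures the label and the base64 body between the armor lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, der_bytes)] for every PEM block, in order of appearance."""
    blocks = []
    for n, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block #{n} ({label}) is not valid base64: {exc}") from None
        blocks.append((label, der))
    return blocks


def to_pem(label: str, der: bytes) -> str:
    """Re-armor DER bytes as a PEM block with LF line endings and 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def lint_bundle(text: str, key_required: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the bundle looks well-formed."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings present (run dos2unix or sed -i 's/\\r$//')")
    if not text.endswith("\n"):
        problems.append("no trailing newline after the last block")
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return problems + [str(exc)]
    if not blocks:
        return problems + ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if key_required and not key_positions:
        problems.append("no private key block")
    if len(key_positions) > 1:
        problems.append("more than one private key block")
    if key_positions and key_positions[0] != 0:
        problems.append("private key is not the first block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is passphrase-protected; daemons usually need it unencrypted (-nodes)")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block")
    seen: Dict[str, int] = {}  # sha256(DER) -> 1-based position of first occurrence
    for i, der in enumerate(certs, start=1):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            problems.append(f"certificate #{i} duplicates certificate #{seen[fp]} (sha256 {fp[:16]}...)")
        else:
            seen[fp] = i
    for label in sorted(set(labels) - KEY_LABELS - {"CERTIFICATE"}):
        problems.append(f"unexpected block type {label!r}")
    return problems


def split_bundle(text: str) -> Dict[str, str]:
    """Split a key-first bundle into 'key', 'cert' (first certificate) and 'chain' (the rest)."""
    blocks = parse_pem(text)
    keys = [to_pem(label, der) for label, der in blocks if label in KEY_LABELS]
    certs = [to_pem(label, der) for label, der in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("expected exactly one private key and at least one certificate")
    return {"key": keys[0], "cert": certs[0], "chain": "".join(certs[1:])}


# Constructed sample data: the bodies are placeholder bytes, not real DER, so the
# linter runs offline.  Real bundles carry openssl-generated ASN.1 here.
KEY_PEM = to_pem("PRIVATE KEY", b"constructed private key placeholder")
LEAF_PEM = to_pem("CERTIFICATE", b"constructed leaf certificate placeholder")
INTER_PEM = to_pem("CERTIFICATE", b"constructed intermediate CA placeholder")
GOOD_BUNDLE = KEY_PEM + LEAF_PEM + INTER_PEM  # key, leaf, issuer
# Key not first, intermediate duplicated, and CRLF line endings as from a Windows editor.
BAD_BUNDLE = (LEAF_PEM + KEY_PEM + INTER_PEM + INTER_PEM).replace("\n", "\r\n")

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        problems = lint_bundle(bundle)
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  -", p)
    for part, pem in split_bundle(GOOD_BUNDLE).items():
        print(f"{part}: {pem.count('-----BEGIN')} block(s)")
```

Run it against a real bundle by reading the file into `lint_bundle`, then write the three parts from `split_bundle` out as `sp.pem` (key), `sp.crt` (certificate) and a chain file when the application wants them separate; the linter only reports structural faults, so keep `openssl verify -untrusted chain.pem -CAfile root.pem sp.crt` as the final check.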