Rename ssl cert/key/ca file names for better understanding with LetsEncrypt.

2017-10-13 08:53:42 +08:00 · 2017-10-13 08:53:42 +08:00 · 7d867d25e2
parent cca66fdb10
commit 7d867d25e2
2 changed files with 58 additions and 58 deletions
--- a/en_US/howto/use.a.bought.ssl.certificate.md
+++ b/en_US/howto/use.a.bought.ssl.certificate.md
@ -34,12 +34,12 @@ key and signing request file on your server with `openssl` command:
    Do NOT use key length smaller than `2048` bit, it's insecure.

 ```
-# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
+# openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr
 ```

 This command will generate two files:

-* `server.key`: the private key for the decryption of your SSL certificate.
+* `privkey.pem`: the private key for the decryption of your SSL certificate.
 * `server.csr`: the certificate signing request (CSR) file used to apply
  for your SSL certificate. __This file is required by SSL certificate
  provider.__
@ -66,22 +66,22 @@ specified during enrollment. For example, a certificate for the domain
 or `secure.domain.com`, because `www.domain.com` and `secure.domain.com` are
 different from `domain.com`.

-Now you have two files: `server.key` and `server.csr`. Go to the website of
+Now you have two files: `privkey.pem` and `server.csr`. Go to the website of
 your preferred SSL privider, it will ask you to upload `server.csr` file to
 issue an SSL certificate.

 Usually, SSL provider will give you 2 files:

-* server.crt
-* server.ca-bundle
+* cert.pem
+* fullchain.pem (some SSL providers use name `server.ca-bundle`)

-We need above 2 files, and `server.key`. Upload them to your server, you can
+We need above 2 files, and `privkey.pem`. Upload them to your server, you can
 store them in any directory you like, recommended directories are:

-* on RHEL/CentOS: `server.crt` and `server.ca-bundle` should be placed under
-  `/etc/pki/tls/certs/`, `server.key` should be `/etc/pki/tls/private/`.
-* on Debian/Ubuntu, FreeBSD: `server.crt` and `server.ca-bundle` should be
-  placed under `/etc/ssl/certs/`, `server.key` should be `/etc/ssl/private/`.
+* on RHEL/CentOS: `cert.pem` and `fullchain.pem` should be placed under
+  `/etc/pki/tls/certs/`, `privkey.pem` should be `/etc/pki/tls/private/`.
+* on Debian/Ubuntu, FreeBSD: `cert.pem` and `fullchain.pem` should be
+  placed under `/etc/ssl/certs/`, `privkey.pem` should be `/etc/ssl/private/`.
 * on OpenBSD: `/etc/ssl/`.

 ## Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate
@ -93,9 +93,9 @@ one on your server according to above description.

 We can use `postconf` command to update SSL related settings directly:
 ```
-postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
-postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
-postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
+postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem'
+postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem'
+postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem'
 ```

 Restarting Postfix service is required.
@ -108,9 +108,9 @@ SSL certificate settings are defined in Dovecot main config file,

 ```
 ssl = required
-ssl_cert = </etc/pki/tls/certs/server.crt
-ssl_key = </etc/pki/tls/private/server.key
-ssl_ca = </etc/pki/tls/certs/server.ca-bundle
+ssl_cert = </etc/pki/tls/certs/cert.pem
+ssl_key = </etc/pki/tls/private/privkey.pem
+ssl_ca = </etc/pki/tls/certs/fullchain.pem
 ```

 Restarting Dovecot service is required.
@ -130,9 +130,9 @@ Restarting Dovecot service is required.
 Example:

 ```
-SSLCertificateFile /etc/pki/tls/certs/server.crt
-SSLCertificateKeyFile /etc/pki/tls/private/server.key
-SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
+SSLCertificateFile /etc/pki/tls/certs/cert.pem
+SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
+SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem
 ```

 Restarting Apache service is required.
@ -147,8 +147,8 @@ server {
    listen 443;
    ...
    ssl on;
-    ssl_certificate /etc/pki/tls/certs/server.crt;
-    ssl_certificate_key /etc/pki/tls/private/server.key;
+    ssl_certificate /etc/pki/tls/certs/cert.pem;
+    ssl_certificate_key /etc/pki/tls/private/privkey.pem;
    ...
 }
 ```
@ -165,7 +165,7 @@ certificates in the combined file:

 ```
 # cd /etc/pki/tls/certs/
-# cat server.crt server.ca-bundle > server.chained.crt
+# cat cert.pem fullchain.pem > server.chained.crt
 ```

 Then update `ssl_certificate` parameter in `/etc/nginx/conf.d/default.conf`:
@ -189,9 +189,9 @@ Restarting Nginx service is required.
 ```
 [mysqld]

-ssl-ca = /etc/pki/tls/certs/server.ca-bundle
-ssl-cert = /etc/pki/tls/certs/server.crt
-ssl-key = /etc/pki/tls/private/server.key
+ssl-ca = /etc/pki/tls/certs/fullchain.pem
+ssl-cert = /etc/pki/tls/certs/cert.pem
+ssl-key = /etc/pki/tls/private/privkey.pem
 ```

 ### OpenLDAP
@ -205,9 +205,9 @@ ssl-key = /etc/pki/tls/private/server.key
 * On OpenBSD, it's defined in `/etc/openldap/slapd.conf`.

 ```
-TLSCACertificateFile /etc/pki/tls/certs/server.ca-bundle
-TLSCertificateFile /etc/pki/tls/certs/server.crt
-TLSCertificateKeyFile /etc/pki/tls/private/server.key
+TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
+TLSCertificateFile /etc/pki/tls/certs/cert.pem
+TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
 ```

 Restarting OpenLDAP service is required.
@ -223,7 +223,7 @@ error message like `Peer's Certificate issuer is not recognized`.
 * On OpenBSD, it's defined in `/etc/openldap/ldap.conf`.

 ```
-TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+TLS_CACERT /etc/pki/tls/certs/fullchain.pem
 ```

 To connect with TLS, please run `ldapsearch` with argument `-Z` and use
--- a/html/use.a.bought.ssl.certificate.html
+++ b/html/use.a.bought.ssl.certificate.html
@ -68,12 +68,12 @@ key and signing request file on your server with <code>openssl</code> command:</
 <p class="admonition-title">Warning</p>
 <p>Do NOT use key length smaller than <code>2048</code> bit, it's insecure.</p>
 </div>
-<pre><code># openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
+<pre><code># openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr
 </code></pre>

 <p>This command will generate two files:</p>
 <ul>
-<li><code>server.key</code>: the private key for the decryption of your SSL certificate.</li>
+<li><code>privkey.pem</code>: the private key for the decryption of your SSL certificate.</li>
 <li><code>server.csr</code>: the certificate signing request (CSR) file used to apply
  for your SSL certificate. <strong>This file is required by SSL certificate
  provider.</strong></li>
@ -99,21 +99,21 @@ specified during enrollment. For example, a certificate for the domain
 <code>domain.com</code> will receive a warning if accessing a site named <code>www.domain.com</code>
 or <code>secure.domain.com</code>, because <code>www.domain.com</code> and <code>secure.domain.com</code> are
 different from <code>domain.com</code>.</p>
-<p>Now you have two files: <code>server.key</code> and <code>server.csr</code>. Go to the website of
+<p>Now you have two files: <code>privkey.pem</code> and <code>server.csr</code>. Go to the website of
 your preferred SSL privider, it will ask you to upload <code>server.csr</code> file to
 issue an SSL certificate.</p>
 <p>Usually, SSL provider will give you 2 files:</p>
 <ul>
-<li>server.crt</li>
-<li>server.ca-bundle</li>
+<li>cert.pem</li>
+<li>fullchain.pem (some SSL providers use name <code>server.ca-bundle</code>)</li>
 </ul>
-<p>We need above 2 files, and <code>server.key</code>. Upload them to your server, you can
+<p>We need above 2 files, and <code>privkey.pem</code>. Upload them to your server, you can
 store them in any directory you like, recommended directories are:</p>
 <ul>
-<li>on RHEL/CentOS: <code>server.crt</code> and <code>server.ca-bundle</code> should be placed under
-  <code>/etc/pki/tls/certs/</code>, <code>server.key</code> should be <code>/etc/pki/tls/private/</code>.</li>
-<li>on Debian/Ubuntu, FreeBSD: <code>server.crt</code> and <code>server.ca-bundle</code> should be
-  placed under <code>/etc/ssl/certs/</code>, <code>server.key</code> should be <code>/etc/ssl/private/</code>.</li>
+<li>on RHEL/CentOS: <code>cert.pem</code> and <code>fullchain.pem</code> should be placed under
+  <code>/etc/pki/tls/certs/</code>, <code>privkey.pem</code> should be <code>/etc/pki/tls/private/</code>.</li>
+<li>on Debian/Ubuntu, FreeBSD: <code>cert.pem</code> and <code>fullchain.pem</code> should be
+  placed under <code>/etc/ssl/certs/</code>, <code>privkey.pem</code> should be <code>/etc/ssl/private/</code>.</li>
 <li>on OpenBSD: <code>/etc/ssl/</code>.</li>
 </ul>
 <h2 id="configure-postfixdovecotapachenginx-to-use-bought-ssl-certificate">Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate</h2>
@ -121,9 +121,9 @@ store them in any directory you like, recommended directories are:</p>
 one on your server according to above description.</p>
 <h3 id="postfix-smtp-server">Postfix (SMTP server)</h3>
 <p>We can use <code>postconf</code> command to update SSL related settings directly:</p>
-<pre><code>postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
-postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
-postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
+<pre><code>postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem'
+postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem'
+postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem'
 </code></pre>

 <p>Restarting Postfix service is required.</p>
@ -132,9 +132,9 @@ postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
 <code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
 <code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD):</p>
 <pre><code>ssl = required
-ssl_cert = &lt;/etc/pki/tls/certs/server.crt
-ssl_key = &lt;/etc/pki/tls/private/server.key
-ssl_ca = &lt;/etc/pki/tls/certs/server.ca-bundle
+ssl_cert = &lt;/etc/pki/tls/certs/cert.pem
+ssl_key = &lt;/etc/pki/tls/private/privkey.pem
+ssl_ca = &lt;/etc/pki/tls/certs/fullchain.pem
 </code></pre>

 <p>Restarting Dovecot service is required.</p>
@ -151,9 +151,9 @@ ssl_ca = &lt;/etc/pki/tls/certs/server.ca-bundle
  ship Apache anymore.</li>
 </ul>
 <p>Example:</p>
-<pre><code>SSLCertificateFile /etc/pki/tls/certs/server.crt
-SSLCertificateKeyFile /etc/pki/tls/private/server.key
-SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
+<pre><code>SSLCertificateFile /etc/pki/tls/certs/cert.pem
+SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
+SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem
 </code></pre>

 <p>Restarting Apache service is required.</p>
@ -166,8 +166,8 @@ SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
    listen 443;
    ...
    ssl on;
-    ssl_certificate /etc/pki/tls/certs/server.crt;
-    ssl_certificate_key /etc/pki/tls/private/server.key;
+    ssl_certificate /etc/pki/tls/certs/cert.pem;
+    ssl_certificate_key /etc/pki/tls/private/privkey.pem;
    ...
 }
 </code></pre>
@ -182,7 +182,7 @@ bundle of chained certificates which should be concatenated to the signed
 server certificate. The server certificate must appear before the chained
 certificates in the combined file:</p>
 <pre><code># cd /etc/pki/tls/certs/
-# cat server.crt server.ca-bundle &gt; server.chained.crt
+# cat cert.pem fullchain.pem &gt; server.chained.crt
 </code></pre>

 <p>Then update <code>ssl_certificate</code> parameter in <code>/etc/nginx/conf.d/default.conf</code>:</p>
@ -206,9 +206,9 @@ network, this is OPTIONAL.</p>
 </ul>
 <pre><code>[mysqld]

-ssl-ca = /etc/pki/tls/certs/server.ca-bundle
-ssl-cert = /etc/pki/tls/certs/server.crt
-ssl-key = /etc/pki/tls/private/server.key
+ssl-ca = /etc/pki/tls/certs/fullchain.pem
+ssl-cert = /etc/pki/tls/certs/cert.pem
+ssl-key = /etc/pki/tls/private/privkey.pem
 </code></pre>

 <h3 id="openldap">OpenLDAP</h3>
@ -222,9 +222,9 @@ network, this is OPTIONAL.</p>
 <li>On FreeBSD, it's defined in <code>/usr/local/etc/openldap/slapd.conf</code>.</li>
 <li>On OpenBSD, it's defined in <code>/etc/openldap/slapd.conf</code>.</li>
 </ul>
-<pre><code>TLSCACertificateFile /etc/pki/tls/certs/server.ca-bundle
-TLSCertificateFile /etc/pki/tls/certs/server.crt
-TLSCertificateKeyFile /etc/pki/tls/private/server.key
+<pre><code>TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
+TLSCertificateFile /etc/pki/tls/certs/cert.pem
+TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
 </code></pre>

 <p>Restarting OpenLDAP service is required.</p>
@ -238,7 +238,7 @@ error message like <code>Peer's Certificate issuer is not recognized</code>.</p>
 <li>On FreeBSD, it's defined in <code>/usr/local/etc/openldap/ldap.conf</code>.</li>
 <li>On OpenBSD, it's defined in <code>/etc/openldap/ldap.conf</code>.</li>
 </ul>
-<pre><code>TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+<pre><code>TLS_CACERT /etc/pki/tls/certs/fullchain.pem
 </code></pre>

 <p>To connect with TLS, please run <code>ldapsearch</code> with argument <code>-Z</code> and use