Posted to users@httpd.apache.org by "sieger007@gmail.com" <si...@gmail.com> on 2009/11/16 21:48:36 UTC

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Thank you friends. This SSL stuff drives me nuts.
Just to clarify, I had sent a certificate request with xyz.abc.com
<http://cmsevalspry.house.gov/> as the common name. I got back a
certificate with *.abc.com as the common name from the CA. Can I still use
the same key or is it a mismatch?

On Mon, Nov 16, 2009 at 6:17 AM, Mark Watts <m....@eris.qinetiq.com> wrote:

> On Sun, 2009-11-15 at 23:05 -0800, sieger007@gmail.com wrote:
> > Hello Friends
> >
> >
> > I'm trying to figure out why I cannot install a SSL certificate that
> > I'd been given. Using openssl, I looked at the key file that was
> > generated by openssl, and the corresponding certificate file that was
> > returned by the CA.
>
> I assume you did the following:
>
> 1) Generate a key:
>
>        $ openssl genrsa -out www.example.com-key 2048
>        Generating RSA private key, 2048 bit long modulus
>        ..............................................+++
>        ....+++
>        e is 65537 (0x10001)
>
> 2) Generate a Certificate Signing Request (CSR):
>
>        $ openssl req -new -key www.example.com-key -out www.example.com-csr
>        You are about to be asked to enter information that will be incorporated
>        into your certificate request.
>        What you are about to enter is what is called a Distinguished Name or a DN.
>        There are quite a few fields but you can leave some blank
>        For some fields there will be a default value,
>        If you enter '.', the field will be left blank.
>        -----
>        Country Name (2 letter code) [GB]:
>        State or Province Name (full name) [Berkshire]:Greater London
>        Locality Name (eg, city) [Newbury]:London
>        Organization Name (eg, company) [My Company Ltd]:Acme Websites Ltd.
>        Organizational Unit Name (eg, section) []: <Leave blank>
>        Common Name (eg, your name or your server's hostname) []:www.example.com
>        Email Address []: <Leave blank>
>
>        Please enter the following 'extra' attributes
>        to be sent with your certificate request
>        A challenge password []: <Leave blank>
>        An optional company name []: <Leave blank>
>
> 3) Buy a certificate:
>
>        Go to www.verisign.com (or wherever) and buy a certificate.
>        Upload the CSR file you generated when they ask for it.
>        Download the Certificate when they let you.
>
> 4) Setup an SSL Vhost:
>
>        <VirtualHost 0.0.0.0:443>
>         ServerName     "www.example.com"
>         SSLEngine      on
>         SSLCertificateFile     "/etc/httpd/conf/ssl/www.example.com-cert"
>         SSLCertificateKeyFile  "/etc/httpd/conf/ssl/www.example.com-key"
>         ...
>        </VirtualHost>
>
> If you are running SELinux, ensure the context is correct.
> Ensure both files are mode 400 and owned by root.
>
> This should be all you need to do, aside from any other mod_ssl
> configuration you need.
>
> Mark.
>
> --
> Mark Watts BSc RHCE MBCS
> Senior Systems Engineer, Managed Services Manpower
> www.QinetiQ.com
> QinetiQ - Delivering customer-focused solutions
> GPG Key: http://www.linux-corner.info/mwatts.gpg
>

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by Crypto Sal <cr...@gmail.com>.
On 11/17/2009 11:37 AM, sieger007@gmail.com wrote:
> Thanks a lot folks. I am getting some sort of handle here.
> The problem is, if I use the original key and the certificate that
> they give me, the web server does not start, I assume because the CN,
> OU, etc. do not match. I just want an SSL cert that works. So right now
> I use a self-signed CA. Now is there a concept of applying for a
> *Revoke* of an old CA before you apply for a new CA?
> Because if I give the CN as xyz.abc.com <http://xyz.abc.com> I get a
> certificate *.abc.com <http://abc.com>. Why should that be so?
> Thanks again
>
Hello,

Again, the only real thing that needs to match is the modulus on both
the key and certificate (outside of setting up a proper VHost, of
course). I assume you downloaded the wrong certificate from the CA (very
common). You could always generate a new key and CSR and send that CSR
to the CA, who then will send you a new certificate.
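
The modulus comparison described in this reply, as an added example that is not part of the original posts: a shell script around `openssl rsa`, `openssl req` and `openssl x509` with `-noout -modulus` that compares the private key, the certificate returned by the CA and, optionally, the CSR that was sent. The function names `modulus_of` and `check_pair` are made up for this example, and it assumes an unencrypted RSA key like the one from the `openssl genrsa` step quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). File names are whatever the caller passes;
# an unencrypted RSA key is assumed, as produced by "openssl genrsa".

# Print "Modulus=<hex>" for a private key, CSR or certificate.
# Non-zero exit status if openssl cannot parse the file.
modulus_of() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        csr)  openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
        cert) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# check_pair KEY CERT [CSR]
# Returns 0 if all inputs carry the same modulus, 1 on a mismatch,
# 2 if an input could not be parsed (missing file, wrong format).
check_pair() {
    k=$(modulus_of key "$1")  || return 2
    c=$(modulus_of cert "$2") || return 2
    [ -n "$k" ] || return 2
    [ "$k" = "$c" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(modulus_of csr "$3") || return 2
        [ "$k" = "$r" ] || return 1
    fi
    return 0
}

# Command-line use: sh check_pair.sh KEY CERT [CSR]
if [ "$#" -ge 2 ]; then
    rc=0
    check_pair "$@" || rc=$?
    case "$rc" in
        0) echo "OK: key, certificate (and CSR, if given) share one modulus" ;;
        1) echo "MISMATCH: the certificate was not issued for this key" ;;
        *) echo "ERROR: could not read one of the inputs" ;;
    esac
    exit "$rc"
fi
```

Exit status 1 with the original key means the file received from the CA was issued for a different key pair, whatever common name it carries.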

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by "sieger007@gmail.com" <si...@gmail.com>.
On Mon, Nov 16, 2009 at 8:41 PM, Crypto Sal <cr...@gmail.com> wrote:

>  In the future, please bottom post to the mailing list. It makes it much
> easier to read.
>
> Here's a great article on how to see if the modulus on the private key and
> the modulus on the certificate match.
>
> http://kb.wisc.edu/middleware/page.php?id=4064
>
> You may also want to read the openssl man pages.
>
>
>
>
>
> On 11/16/2009 07:46 PM, sieger007@gmail.com wrote:
>
> Thanks. What kind of changes do I need to make to the modules? I assume that
> is what you referred to by 'modulus matches on the private key and
> certificate file'.
> If you can shine some light on this 'modulus matches on the private key and
> certificate file'
> Thx
> Sam
>
> On Mon, Nov 16, 2009 at 2:27 PM, Crypto Sal <cr...@gmail.com> wrote:
>
>>  On 11/16/2009 03:48 PM, sieger007@gmail.com wrote:
>>
>> Thank you friends. This SSL stuff drives me nuts.
>> Just to clarify, I had sent a certificate request with xyz.abc.com <http://cmsevalspry.house.gov/> as the common name. I got back a certificate with *.abc.com as the common name from the CA. Can I still use the same key or
>> is it a mismatch?
>>
>>  Hello,
>>
>> As long as the modulus matches on the private key and certificate file,
>> yes it will still work.
>>
>
>
>
Thanks a lot folks. I am getting some sort of handle here.
The problem is, if I use the original key and the certificate that they give
me, the web server does not start, I assume because the CN, OU, etc. do not
match. I just want an SSL cert that works. So right now I use a self-signed
CA. Now is there a concept of applying for a *Revoke* of an old CA before you
apply for a new CA?
Because if I give the CN as xyz.abc.com I get a certificate *.abc.com. Why
should that be so?
Thanks again

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by Crypto Sal <cr...@gmail.com>.
In the future, please bottom post to the mailing list. It makes it much 
easier to read.

Here's a great article on how to see if the modulus on the private key 
and the modulus on the certificate match.

http://kb.wisc.edu/middleware/page.php?id=4064

You may also want to read the openssl man pages.




On 11/16/2009 07:46 PM, sieger007@gmail.com wrote:
> Thanks. What kind of changes do I need to make to the modules? I assume
> that is what you referred to by 'modulus matches on the private key
> and certificate file'.
> If you can shine some light on this 'modulus matches on the private
> key and certificate file'
> Thx
> Sam
>
> On Mon, Nov 16, 2009 at 2:27 PM, Crypto Sal <crypto.sal@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     On 11/16/2009 03:48 PM, sieger007@gmail.com
>     <ma...@gmail.com> wrote:
>>     Thank you friends. This SSL stuff drives me nuts .
>>     Just to clarify, I had sent a certificate request with
>>     xyz.abc.com <http://cmsevalspry.house.gov/> as the common name. I
>>     got back a certificate with *.abc.com <http://abc.com>  as the
>>     common name from the CA. Can I still use the same key or is it a
>>     mismatch?
>>
>     Hello,
>
>     As long as the modulus matches on the private key and certificate
>     file, yes it will still work.
>
>


Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by "sieger007@gmail.com" <si...@gmail.com>.
Thanks. What kind of changes do I need to make to the modules? I assume that
is what you referred to by 'modulus matches on the private key and
certificate file'.
If you can shine some light on this 'modulus matches on the private key and
certificate file'
Thx
Sam

On Mon, Nov 16, 2009 at 2:27 PM, Crypto Sal <cr...@gmail.com> wrote:

>  On 11/16/2009 03:48 PM, sieger007@gmail.com wrote:
>
> Thank you friends. This SSL stuff drives me nuts.
> Just to clarify, I had sent a certificate request with xyz.abc.com <http://cmsevalspry.house.gov/> as the common name. I got back a certificate with *.abc.com as the common name from the CA. Can I still use the same key or
> is it a mismatch?
>
>  Hello,
>
> As long as the modulus matches on the private key and certificate file, yes
> it will still work.
>

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by Crypto Sal <cr...@gmail.com>.
On 11/16/2009 03:48 PM, sieger007@gmail.com wrote:
> Thank you friends. This SSL stuff drives me nuts .
> Just to clarify, I had sent a certificate request with xyz.abc.com 
> <http://cmsevalspry.house.gov/> as the common name. I got back a 
> certificate with *.abc.com <http://abc.com>  as the common name from 
> the CA. Can I still use the same key or is it a mismatch?
>
Hello,

As long as the modulus matches on the private key and certificate file, 
yes it will still work.

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Going nuts over SSL..

Posted by Marcin 'Rambo' Roguski <ra...@id.uw.edu.pl>.
On Mon, 16 Nov 2009 12:48:36 -0800
"sieger007@gmail.com" <si...@gmail.com> wrote:

> *.abc.com  as the common name from the CA.
> Can I still use the same key or is it a mismatch?

Yes, although the wildcard for CN is not recommended,
though not so unusual either.
