Posted to users@httpd.apache.org by "sieger007@gmail.com" <si...@gmail.com> on 2009/11/16 08:05:31 UTC

[users@httpd] cannot install a SSL certificate : any idea folks ? Thanks

Hello Friends

I'm trying to figure out why I cannot install a SSL certificate that I'd
been given. Using openssl, I looked at the key file that was generated by
openssl, and the corresponding certificate file that was returned by the CA.

I noticed that the modulus part does not match. I think they have to match,
right?

*Key file*

modulus:
    00:b9:etc ...L2
    7f:1c:37:f7:...L3
   ..
    all the way to L9
publicExponent: 65537 (0x10001)


*Certificate file*

Modulus (1024 bit):
    l1
    l2
    all the way to l9
    but none of the lines L1 and l1 , L2 and l2 ever match

Exponent: 65537 (0x10001)


Also I noticed that the subject part does not match. This is the subject
line from the two files:

*Key file*

Subject: O=foo, OU=bar, CN=something.com


*Certificate file*

Subject: C=US, ST=<state name >, L=<value2>, O=<value3>OU=*.<value4>
CN=*.<value5>


Is this an issue? Should I request a new certificate with the same
subject line?

I'm not too familiar with how a certificate is generated from the
certificate request file, so any insight into the process would be
appreciated.


Thanks for your help folks
Sam

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Thanks

Posted by Mark Watts <m....@eris.qinetiq.com>.
On Sun, 2009-11-15 at 23:05 -0800, sieger007@gmail.com wrote:
> Hello Friends
> 
> 
> I'm trying to figure out why I cannot install a SSL certificate that
> I'd been given. Using openssl, I looked at the key file that was
> generated by openssl, and the corresponding certificate file that was
> returned by the CA.

I assume you did the following:

1) Generate a key:

        $ openssl genrsa -out www.example.com-key 2048
        Generating RSA private key, 2048 bit long modulus
        ..............................................+++
        ....+++
        e is 65537 (0x10001)

2) Generate a Certificate Signing Request (CSR):

        $ openssl req -new -key www.example.com-key -out www.example.com-csr
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [GB]:
        State or Province Name (full name) [Berkshire]:Greater London
        Locality Name (eg, city) [Newbury]:London
        Organization Name (eg, company) [My Company Ltd]:Acme Websites Ltd.
        Organizational Unit Name (eg, section) []: <Leave blank>
        Common Name (eg, your name or your server's hostname) []:www.example.com
        Email Address []: <Leave blank>
        
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []: <Leave blank>
        An optional company name []: <Leave blank>

3) Buy a certificate:

        Go to www.verisign.com (or wherever) and buy a certificate.
        Upload the CSR file you generated when they ask for it.
        Download the Certificate when they let you.
        
4) Setup an SSL Vhost:
        
        <VirtualHost 0.0.0.0:443>
         ServerName	"www.example.com"
         SSLEngine	on
         SSLCertificateFile	"/etc/httpd/conf/ssl/www.example.com-cert"
         SSLCertificateKeyFile	"/etc/httpd/conf/ssl/www.example.com-key"
         ...
        </VirtualHost>

If you are running SELinux, ensure the context is correct.
Ensure both files are mode 400 and owned by root.

This should be all you need to do, aside from any other mod_ssl
configuration you need.

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg

Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Thanks

Posted by Krist van Besien <kr...@gmail.com>.
On Mon, Nov 16, 2009 at 8:05 AM, sieger007@gmail.com
<si...@gmail.com> wrote:

> I'm trying to figure out why I cannot install a SSL certificate that I'd
> been given.

What did you exactly do, and what error messages did you receive, what
problems do you have? Just telling us that you have a problem is not
really sufficient.


> I'm not too familiar with how a certificate is generated from the
> certificate request file, so any insight into the process would be
> appreciated.

You create a key, then create a certificate signing request. This you
send  to your CA. It will come back with the CA's signature.

Your key doesn't have a "subject", but your certificate request does,
and if it doesn't match that of the signed certificate something went
wrong. Public key information must also match.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
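The modulus comparison Sam did by hand, and the "public key information must also match" point in Krist's reply, can be automated so the check is done on digests rather than by eyeballing nine lines of hex. The script below is an added example, not code from the thread or from the Apache project: it generates a key, a CSR and a certificate (self-signed here to stand in for the CA's copy), generates a second unrelated key, and reports whether each pair carries the same RSA modulus and whether the CSR and certificate subjects agree. The file names, the DN `/O=foo/OU=bar/CN=something.com` (taken from Sam's key-side subject) and the use of a self-signed certificate are assumptions for the demonstration; in practice you would point `key_matches` at the key Apache loads and the certificate the CA returned.

```shell
#!/bin/sh
# Added example (not part of the original thread): check that a private key, its CSR and
# the certificate the CA returned all carry the same RSA public key, and that the CSR and
# certificate subjects agree. Requires the openssl command-line tool.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# pubkey_digest FILE: print a SHA-256 digest of the RSA modulus found in a key, a CSR or a
# certificate. The PEM header selects the openssl subcommand that can read the file.
pubkey_digest() {
  f="$1"
  case "$(head -1 "$f")" in
    *"CERTIFICATE REQUEST"*) cmd="req" ;;
    *"CERTIFICATE"*)         cmd="x509" ;;
    *)                       cmd="rsa" ;;
  esac
  openssl "$cmd" -noout -modulus -in "$f" 2>/dev/null | openssl dgst -sha256 | sed 's/.*= *//'
}

# key_matches FILE_A FILE_B: print "match" when both files carry the same modulus, else
# "MISMATCH". A MISMATCH between key and certificate is exactly the failure Sam saw, and
# mod_ssl will refuse to start with such a pair.
key_matches() {
  if [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# subject_of FILE: print the DN carried by a CSR or a certificate. The CA normally copies
# the CSR subject into the certificate, so a different DN is a sign the wrong CSR was used.
subject_of() {
  case "$(head -1 "$1")" in
    *"CERTIFICATE REQUEST"*) openssl req  -noout -subject -in "$1" ;;
    *)                       openssl x509 -noout -subject -in "$1" ;;
  esac
}

# Constructed test material (assumption, not the poster's real files): key A with its CSR
# and a certificate issued for it, plus an unrelated key B that should fail the check.
make_material() {
  openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/a.key" -subj "/O=foo/OU=bar/CN=something.com" \
    -out "$WORK/a.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/a.csr" -signkey "$WORK/a.key" -days 1 \
    -out "$WORK/a.crt" 2>/dev/null
  openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null
}

make_material
echo "key A vs CSR A:   $(key_matches "$WORK/a.key" "$WORK/a.csr")"
echo "key A vs cert A:  $(key_matches "$WORK/a.key" "$WORK/a.crt")"
echo "key B vs cert A:  $(key_matches "$WORK/b.key" "$WORK/a.crt")"
echo "CSR subject:      $(subject_of "$WORK/a.csr")"
echo "cert subject:     $(subject_of "$WORK/a.crt")"
```

Run against real files, the first two lines should read `match` and the subjects should be identical; a `MISMATCH` means the certificate was issued against a different CSR (or the key on disk is not the one the CSR was made from), and a new CSR from the key Apache actually loads has to go back to the CA. After the files are in place, the permission advice in Mark's reply still applies: the key file should be mode 400 and owned by root so that only the process that reads it at startup can see it.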

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org