


Hi Everyone,

I originally posted this on PC Tech on 01/17/2012, but I haven't seen any activity on that list since my post, so I thought I'd try here. Although my situation has Apache running on Win 2003 server, I'm pretty sure the problem is with how I use OpenSSL, or my Apache configuration, which would be the same on the System i.

The self-signed certificate expired, so I generated a new one using OpenSSL as follows:

cd c:\data\websites\security

# create a private key (.key)
openssl genrsa -des3 -out mir-ca.org.key 2048

# remove the passphrase from the private key (.pem)
openssl rsa -in mir-ca.org.key -out mir-ca.org.pem

# generate a certificate signing request (.csr)
openssl req -new -key mir-ca.org.pem -config "C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf" -out mir-ca.org.csr

# create a self-signed certificate (.crt)
openssl x509 -req -days 3650 -in mir-ca.org.csr -signkey mir-ca.org.pem -out mir-ca.org.crt


Now when I try to start Apache, I get

[Tue Jan 17 10:40:39 2012] [error] Unable to configure RSA server private key
[Tue Jan 17 10:40:39 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I used

openssl req -noout -modulus -in %1.csr | openssl md5
openssl rsa -noout -modulus -in %1.key | openssl md5
openssl x509 -noout -modulus -in %1.crt | openssl md5
openssl rsa -noout -modulus -in %1.pem | openssl md5

openssl verify %1.crt

to compare the keys in the files, and got

6d225e8b11aee91bcf38788a42db58cd
6d225e8b11aee91bcf38788a42db58cd
6d225e8b11aee91bcf38788a42db58cd
6d225e8b11aee91bcf38788a42db58cd

mir-ca.org.crt: /C=US/ST=California/L=Redlands/O=Montessori In Redlands/CN=mir-ca.org/emailAddress=info@xxxxxxxxxxxxxxxxxxxxxxxx
error 18 at 0 depth lookup:self signed certificate


The Apache httpd.conf hasn't changed, nor has httpd-ssl.conf, which is Included by httpd.conf, and the latter has

SSLCertificateFile "C:/Data/Websites/Security/mir-ca.org.crt"
SSLCertificateKeyFile "C:/Data/Websites/Security/mir-ca.org.pem"
SSLCACertificatePath "C:/Data/Websites/Security"


I'm no expert at this stuff - what else should I be looking at? Am I doing something completely boneheaded?

--
Peter Dow
Dow Software Services, Inc.
909 793-9050
pdow@xxxxxxxxxxxxxxx
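
The key/certificate consistency check from the post above, as an added example that is not part of the original message: it builds two self-signed pairs with the same key, CSR and certificate steps, then compares the full public key rather than the RSA modulus hash. The file names, the subject and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names and the subject are constructed for the demo.

# Create <dir>/<name>.key, .csr and .crt with the same three steps as the post
# (key -> CSR -> self-signed certificate), without a passphrase.
make_selfsigned() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2.example.test" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
}

# Public key (PEM) embedded in a certificate / derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = certificate and key belong together, 1 = mismatch,
# 2 = one of the files could not be read or parsed.
# Comparing the whole public key also covers non-RSA keys (no modulus there).
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check one certificate against its own key and against an unrelated key.
demo() {
    d=$(mktemp -d) || return 2
    make_selfsigned "$d" a && make_selfsigned "$d" b || { rm -rf "$d"; return 2; }
    for key in a b; do
        if cert_matches_key "$d/a.crt" "$d/$key.key"; then
            echo "a.crt + $key.key: match"
        else
            echo "a.crt + $key.key: MISMATCH"
        fi
    done
    rm -rf "$d"
}

demo
```

Run the check against the exact paths named in `SSLCertificateFile` and `SSLCertificateKeyFile`, so that the files compared are the ones the server loads.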




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].