I'm running an Ubuntu 10.04 LTS server that has been running Apache2 with a self signed certificate up until now. I finally purchased a real certificate but I can't manage to install it. I received three files from the provider:
AddTrustExternalCARoot.crt
mynewdomain_com.crt
PositiveSSLCA2.crt
Currently in my sites-enabled/ssl I have this for my self signed certificate:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert.pem
So I googled how to convert crt files to pem and it just looks to be a concatenation of all the crt files. This is the guide I found that mostly matched what I'm using (I am using namecheap for my DNS now). So I created my new pem file, and pointed my config at it. When I run
service apache2 restart
the daemon fails to start. I figured that I must have put the crts in the wrong order, but it still fails to start. What am I doing wrong? How can I use my new certificate?
As for key files, I generated one called server.key (which was used to create my csr). It now resides in /etc/apache2/server.key
When starting apache I get these errors:
[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate CommonName (CN) `PositiveSSL CA 2' does NOT match server name!?
[Sat Mar 17 13:44:43 2012] [error] Unable to configure RSA server private key
[Sat Mar 17 13:44:43 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Can you provide information on how you generated the certificate?
You're missing the private key (probably a .key file) which was used to generate the .csr file that you sent to the certificate authority. That specific private key is required for Apache to be able to use the public key that you were given.
Edit:
With that key file, you'll need something like this added to your config:
Make sure that file is set to a permission mode where it's not viewable to everything on the server - mode 600 should be good.
If it won't start after that's added, let me know what errors come up (on the console or in the Apache error log).
With the .crt files that you got concatenated together, your Apache server should be sending full certificate chains properly; you can verify that it's working with openssl s_client -connect localhost:443 -showcerts.
RSA server certificate is a CA certificate means that you've specified your CA's cert as the certificate file, not yours (which was signed by the CA). You may want to try to change the path in SSLCertificateFile to the crt that was signed by the CA, not the CA cert itself.
Update: A bit more detailed explanation:
You should have 3 files:
1. Secret key (usually something with .key extension). This is the most important one. You should keep it secret and never ever send it to anyone. This file is actually used to encrypt data. You should specify the path to this file in the SSLCertificateKeyFile directive.
2. Certificate of your CA. This is the public certificate of the certificate authority that you've used to sign your public key. You should specify the path to this file in the SSLCACertificateFile directive.
3. Signed public key. This is the public part of your key which you've extracted from the key file (in the form of a certificate request) and sent to the CA for signing. You should specify the path to this file in the SSLCertificateFile directive.
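The two answers above boil down to two checks: the file in SSLCertificateFile must be the certificate issued for the private key in SSLCertificateKeyFile, and it must be the end-entity certificate rather than a CA certificate. Here is an added example (not code from this thread) that runs both checks with the openssl tool before you restart Apache; the directory, file names and the throwaway CA it builds are constructed test data.

```shell
#!/bin/sh
# Added example, not from this thread: sanity-check an Apache certificate/key
# pair before restarting. It reproduces the two conditions behind the errors
# quoted in the question: "key values mismatch" (SSLCertificateFile is not the
# certificate issued for SSLCertificateKeyFile) and "server certificate is a
# CA certificate" (a CA's .crt configured instead of the domain's signed .crt).
# Assumes only the openssl command-line tool; all test files are constructed.

# 0 if the certificate's public key is the public half of the private key.
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if the certificate is an end-entity (server) certificate; 1 if it carries
# BasicConstraints CA:TRUE and so belongs in the chain, not SSLCertificateFile.
cert_is_leaf() {
  ! openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Combined verdict for a config pair; prints the same diagnosis Apache logs.
check_apache_pair() {
  rc=0
  cert_is_leaf "$1" || { echo "$1: is a CA certificate, not your signed .crt"; rc=1; }
  cert_matches_key "$1" "$2" || { echo "$1: does not match $2 (key values mismatch)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "$1 and $2 belong together"
  return "$rc"
}

# Constructed test data: a throwaway CA and a CA-signed server certificate in
# directory $1 (ca.crt, ca.key, server.crt, server.key); hypothetical names.
make_test_pki() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleCA -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.com -config "$1/ca.cnf" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}

# Demo: the pair the question's config amounts to (CA cert + server key) fails
# both checks; the issued server certificate with its own key passes.
demo() {
  d=$(mktemp -d) && make_test_pki "$d" || return 1
  check_apache_pair "$d/ca.crt" "$d/server.key"
  check_apache_pair "$d/server.crt" "$d/server.key"
}
demo
```

Run it as `check_apache_pair /path/to/mynewdomain_com.crt /etc/apache2/server.key` against your real files; the concatenated chain file can still be handed to Apache separately once the leaf and key agree.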
I never requested a certificate from a "real" CA; in my tests I also created the CA.
But then, in the apache2 config I also configured the path where the CA cert is, so you may check that, just in case.