I are using a product from a vendor that has to use Apache on Windows.
We have our own CA.
For naming purposes:
AppServer - Server2012r2 - Apache 2.4
OldCertsha1 - Server2012r2
NewCertsha2 - Server2012r2
I created the CSR on the AppServer using the two commands below.
genrsa –des3 –out name.sub.domain.com.key 2048
req –new –key name.sub.domain.com.key –out name.sub.domain.com.csr
Thats all goes fine
req -noout -text -in name.sub.domain.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=name.sub.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
321:rf
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
aa:e4:b7:1d
Then on the CA server
Request a certificate
advanced certificate request.
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open the CSR on the AppServer and paste the CSR info in the box
-----BEGIN CERTIFICATE REQUEST-----
MIIC0zCCAbsCAQAwgY0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaWNoaWdhbjER
MA8GA1UEBxMIRGVhcmJvcm4xFjAUBgNVBAoTDWRmY3VmaW5hbmNpYWwxDDAKBgNV
BAsTA2l2cjEyMDAGA1UEAxMpcDAxMWRjMDEtY3JlYzAzLmNlbnRyYWwuZGZjdWZp
bmFuY2lhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCej1o0
EEq6UcgB4uhr9bYzA4u8pvxvaCE0JXCqW/8m8D2DBHnJFA2Ui4kEjQlKy1eRTfE0
6lRmowrsJVvvlz0pfsdfghksdkjfgsjskhgfksgfdfmjwHd1D/Bgg60AOPmUBIFl
rgaGcw9CasdkjlhaslkdjhsaklfjhdsfkhsldfjhsdlkjfhdlFOoGVtQdgticLqy
dzpLnAnqwezEnsdflsjhdfksdkfjhwsdkfjhLqKDx1b0z1n7tV4F8DS261dmm8+r
ONz9oYqZfdAFu55gG7sHgOn14P5gP2QIoV/c6CJ2hzbtlifKmZp2A+9F/csXTMIJ
w2sgfQzgv+UPEkH9AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAMwjmg96iCLnB
uTF4LOoeA788NAt9cYdsWuaUsHptnw70Mj5wWIiaZYgY0hCvWPezRsgOfFrWinN0
y4n0trlyEYXJquBKZbxJZ2yscNMqOJyKl70Ckb83IwpIdhxRYr0JZffEmFlx+2yv
4rhFquS3HZpWtCLopRroQx1v74bYGZHBiz2cM4peowzqGrs8r5NKYYqLRiH00VTs
GEEB+Rihen4tnrn0Y1KLkumrSOrTghIrpQ0j2MZrmvhAIlcZ0W+6bJQcbl0lQ3Hv
STaH9EyIj+47jpMhpfazRPOjSDdFiokjchVDS0Wj/iQJlNDurU7xd+570gduZfcF
M4YoMCwv7Q==
-----END CERTIFICATE REQUEST-----
Template Web Server (10 Years)
Here I get two Choices
DER encoded or Base 64 encoded
No matter which one I select It downloads a .cer and a .p7b file
I did the same steps on the OldCertsha1 server and I get the same results
When i Edit the httpd-ssl.conf file add the following and restart the Apache2.4 service
SSLCertificateFile "E:/Apache24/conf/Certs/name.sub.domain.com.crt"
SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"
I get the following errors, different errors for different types from the choices above (DER encoded or Base 64 encoded):
DER encoded:
[Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] (OS 10061)No connection could be made because the target machine actively refused it. : AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
[Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Wed Jan 11 08:37:44.471616 2017] [proxy_http:error] [pid 4804:tid 1780] [client ::1:61346] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://name.sub.domain.com/knoahsoft/faces/client/index1.jspx?_afPfm=5600447c
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Base 64 encoded:
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
I read a couple articles saying CER and CRT files are interchangeable just rename them.
If I rename the cer to crt and update httpd-ssl.conf then I get a lot of errors in the logs about 100 of these:
[Wed Jan 11 14:06:43.943865 2017] [autoindex:error] [pid 70976:tid 1784] [client 10.1.41.110:50933] AH01276: Cannot serve directory E:/KnoahSoft/EmpPhotos/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
Now the vendor put server.crt, server.cre, server.csr and server.key file that they loaded when the box was delivered, if i change the two lines in the httpd-ssl.conf back to what they had it will restart fine and everything works but I get the SSL warning
SSLCertificateFile "E:/Apache24/conf/Certs/server.crt"
SSLCertificateKeyFile "E:/Apache24/conf/Certs/server.key"
Can someone tell me what I might be doing wrong, if you need to see the configs just ask I will put them up.
Update:
I took their server.csr opened the CertSrv page on both OldCertsha1 and NewCertsha2, when i used the Web Server Web Server (10 year) template i got an error:
Your Request Id is 118. The disposition message is "Denied by Policy Module The certificate validity period will be shorter than the WebServer(10Years) Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period. ".
So then i tried the Web Server (5 year) same error then i tired the (Web Server) didnt get an error and download both the DER encoded or Base 64 encoded cer and p7b files.
Changed the Base 64 encoded server.cer to server.crt, renamed the old server.crt to server1.crt and restarted apache,
No error worked perfectly,
Why? What did I do wrong from the beginning?
This was my first time working with SSL and apache and using my own CA, what did I do wrong? The only think i can think of i used the Web Server (10 year) template but that really doesnt make sense to me.
If i view both crt files the both have same info
The certificate is intended for the following purposes
- Ensure the identity of a remote computer
Issued to: name.sub.domain.com
Issued by: OldCertsha1
The only real difference from the General tab is how long that are valid, the cst from my csr is valid for 10 years, the crt from their csr is valid for 2 years.
I will take a deeper looking into the other parts of the SSL and see if I can find differences tomorrow.
First, Apache will always use base64, file extensions are irrelevant (pem,crt,cer).
Second, you cannot issue a certificate for longer than the certificate authority.
10 years is a bit much, I wouldn't be surprised to see browsers begin to mark them as insecure.
If you still have the issued certs, you can validate them with openssl.
https://security.stackexchange.com/a/56699/84379
Base 64 everywhere, please :-).
Your httpd.conf line
is specifying an encrypted key file. Apache on Windows does not support suplying the decryption passphrase at runtime... See error log line:
You'll have to pre-decrypt your key file:
providing the passphrase when asked. Correct httpd.conf and restart Apache.