Apache cannot read certificate file

apache-2.2opensslssl-certificate

I use self-signed certificates with no issue but today I have tried to create a SSL certificate for commercial use. But apache doesn't start and gives the following error:

Notice: I have confirmed that crt file is valid as CSR decoder loads the content as well.

AH02241: Init: Unable to read server certificate from file XXXX/XXXX/XXXX.csr
SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509)
AH02312: Fatal error initialising mod_ssl, exiting.

Softwares: OpenSSL 1.0.1e 11 Feb 2013 , Apache HTTP 2.4.6

Best Answer

Looks like you are using CSR instead of the certificate file. Make sure you have created self-signed certificate with openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt and use the server.crt in the SSLCertificateFile setting in apache ssl config. If you are using a commercial signing authority you must use the certificate provided by the authority and not the signing request generated.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

SSL Certificate – How to View Details of a .cer File

OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.

openssl x509 -in cerfile.cer -noout -text

The format of the .CER file might require that you specify a different encoding format to be explicitly called out.

openssl x509 -inform pem -in cerfile.cer -noout -text

openssl x509 -inform der -in cerfile.cer -noout -text

On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.

On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

SSL Certificate – How to View Details of a .cer File

Related Topic