I have a signed CA, issued by my university. I generated my CSR using their public key file like so:
openssl genrsa -out myservername.key 2048   # new key
openssl req -new -key myservername.key -out myservername.csr
I sent them the CSR, they sent me back the signed .crt file.
I created a directory for my CA keys and certs and placed them in there.
The relevant part of my httpd.conf looks like this:
<VirtualHost _default_:443>
SSLEngine on
SSLCACertificateFile /var/cosign/certs/CA/publickey.pem
SSLCertificateFile /var/cosign/certs/myserver.crt
SSLCertificateKeyFile /var/cosign/certs/myserver.key
DocumentRoot /var/www/html/
<Directory /var/www/html>
Options -Indexes
AllowOverride All
</Directory>
</VirtualHost>
But it's not using this certificate for SSL. If I do this command:
openssl s_client -connect localhost:443 -showcerts
I get this:
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify return:1
---
Certificate chain
My CSR contained proper details, not this 'SomeState', 'SomeCity' nonsense which I'm guessing is a default.
The openssl module is installed, and loaded.
The only errors I get in logs are:
[Fri Jan 25 13:27:40 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 25 13:27:40 2013] [warn] RSA server certificate CommonName (CN) `portcharlotte' does NOT match server name!?
I'm guessing this mismatch is because it's using the wrong certificate.
My question is, how do I make it use the correct one? What am I missing?
Best Answer
Unless that PEM file actually contains the CA certificate for the client certificates you wish to grant access, this is incorrect; to provide apache with a certificate chain, use SSLCertificateChainFile instead. Apache must have the actual certificate and any intermediate certificates used to sign/produce the endpoint certificate, up to and including a root certificate that is trusted by browsers.
To verify the certificate they gave you, run:
Quite apart from the certificate issues, you're missing an SSLRequireSSL directive in your vhost; without it, apache will not check for a secure connection. You should also not use _default_ as the virtualhost, and you're missing a ServerName. Use either *:443 or IP:443 as the virtualhost.
Every vhost must have a valid ServerName set, and in addition, an SSL vhost must have a ServerName that corresponds to the certificate's CN.
For example:
Study the documentation for a bit.