Ssl – Can’t make httpd use correct SSL

certificate-authorityhttpdopensslsslssl-certificate

I have a signed CA, issued by my university. I generated my CSR using their public key file as so:

openssl genrsa -out myservername.key 2048 (new key)
openssl req -new -key myservername.key -out myservername.csr

I sent them the CSR, they sent me back the signed .crt file.

I created a directory for my CA keys and certs and placed them in there.

The relevent part of my httpd.conf looks like this:

<VirtualHost _default_:443>
SSLEngine on
SSLCACertificateFile /var/cosign/certs/CA/publickey.pem
SSLCertificateFile /var/cosign/certs/myserver.crt
SSLCertificateKeyFile /var/cosign/certs/myserver.key

DocumentRoot /var/www/html/
<Directory /var/www/html>
    Options -Indexes
    AllowOverride All
</Directory>

But it's not using this certificate for SSL. If I do this command:

openssl s_client -connect localhost:443 -showcerts

I get this:

CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU =     SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify return:1
---
Certificate chain

My CSR contained proper details, not this 'SomeState', 'SomeCity' nonsense which I'm guessing is a default.

The openssl module is installed, and loaded.

The only errors I get in logs are:

[Fri Jan 25 13:27:40 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 25 13:27:40 2013] [warn] RSA server certificate CommonName (CN) `portcharlotte' does NOT match server name!?

I'm guessing this mismatch is because it's using the wrong certificate.

My question is, how do I make it use the correct one? What am I missing?

Best Answer

SSLCACertificateFile /var/cosign/certs/CA/publickey.pem

Unless that PEM file actually contains the CA certificate for the client certificates you wish to grant access, this is incorrect; to provide apache with a certificate chain, use SSLCertificateChainFile instead.

Apache must have the actual certificate and any intermediate certificates used to sign/produce the endpoint certificate, up to and including a root certificate that is trusted by browsers.

To verify the certificate they gave you, run:

openssl verify -CApath /path/to/CA/certs -purpose sslserver -verbose /your/certificate

Quite apart from the certificate issues, you're missing an SSLRequireSSL directive in your vhost; without it, apache will not check for a secure connection.

You should also not use _default_ as the virtualhost, and you're missing a ServerName.
Use either *:443 or IP:443 as the virtualhost.

Every vhost must have a valid ServerName set, and in addition, an SSL vhost must have a ServerName that corresponds to the certificate's CN.

For example:

<VirtualHost 1.2.3.4:443>
  ServerName your.certificates.common.name
  ServerAlias any.subject.alternate.names

  DocumentRoot /your/protected/content

  SSLEngine On
  SSLCertificateChainFile /path/to/your/issuers/CA/cert/bundle

  SSLCertificateFile /path/to/your/certificate.crt
  SSLCertificateKeyfile /path/to/your/private.key
 -OR- 
  SSLCertificateFile /path/to/your/combined.cert-and-keyfile

  SSLRequireSSL

</VirtualHost>

Study the documentation for a bit.

Best Answer

Related Solutions

OpenVPN: self-signed certificate in chain

Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning

Related Topic