SSL – Issue while configuring certified SSL certificate

Tags: apache-2.2, ssl, ssl-certificate

I have got a nic signed certificate which I am trying to configure in my Apache server, without much luck :(. For this certificate to be generated, they needed a CSR from my side. I created the CSR using the following commands:

I created the keystore file first using this command:

keytool -genkey -alias generated -keyalg RSA -keysize 2048 -keystore generated.keystore

Then I generated the CSR from this keystore using the following command:

keytool -certreq -keyalg RSA -alias generated -file generated.csr -keystore generated.keystore

My CSR looked like:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC7jCCAdYCAQAwgagxCzAJBgNVBAYTAklOMRAwDgYDVQQIEwdNYW5pcHVyMQ8wDQYDVQQHEwZJ
bXBoYWwxNTAzBgNVBAoTLE1hbmlwdXIgU3RhdGUgSW5mb3JtYXRpb24gVGVjaG5vbG9neSBTb2Np
ZXR5MRkwFwYDVQQLDBBTUCBTU0RHICYgZUZvcm1zMSQwIgYDVQQDExt3d3cubWFuaXB1cnBvcnRh
......
......
bC5tbi5nb3YuaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRVxKwt/xCiAgGfuCs
ud5kcf+BKQURwKExLHUeUNQHpT1IMcx/is9anki+u3ijFbV1ei/ybgSRzFgesem+yTUutTYCgyqd
U7ZxJTuKmHDkZCVEBzGxl+Jl8AQxHHQzBI9PWuCBURR0q1eNeasfO3yWZpkRvK58uXf6vGZakYHZ
-----END NEW CERTIFICATE REQUEST-----

They have generated a certificate (.cer) file for this, which looks like:

-----BEGIN CERTIFICATE-----
......
......
fDpYOCBy87y4C6CrCaR9WMrAOP2PIazHZFKNjz0sng6TOVQ+SxBW0mmBWJamt2DJ
RoBV8pUPMvKmO6ptqklhWOYe4lIIbowhM9K7qyQR03ICiGwMuocj6IbGrJwdfgr1
CTm+L1Zs7UNMJvNxBXTZ41gd9tRazFdo5yAqKO4nPXys0oV6NAmFtUjix+sy6rkn
4O5pyizzRdB2ABcBbpn2yTEggerL2SBwxEwoD1WR3+b09UNZKMBDkHcd8HuJ3NpO
F4b5LXnKDXNG9ZKFUVxcDM70mD0YH/ypCthp/2aBFzV46yF73hqXaQwMNQY+dd+R
orWm8k2LfwFOxs5jqQ==
-----END CERTIFICATE-----

Apache configuration in the ssl.conf file:

SSLCertificateFile /etc/pki/tls/certs/signed.cer
SSLCertificateKeyFile /etc/pki/tls/private/generated.keystore

Now when I start Apache I get an error saying:

[Tue Jan 24 13:10:38 2012] [error] Init: Private key not found
[Tue Jan 24 13:10:38 2012] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Tue Jan 24 13:10:38 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Jan 24 13:10:38 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Jan 24 13:10:38 2012] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

Does anyone know what is the issue?

Best Answer

You need to convert the private key from the Java keystore format to the PEM format used by OpenSSL. With the keytool version from JDK >= 1.6 you can do it by first converting the keystore to the PKCS#12 format, and then extracting just the private key:

keytool -importkeystore -srckeystore generated.keystore -destkeystore generated.p12 -deststoretype PKCS12
openssl pkcs12 -in generated.p12 -out generated.pem -nocerts

This writes the private key file to generated.pem; then specify this file in the Apache configuration:

SSLCertificateKeyFile /etc/pki/tls/private/generated.pem

Because the private key file is encrypted with a password by default, every time you start Apache you will need to enter this password. You can either use SSLPassPhraseDialog to provide the password automatically, or just add the -nodes option to the openssl pkcs12 command to produce an unencrypted private key file.
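The conversion described in this answer, reproduced end to end as an added example (it is not the asker's or the answerer's code), together with the two checks a practitioner runs before restarting Apache: that the extracted key parses as PEM, and that it actually belongs to the certificate. It assumes no JDK is installed, so `openssl req -x509` and `openssl pkcs12 -export` stand in for the question's `keytool -genkey` and the answer's `keytool -importkeystore -deststoretype PKCS12`; the resulting `.p12` has the same format keytool writes. The subject name, the alias `generated`, the passphrase `changeit` and the scratch directory are made up for the demo, and the certificate is self-signed rather than CA-issued.

```shell
#!/bin/sh
# Added example, not from the original page. openssl only: no JDK assumed.
# Demo values (subject, alias, passphrase) are invented for this script.
set -eu

# Stand-in for the keystore: a fresh RSA key plus a self-signed cert,
# packed into a PKCS#12 file the way `keytool -importkeystore
# -deststoretype PKCS12` would produce it. $1 is a scratch directory.
make_keystore() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/orig-key.pem" -out "$dir/signed.cer" 2>/dev/null
    openssl pkcs12 -export -name generated -passout pass:changeit \
        -in "$dir/signed.cer" -inkey "$dir/orig-key.pem" \
        -out "$dir/generated.p12"
    rm -f "$dir/orig-key.pem"   # only the keystore survives, as in the question
}

# The failure mode from the question: mod_ssl reads SSLCertificateKeyFile
# as PEM, and a binary keystore (JKS there, PKCS#12 here) has no PEM armor,
# so the private key cannot be parsed. Returns 0 when the parse is refused.
keystore_is_not_pem() {
    if openssl pkey -inform PEM -in "$1/generated.p12" -noout \
            -passin pass: </dev/null 2>/dev/null; then
        return 1
    fi
    return 0
}

# The answer's fix: pull the key out of the PKCS#12 file unencrypted
# (-nocerts -nodes), then pass it through `openssl pkey` so the file
# holds only the PEM block, without the "Bag Attributes" preamble.
extract_key() {
    dir=$1
    openssl pkcs12 -in "$dir/generated.p12" -nocerts -nodes \
        -passin pass:changeit 2>/dev/null \
        | openssl pkey -out "$dir/generated.pem"
    chmod 600 "$dir/generated.pem"   # -nodes left it unencrypted: lock it down
}

# Key/certificate match check: the public key embedded in the certificate
# must equal the public half of the extracted private key. Prints MATCH
# or MISMATCH and returns 0 only on MATCH.
check_pair() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/signed.cer" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/generated.pem" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

# Whole procedure: build the keystore, show it is not usable as PEM,
# convert it, and verify the result. Prints MATCH on success.
convert_and_check() {
    dir=$1
    make_keystore "$dir"
    keystore_is_not_pem "$dir"
    extract_key "$dir"
    check_pair "$dir"
}

work=$(mktemp -d)
convert_and_check "$work"
echo "SSLCertificateFile    $work/signed.cer"
echo "SSLCertificateKeyFile $work/generated.pem"
```

Run it with `sh convert.sh`; it prints `MATCH` and the two directives to drop into ssl.conf, with the paths pointing at the scratch directory (substitute `/etc/pki/tls/...` on a real host). The public-key comparison is the check worth keeping: it catches the case where a second `keytool -genkey` or a wrong alias produced a key that does not belong to the CA-issued certificate, which Apache would otherwise reject at startup. Because `-nodes` writes the key in the clear, the file should be owned by root and mode 0600, as the script does; the alternative in the answer, SSLPassPhraseDialog with an encrypted key, trades that for a passphrase that must be supplied on every restart.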