I'm running an Ubuntu 10.04 LTS server that has been running Apache2 with a self-signed certificate up until now. I finally purchased a real certificate but I can't manage to install it. I received three files from the provider:
AddTrustExternalCARoot.crt
mynewdomain_com.crt
PositiveSSLCA2.crt
Currently in my sites-enabled/ssl I have this for my self-signed certificate:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert.pem
So I googled how to convert .crt files to .pem and it just looks to be a concatenation of all the .crt files. This is the guide I found that mostly matched what I'm using (I am using namecheap for my DNS now). So I created my new .pem file and pointed my config at it. When I run
service apache2 restart
the daemon fails to start. I figured that I must have put the .crt files in the wrong order, but it still fails to start. What am I doing wrong? How can I use my new certificate?
As for key files, I generated one called server.key (which was used to create my CSR). It now resides in /etc/apache2/server.key
When starting Apache I get these errors:
[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Mar 17 13:44:43 2012] [warn] RSA server certificate CommonName (CN) `PositiveSSL CA 2' does NOT match server name!?
[Sat Mar 17 13:44:43 2012] [error] Unable to configure RSA server private key
[Sat Mar 17 13:44:43 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Best Answer
Can you provide information on how you generated the certificate?
You're missing the private key (probably a .key file) which was used to generate the .csr file that you sent to the certificate authority. That specific private key is required for Apache to be able to use the public key that you were given.
Edit:
With that key file, you'll need something like this added to your config:
Make sure that file is set to a permission mode where it's not viewable to everything on the server - mode 600 should be good.
If it won't start after that's added, let me know what errors come up (on the console or in the Apache error log).
With the .crt files that you got concatenated together, your Apache server should be sending full certificate chains properly; you can verify that it's working with openssl s_client -connect localhost:443 -showcerts.