I'm currently installing a Comodo certificate from Cheapssls.com. Im getting the following error:
SSL Library Error: 185073780 error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
Im 100% sure the privatekey and the CSR are from the same generation
Im using the follinwg syntax:
SSLEngine on
SSLCertificateKeyFile /usr/local/apache/conf/x-x-nl-new.key
SSLCertificateFile /usr/local/apache/conf/x_x_nl.crt
SSLCertificateChainFile /usr/local/apache/conf/x_x_nl.ca-bundle
which is correct im my opinion.
Anyone suggestions?
Are your key on PEM format ?
It's needed by apache : https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLCertificateKeyFile
PEM is a Base64 encoded certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
You can check it with a simple file editor
Edit1:
You can also check that the modulus are the OK for that make a diff between Cert modulus and KEY modulus with this command.
# Change KEY and CERT by your file name
diff <(openssl rsa -in KEY -modulus -noout) <(openssl x509 -in CERT -modulus -noout)
You shouldn't have any out put, If you have some, the key and the certificate don't match.
Related
I have 4 certificates with the following extensions
_com-bundle.pem
_com.der
_com.p7b
_com.pem
In my internal tool i need to add the SSL Cert and SSL key.
How can i merge/extract the correct cert and key from the above extensions?
i've tried the bellow command
openssl x509 -inform DER -in *_com.pem -outform PEM -out cert.pem
but i've received and error that the key file is incorrect
I have a wildcard ssl certificate chain for *.mydomain.one.
The certificates are pem files and look like:
Thawte RSA CA 2018.pem
DigiCert Global Root CA.pem
mydomain.one.pem
With the following begin/ending:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
When I want to add a certificate to an Azure Gateway in the listener section it requires to be in pfx format.
So I tried to convert the files with openssl pkcs12.
openssl pkcs12 -export -nokeys -in mydomain.one.pem -certfile DigiCert_Global_Root_CA.pem -certfile Thawte\ RSA\ CA\ 2018.pem -out mydomain.pfx
When uploading to Azure it fails because the file has no private key.
I also tried using one of the pem files as private key which fails while the pfx creation.
So my question is if its even possible to create a valid pfx file from this pem files and if not where and how to get the private key?
I'm trying to generate a key to enable https on apache server under linux.
I took the certificat from godaddy that gave me .crt and .pem
I've tried to generate the key from the pem in many way:
openssl pkey -in foo.pem -out foo.key
openssl rsa -in foo.pem -out foo.key
Then I tried by an other way explain in some post I've found under stackoverflow
openssl rsa -in key.pem -out keyout.pem
and I always get this error message:
unable to load Private Key
139675415795008:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
Someone can explain to me what is my mistake and how to resolve it ?
Thanks a lot
I am trying to establish node to node encryption. I am following datastax online guidance available for ssl encryption on below link- https://docs.datastax.com/en/security/5.1/security/secSetUpSSLCert.html
as per the documentation i have skipped first two steps and followed from step-3.
so, I have created the keystore, using below command-
keytool -genkeypair -keyalg RSA -alias node1 -keystore cassandra.jks -storepass cass123 -keypass cass123 -validity 365 -keysize 2048 -dname "CN=host1, OU=cluster1, O=org, C=US"
after creating the keystore, here the public certificate authority have two level of encryption or certs. first is root.cert and another is intermediate.cert.
when i have checked through below command, intermediate.cert is signed or verifyed by root.cert.
openssl verify -CAfile root.cert intermediate.cert , Got OK in Response.
after than with keystore(cassandra.jks), i have raise the certificate signed request (CSR):
keytool -keystore cassandra.jks -alias node1 -certreq -file cassandra.csr -keypass cass123 -storepass cass123 -dname "CN=host1, OU=cluster1, O=org, C=US"
then after uploading this CSR file (cassandra.csr) to public certificate authority i got in response one Cert.cer file.
so, then i checked whether the Cert.cer file get signed by root.cert or not.
openssl verify -CAfile root.cert Cert.cer
Got unable to load certificate in Response, with error message-
140044398696338:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c707:Expecting TRUSTED CERTIFICATE
Even I have Checked the Cert.cer with intermediate.cert-- got the same above error message.
Is this mean the Cert.cer which i got in response to csr request in not properly signed by certificate authority.
So i have stopped further steps here, which needed for cassandra ssl implementation.
Please, let me know, if i miss something or doing in wrong manner. much appreciated all help and suggestions
This issue is resolved, due to platform issue certs generated have extras carriage characters ^M. after removing this and merging root and intermediate certs together it works fine.
I'm facing an issue in installing SSL certificate in IIS and below are the step before I got the certificate from my CA.
Generated a private key file using OpenSSL with: "openssl genrsa -out key_name.key 2048" command.
Generated .csr file with: "openssl req -out CSR.csr -key key_name.key -new -sha256" command.
Once I generated the CSR file, I provided the same CSR file to CA to get me certificate.
I got the certificate in .p7b format, which I converted to .cer format.
Installed certificate using "Complete certificate request" option in IIS.
Now the problem is that newly installed certificate vanishes from IIS after a refresh. I Googled this issue and understood that, it's happening so because there is no private key associated with certificate. My question is where the private key has gone?? I had created the CSR using the private key in step 1. Secondly, how do I over come this issue, I have to install the certificate anyhow. Please help.
You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request.
Instead, you need to use OpenSSL to generate a PFX file,
create a pfx file from a .cer and a .pem file
Then you can import it to IIS.
You might read this post for more details,
https://blog.lextudio.com/2015/06/the-whole-story-of-server-certificate-disappears-in-iis-77-588-510-0-after-installing-it-why/