LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 02-04-2017, 06:47 AM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Rep: Reputation: 39
Apache server won't start when configured to use an issued certificate


Hello --

We are running Apache 2.2.10 on a Fedora 10 64-bit virtual box. The server currently uses a self-signed certificate and key combination for secure access to the website. I received a request to implement a certificate from a public authority as a replacement.

I went through the motions of generating a new key along with a csr that was submitted via email to the authority. A return email was sent listing the url where I could download the cer file. This file was downloaded directly to the server. The file in question is an X509 Base64 encoded file with four (4) certificate sections. After that the file was renamed with the .crt extension, and copied in the ssl.crt directory. A similar action was done for the .key file in the ssl.key folder. The ssl.conf file was modified to reference the new files.

The /etc/init.d/httpd restart command was run, but the Apache server failed to start. The only way to get the server to start was to have it revert back to the private crt and key files.

I checked the log files: ssl_access, ssl_request, access, and error for entries that would indicate the problem, but there weren't any. The only thing that is apparent is the server will not run with the issued certificate.

Does anyone have an idea as to why this is occurring, and what steps need to be done to correct it? Thanks.
 
Old 02-04-2017, 07:23 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
Could be a number of things. Bad CA, bad key type, etc. Can you separate out the cert to a file mycert and post the output of:

Code:
openssl x509 -in mycert -text
 
Old 02-04-2017, 07:50 AM   #3
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
Hello --

Thank you for your reply. Per your instructions, the output of the file is the following:

Quote:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Validity
Not Before: May 30 10:48:38 2000 GMT
Not After : May 30 10:48:38 2020 GMT
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
5a:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
serial:01

Signature Algorithm: sha1WithRSAEncryption
b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
8f:4e:86:04
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 
Old 02-04-2017, 08:32 AM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
That's a CA certificate only, says https://www.sslshopper.com/certificate-decoder.html
 
Old 02-04-2017, 08:59 AM   #5
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
X509v3 Key Usage:
Certificate Sign, CRL Sign

Means this is not your web cert.
 
Old 02-04-2017, 09:20 AM   #6
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
I had better list the steps that I had taken, to determine what I probably did wrong:

1. I received an email indicating that enrollment was successful, and the SSL certificate had been issued for the host. The email listed several links to download the certificate in various formats. The formats listed were the following:

Quote:
X509, Base64 encoded
PKCS#7, Base64 encoded
PKCS#7 Bin Encoded
X509 Certificate only, Base64 encoded
X509 Intermediates/root only Base64 encoded
X509 Intermediates/root only Reverse, Base64 encoded
Each version of the certificate was saved in a different folder.

2. I copied the X509, Base64 encoded file to the appropriate folder, and changed the .cer suffix to the .crt ending. As mentioned previously, the .key file retained its suffix, and it was copied to its directory.

Did I copy the wrong version of the file, or should I have deployed the file and key differently?
 
Old 02-06-2017, 11:39 AM   #7
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
I think most likely your crt file contains multiple certs and you did not separate out the web cert before running openssl. Apache configuration expects the CA cert and web cert to be in different files.
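Posts #2, #5 and #7 turn on one detail that is easy to miss: `openssl x509 -in FILE` decodes only the first PEM block in a file, so a four-section download shows the CA root (as in post #3) no matter which of the four is the server certificate. The script below is an added example, not code from the thread or from any of its posters. It splits a bundle into one file per certificate and, where `openssl` is installed, prints the fields that distinguish a CA certificate (CA:TRUE, "Certificate Sign, CRL Sign") from the end-entity certificate Apache wants in SSLCertificateFile. The sample bundle it writes is constructed with placeholder bodies that are not real certificates, so only the splitting is exercised on it; file and function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: split a multi-certificate PEM bundle
# (like the OP's four-section .cer download) into one file per certificate
# and say which ones are CA certificates. "openssl x509 -in FILE" decodes
# only the FIRST PEM block in FILE, which is why the OP's output in post #3
# showed the AddTrust root rather than the server certificate.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... in bundle order and prints the
# number of certificates written. Text outside BEGIN/END markers is ignored.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# is_ca_cert FILE: exit status 0 when the certificate carries CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# describe_cert FILE
# Prints subject, issuer and the CA-related extensions of one certificate.
# A root or intermediate shows "CA:TRUE" with "Certificate Sign, CRL Sign";
# the server certificate shows CA:FALSE (or no Basic Constraints) and a Key
# Usage such as "Digital Signature, Key Encipherment".
describe_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; cannot decode $1"
        return 0
    fi
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'Basic Constraints|X509v3 Key Usage' ||
        echo "(no Basic Constraints / Key Usage extension)"
    if is_ca_cert "$1"; then echo "-> CA certificate: belongs in the chain/bundle file"
    else echo "-> end-entity certificate: belongs in SSLCertificateFile"; fi
}

# make_sample_bundle OUTFILE
# Writes a CONSTRUCTED bundle whose bodies are placeholders, not decodable
# certificates, so the splitter can be exercised without a CA download.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Preamble from the CA portal that is not part of any certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-NOT-A-REAL-CERT
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-NOT-A-REAL-CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-NOT-A-REAL-CERT
-----END CERTIFICATE-----
EOF
}

# Usage: sh split_bundle.sh BUNDLE OUTDIR
# With no arguments it splits the constructed sample and reports the count only.
if [ "$#" -eq 2 ]; then
    count=$(split_pem_bundle "$1" "$2")
    echo "wrote $count certificate(s) to $2"
    for f in "$2"/cert-*.pem; do
        echo "== $f"
        describe_cert "$f"
    done
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/bundle.cer"
    echo "sample bundle split into $(split_pem_bundle "$tmp/bundle.cer" "$tmp/split") files under $tmp/split"
fi
```

Run it against the real download (`sh split_bundle.sh server.cer /tmp/split`) and the one file reported as end-entity is the one to rename to .crt; the CA:TRUE files are what the issuer later supplied as the ca-bundle.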
 
Old 02-06-2017, 11:50 AM   #8
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
Hello --

Thank you for your reply. The hyperlink listed has the procedure that I used to generate the csr and key files.

https://support.rackspace.com/how-to...-with-openssl/

I did a comparison of the public crt with that of the private crt, and while the private one had one 'paragraph' with a header and footer, the public one had four paragraphs.

If the procedure is wrong, then what steps should I have taken to complete this task?

Last edited by kaplan71; 02-06-2017 at 11:52 AM.
 
Old 02-10-2017, 01:25 PM   #9
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
Where can I go from here?
 
Old 02-10-2017, 01:40 PM   #10
PastulioLive
Member
 
Registered: Nov 2014
Posts: 39

Rep: Reputation: Disabled
Quote:
Originally Posted by kaplan71
I had better list the steps that I had taken to determine what I, probably, did wrong:

1. I received an email indicating that enrollment was successful, and the SSL certificate had been issued for the host. The email listed several links to download the certificate in various formats. The formats listed were the following:



Each version of the certificate was saved in a different folder.

2. I copied the X509, Base64 encoded file to the appropriate folder, and changed the .cer suffix to the .crt ending. As mentioned previously, the .key file retained its suffix, and it was copied to its directory.

Did I copy the wrong version of the file, or should I have deployed the file and key differently?
I'm not an expert by any means, but can you try using the "X509 Certificate only, Base64 encoded" file instead?
Perhaps the first link has some CA chains along with the certificate.
 
Old 02-10-2017, 02:23 PM   #11
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Key > csr > x509 crt
Have a look through https://www.instantssl.com/ssl-certi...te-apache.html
for some common scenarios and possible solutions.
 
Old 02-25-2017, 06:08 AM   #12
kaplan71
Member
 
Registered: Nov 2003
Posts: 809

Original Poster
Rep: Reputation: 39
Hello --

I contacted the technical support staff of the certificate issuer, and after talking with them, I made the following configuration changes:

1. I downloaded the ca-bundle file from their website, and renamed it to reflect the name of our server. This file, along with the .crt file was then copied to the /etc/httpd/ssl.crt folder. The key file that had been generated on the server was, in turn, copied to the /etc/httpd/ssl.key folder.

2. The following changes were made to the httpd.conf and ssl.conf files:

httpd.conf
Quote:
SSLEngine On
SSLCertificateKeyFile /etc/httpd/ssl.key/<server.name>.key
SSLCertfiicateFile /etc/httpd/ssl.crt/<server_name>.crt
SSLCertiicateChainFile /etc/httpd/ssl.crt/<server_name>.ca-bundle
ssl.conf
Quote:
SSLCertificateKeyFile /etc/httpd/ssl.key/<server.name>.key
SSLCertfiicateFile /etc/httpd/ssl.crt/<server_name>.crt
SSLCertiicateChainFile /etc/httpd/ssl.crt/<server_name>.ca-bundle
I attempted to restart the server, and it failed to do so. During the process of bringing the server back to its original state I noticed two things:

1. The server restarted when the httpd.conf file was left with the changes made, while the ssl.conf had to be brought back to its original configuration.
2. There is another set of ssl.crt and ssl.key folders located in the /etc/httpd/conf directory. The files at these locations were not modified during this procedure.
 
Old 02-25-2017, 07:11 AM   #13
PastulioLive
Member
 
Registered: Nov 2014
Posts: 39

Rep: Reputation: Disabled
Quote:
Originally Posted by kaplan71
Hello --

I contacted the technical support staff of the certificate issuer, and after talking with them, I made the following configuration changes:

1. I downloaded the ca-bundle file from their website, and renamed it to reflect the name of our server. This file, along with the .crt file was then copied to the /etc/httpd/ssl.crt folder. The key file that had been generated on the server was, in turn, copied to the /etc/httpd/ssl.key folder.

2. The following changes were made to the httpd.conf and ssl.conf files:

httpd.conf


ssl.conf


I attempted to restart the server, and it failed to do so. During the process of bringing the server back to its original state I noticed two things:

1. The server restarted when the httpd.conf file was left with the changes made, while the ssl.conf had to be brought back to its original configuration.
2. There is another set of ssl.crt and ssl.key folders located in the /etc/httpd/conf directory. The files at these locations were not modified during this procedure.
Hi Kaplan,

Good thing you are following up on this!

Did you manage to solve the problem and use the certificate sent by your CA?
If not, you should post the error message generated by the service httpd start command (or output of systemctl status httpd if the server is running systemd).

Most likely it was complaining that you had set up two SSL configurations and only one is allowed.
You should put your SSL configuration in ssl.conf, and not in httpd.conf (ssl.conf should be included automatically by httpd.conf).
 
Old 02-25-2017, 09:07 AM   #14
gda
Member
 
Registered: Oct 2015
Posts: 130

Rep: Reputation: 27
First, it seems you have typos in the lines above (for example "SSLCertfiicateFile" should be "SSLCertificateFile", etc.).

Second (as mentioned by PastulioLive), why do you define the key, cert and chain in both httpd.conf and ssl.conf? They should be defined only in one place (I suppose ssl.conf where, by the way, "SSLEngine On" and all the other required SSL related configuration options should also be located).

I don't think your problem is related to the certificate itself. Most probably you have syntax error(s) in the SSL configuration of your Apache server.

You could check your configuration starting the server with the option "configtest".

Last edited by gda; 02-25-2017 at 09:08 AM.
 
Old 02-26-2017, 03:26 AM   #15
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 421

Rep: Reputation: 74
Try:

Code:
httpd -S
ls -l  /etc/httpd/ssl.key/<issued-cert>.key
Could be lax permissions on the key.
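Posts #13, #14 and #15 between them name the three things to check before the certificate itself is suspected: SSL directives defined in more than one file, a misspelled directive name (Apache refuses to start on an unknown directive, which matches "restarts fine until ssl.conf is changed back"), and the permissions on the key file. The script below is an added example, not code from the thread or its posters. It assumes the Apache 2.2 directive names the thread uses, a placeholder server name in a constructed ssl.conf fragment, RSA keys for the key/certificate comparison, and that `httpd -t` is available on the box; `httpd -t` / `httpd -S` remain the authoritative checks, this just localises the usual mistakes first.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an Apache 2.2
# mod_ssl setup. "httpd -t" (configtest) and "httpd -S" are the real tests;
# this script narrows down where they will complain.

# lint_ssl_directives CONF
# Prints (with line numbers) every line that starts with "SSLCert" but is not
# one of the three real certificate directives. Returns 1 if any was found.
# Catches the thread's "SSLCertfiicateFile" / "SSLCertiicateChainFile".
lint_ssl_directives() {
    grep -n -E '^[[:space:]]*SSLCert' "$1" |
        grep -v -E '^[0-9]+:[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)([[:space:]]|$)' &&
        return 1
    return 0
}

# files_defining DIRECTIVE FILE...
# Lists which of FILE... set DIRECTIVE. Posts #13/#14 recommend keeping the
# key, certificate and chain directives in ssl.conf only, so for a healthy
# setup this prints exactly one file.
files_defining() {
    d=$1; shift
    grep -l -E "^[[:space:]]*$d([[:space:]]|$)" "$@" 2>/dev/null || true
}

# key_not_world_readable KEYFILE
# Returns 0 when the "other" permission bits are clear (0600 or 0640 style);
# the private key should not be readable by every account on the box.
key_not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# key_matches_cert KEYFILE CERTFILE
# Returns 0 when the RSA modulus in the key equals the one in the certificate,
# i.e. the CSR that produced this certificate came from this key. Requires
# openssl. (For non-RSA keys compare "openssl pkey -pubout" with
# "openssl x509 -pubkey" instead.)
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_sample_conf OUTFILE
# Writes a CONSTRUCTED ssl.conf fragment in the correct Apache 2.2 form, using
# the thread's paths with a placeholder server name.
make_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile      /etc/httpd/ssl.crt/server_name.crt
    SSLCertificateKeyFile   /etc/httpd/ssl.key/server_name.key
    SSLCertificateChainFile /etc/httpd/ssl.crt/server_name.ca-bundle
</VirtualHost>
EOF
}

# Usage: sh ssl_preflight.sh CONF [KEYFILE CERTFILE]
if [ "$#" -ge 1 ]; then
    lint_ssl_directives "$1" || echo "^ misspelled SSLCert* directive(s) in $1"
    if [ "$#" -eq 3 ]; then
        key_not_world_readable "$2" || echo "warning: $2 is readable by other users"
        if command -v openssl >/dev/null 2>&1; then
            key_matches_cert "$2" "$3" && echo "key and certificate match" ||
                echo "key and certificate do NOT match (wrong key, or a CA cert in $3)"
        fi
    fi
    # configtest: exits non-zero and prints the offending line on a typo
    command -v httpd >/dev/null 2>&1 && httpd -t
fi
```

Typical use on the thread's layout: `sh ssl_preflight.sh /etc/httpd/conf.d/ssl.conf /etc/httpd/ssl.key/server_name.key /etc/httpd/ssl.crt/server_name.crt`, then `files_defining SSLCertificateFile /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf` should name only ssl.conf.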
 
  


All times are GMT -5.