Trouble installing renewed SSL certificate with Apache

+4 votes

The SSL cert on my Apache server has expired. It is actually a server at work, an important one as well, so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed SSL cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

posted Oct 25, 2013 by Amit Parthsarthi

It sounds like the configured private key does not match your new certificate. Did you create a new private key and CSR when you ordered the new certificate?
No. I just received the new certificate from Comodo. I assume they used the original csr file which I have stored somewhere :)

I thought I documented what I did to set up the cert but can't for the life of me find it now. So I probably just need to create a new private key but memory does not serve me well right now.

I'm starting to believe that receiving a renewed cert is actually like receiving a cert in the first place and should be installed like a completely new cert.

If you know of a good article on how to install an SSL cert, including creating a new private key and ca-bundle, please let me know.

1 Answer

+1 vote

1) If the same csr was used, it should be sufficient to replace the .crt.

2) A certificate is linked to the specific private key it was created for. The modulus of that key was stored in the CSR that was used to generate the certificate. You need to find the correct key, since you won't be able to generate a matching one. You can check the modulus of the key, csr and certificate with openssl:

openssl x509 -noout -modulus -in certificate.crt 
openssl rsa -noout -modulus -in private.key 
openssl req -noout -modulus -in csr.csr

You probably should check the certificate as well, especially the CN of the Subject, e.g. with

openssl x509 -noout -text -in certificate.crt

answer Oct 25, 2013 by Abhay Kulkarni

Solved! The new certificate was issued with a new private key but I did not receive info about that. I have now received both the crt and the private key and Apache is up and running again.
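The checks from the answer, turned into a pre-flight script you can run before restarting Apache. This is an added example, not code from the thread or from Apache or OpenSSL; it assumes only that the openssl CLI is on PATH. It goes a step beyond the answer: besides the RSA-only modulus comparison, it compares the public key extracted from the certificate with the public key derived from the private key, which also works for EC keys, and it checks the subject CN and the expiry date. The files it creates (old.key, server.crt, old.csr, new.key) are a constructed fixture that reproduces the "key values mismatch" situation from the question with a self-signed certificate standing in for the CA-issued one.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
# Apache's "X509_check_private_key:key values mismatch" means the configured
# SSLCertificateKeyFile does not belong to the SSLCertificateFile; these
# functions catch that (and two other common renewal mistakes) before restart.

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Works for RSA and EC keys. 0 = match.
key_matches_cert() {
    key="$1"; cert="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null | openssl sha256 | awk '{print $NF}')
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The RSA-only method from the answer: md5 of the modulus of a cert, key or CSR,
# so the three values can be compared by eye or by script.
rsa_modulus_digest() {
    { case "$1" in
        cert) openssl x509 -noout -modulus -in "$2" ;;
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        csr)  openssl req  -noout -modulus -in "$2" ;;
      esac; } 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Subject CN of the certificate (the answer's "check the CN" step).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the certificate is valid right now, 1 if it has already expired.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Everything Apache would trip over at startup, in one call. Prints the reason
# on failure so a deploy script can stop before "apachectl restart".
apache_preflight() {
    key="$1"; cert="$2"; expected_cn="$3"
    if ! key_matches_cert "$key" "$cert"; then
        echo "FAIL: private key does not match certificate (key values mismatch)"; return 1
    fi
    if ! cert_not_expired "$cert"; then
        echo "FAIL: certificate has expired"; return 1
    fi
    if [ "$(cert_cn "$cert")" != "$expected_cn" ]; then
        echo "FAIL: subject CN is '$(cert_cn "$cert")', expected '$expected_cn'"; return 1
    fi
    echo "OK: $cert can be used as SSLCertificateFile with $key"
}

# Constructed fixture: a key, its CSR, a self-signed cert for that key (standing
# in for the CA-issued one) and an unrelated second key that reproduces the
# mismatch from the question. Prints the directory it created.
make_fixture() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/old.key" 2048 2>/dev/null
    openssl req -new -key "$dir/old.key" -subj "/O=Example/CN=www.example.test" \
        -out "$dir/old.csr" 2>/dev/null
    openssl req -new -x509 -key "$dir/old.key" -days 365 \
        -subj "/O=Example/CN=www.example.test" -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null
    echo "$dir"
}

# Demonstration when run directly: the original key passes, the unrelated key
# fails with the same complaint Apache logged in the question.
demo=$(make_fixture)
echo "modulus cert: $(rsa_modulus_digest cert "$demo/server.crt")"
echo "modulus key : $(rsa_modulus_digest key  "$demo/old.key")"
echo "modulus csr : $(rsa_modulus_digest csr  "$demo/old.csr")"
apache_preflight "$demo/old.key" "$demo/server.crt" www.example.test
apache_preflight "$demo/new.key" "$demo/server.crt" www.example.test || true
rm -rf "$demo"
```

In a real deployment, call `apache_preflight /etc/ssl/private/server.key /etc/ssl/certs/server.crt www.example.com` from the script that installs the renewed files; a non-zero exit means the renewal shipped with a different key (as happened in this thread) or the wrong certificate, and Apache should not be restarted until that is sorted out.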