top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Trouble installing renewed SSL certificate with Apache

+4 votes
696 views

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

posted Oct 25, 2013 by Amit Parthsarthi

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button
It sounds like the configured private key does not match your new certificate. Did you create a new private key and CSR when you ordered the new certificate?
No. I just received the new certificate from Comodo. I assume they used the original csr file which I have stored somewhere :)

I thought I documented what I did to set up the cert but can't for the life of me find it now. So I probably just need to create a new private key but memory does not serve me well right now.

I'm starting to believe that receiving a renewed cert is actually like receiving a cert in the first place and should be installed like a completely new cert.

If you know of a good article on how to install a ssl cert including creating a new private key and ca-bundle please let me know.

1 Answer

+1 vote

1) If the same csr was used, it should be sufficient to replace the .crt.

2) A certificate is linked to the specific private key it was created for. The modulus of that key was stored in the CSR that was used to generate the certificate. You need to find the correct key, since you won't be able to generate a matching one. You can check the modulus of the key, csr and certificate with openssl:

openssl x509 -noout -modulus -in certificate.crt 
openssl rsa -noout -modulus -in private.key 
openssl req -noout -modulus -in csr.csr

You probably should check the certificate as well, especially the CN of the Subject, e.g. with

openssl x509 -noout -text -in certificate.crt
answer Oct 25, 2013 by Abhay Kulkarni
Solved! The new certificate was issued with a new private key but I did not receive info about that. I have now received both the crt and the private key and apache is up and running again.
Similar Questions
+4 votes

We want to set up SSL client authentication and we will only have a single client that we want to allow through to the website.

Is it possible to allow just a single certificate to authenticate by just specifying that one cert in SSLCACertificateFile? i.e. without specifying the CA cert instead?

If so, would my SSLVerifyDepth then be zero?

Are there any reasons I might not have thought about why this isn't a good idea or any other considerations?

0 votes

I'm trying to setup a forward proxy to access certain endpoints on Remote server which require https with basic authentication in header.

A(Application server) ---> Forward proxy (B) ----> Remote server(C)

i'm at B on which i have setup below Apache Virtual host in which i'm setting the headers to use basic authentication passing encoded value of user & pass configured on remote server.However,i want to include HTTPS in my request to C to ensure the headers are sent securely with encrption to remote server (C). I do Not want to use a separate Virtual host for HTTPS. Should i include a SSL Server certificate in my proxy configuration as given below with the basic authentication in header ?
How can i achieve this in Single virtual host ? I have limited knowledge on apache, so please help here.

I tried searching on the internet but did not find the required solution.

##### vHost 9099 is for basic auth with HTTPS #####
Listen *:9099
<VirtualHost *:9099>

        ServerName      myservername.com
        ServerAlias     myservername.com
        ServerAdmin     iamadmin@myservername.com
        DocumentRoot    /my/doc/root/
        SSLEngine on
        RewriteEngine On
        AllowEncodedSlashes NoDecode

        ProxyRequests On

        # SSL configuration

        SSLCertificateFile       /Path to cert.pem
        SSLCertificateKeyFile    /Path to private key
        SSLCACertificateFile     /Path to CA certs


        ##  Basic64  Encoded XXXX od user and passwd in header

         RequestHeader set Authorization "Basic XXXXX"


         ##  Endpoints accessed via https with basic authentication in header

         ProxyPass /api/api1/   https://30.30.115.22:11111/api/api1/
         ProxyPassReverse /api/api1/    https://30.30.115.22:11111/api/api1/


</VirtualHost>
+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+1 vote

I have added force_ssl in ApplicationController. Then thin start --ssl. It took me to https, but with red cross. i.e. Not trusted site.

I tried with creating the certificate with - http://www.napcsweb.com/blog/2013/07/21/rails_ssl_simple_wa/
Still the same. Can anyone suggest?

+3 votes

I have Apache 2.4 (win32) and have the following in my CA bundle.

Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1, When I do openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, It only shows Subordinate 1 as a acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the Chain file. as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?

...