top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Configure multiple algorithm certificate for same domain/ common name in Apache server

0 votes
321 views

I have RSA and DSA Certificates for my domain issued from Symantec Corp. The Certificate information for both the RSA and DSA Certificate is same except the CSRs are generated and submitted with different algorithm.
Now, I want to install both (RSA and DSA) certificates on my Apache server, so that it uses the same port (e.g: 443) on which I will be configuring. I am not aware as to how to configure RSA and DSA Certificates on same port.

posted Jul 19, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

Check this http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatekeyfile

"This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based private key is used in parallel."

answer Jul 19, 2013 by anonymous
Similar Questions
0 votes

Running Apache 2.4.7 and current configuration limiting access to a directory to only clients that can provide a trusted client certificate. Server is SSL host. Would like to modify configuration to allow "local" clients (127.0.0.1, etc. as defined by Require local auth provider) to access the directory without authenticating with a client certificate. So the local host may access the directory without SSL client auth, but all others must authenticate with a client certificate or access is forbidden. What is the best/proper way to do this?

I would like to use modern directives (avoiding Allow, Deny, Order etc. from mod_access_compat) but I am not clear how to combine Require related directives with mod_ssl options like SSLVerifyClient.

Thanks in advance?

+3 votes

I have Apache 2.4 (win32) and have the following in my CA bundle.

Root 1
Subordinate 1
Subordinate 2

My server was signed off Subordinate 1, When I do openssl s_client -connect server:443, it shows both Subordinate 1 and Subordinate 2 in the acceptable CA names.

If I remove Subordinate 2 from the bundle, It only shows Subordinate 1 as a acceptable CA. However, if I remove Subordinate 1, it still shows as an acceptable CA.

It seems httpd references not only cabundle/cafiles but also certs in the Chain file. as acceptable CAs.

Is it possible to prevent a user signed off Subordinate 1 from using client certificate authentication while the server cert is issued off Subordinate 1?

+4 votes

We want to set up SSL client authentication and we will only have a single client that we want to allow through to the website.

Is it possible to allow just a single certificate to authenticate by just specifying that one cert in SSLCACertificateFile? i.e. without specifying the CA cert instead?

If so, would my SSLVerifyDepth then be zero?

Are there any reasons I might not have thought about why this isn't a good idea or any other considerations?

+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

...