SSL certificate mismatch
| Markus Fischer 2005-11-23, 7:53 am |
| Hi,
I tried getting help on the mod ssl list, but wasn't able to subscribe;
I never got a response from the list manager.
I want to use a self-signed CA for testing purposes. I've therefore
created a CA certificate and a client cert. The problem I'm having is
that, for some reason, the client key and cert moduli do not match.
I'm using these commands to create the CA:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
then I used these commands to create the client key/cert:
openssl genrsa -out client.key 1024
openssl req -new -key ca.key -in client.key -out client.csr
sh sign.sh client.csr
At this point I end up with a client.crt.
When I now compare the modulus of the key and the crt file, they differ
and I get the following error in apache:
OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
In fact I discovered that the modulus in the csr already differs.
$ openssl rsa -noout -modulus -in client.key
Modulus=BF30F9CAA7C092CE...
$ openssl req -noout -modulus -in client.csr
Modulus=BF4E6276BF5CDFC7...
I actually was using these steps a year ago in another environment and
it worked.
The openssl version I'm using is OpenSSL 0.9.7e 25 Oct 2004.
thanks for any pointers,
- Markus
| |
| Peter Djalaliev 2005-11-23, 5:57 pm |
| Hey Markus,
When you generate the signing request, it seems that you are using
the CA key to sign it. Even though I have some problems here and could
not test this, I think the right command should be:
openssl req -new -key client.key -out client.csr
Make sure that ca.key is specified as the CA key in the sign.sh
configuration file.
If you still haven't found a solution and this doesn't work for you,
email me at peter.djalaliev@gmail.com. I am not sure this forum is the
right place to discuss openssl problems.
Regards,
Peter
| |
| markus.private@gmail.com 2005-12-21, 7:57 am |
| Thanks, that did it!
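
The modulus comparison from the question, run against both forms of the `openssl req` command, as an added example that is not part of any post in this thread. The `-subj` values, the 2048-bit unencrypted throwaway keys, the file name `wrong.csr` and the `openssl x509 -req` call standing in for `sign.sh` are assumptions.

```sh
#!/bin/sh
# Added example. Constructed throwaway keys: 2048-bit, no passphrase (assumptions).
set -eu

# Print "Modulus=..." for a key (rsa), a CSR (req) or a certificate (x509).
modulus() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -noout -modulus -in "$2"
}

# Return 0 if key and CSR/certificate share one modulus, 1 if they differ,
# 2 if either file could not be read (so two failed reads never count as equal).
same_modulus() {  # $1 = key file, $2 = req|x509, $3 = CSR or certificate
    k=$(modulus rsa "$1" 2>/dev/null) || return 2
    c=$(modulus "$2" "$3" 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

build_demo() {  # $1 = empty working directory
    (
        cd "$1"
        openssl genrsa -out ca.key 2048
        openssl req -new -x509 -days 30 -key ca.key -subj "/CN=Test CA" -out ca.crt
        openssl genrsa -out client.key 2048
        # As in the question: -key names the CA key, so the CSR carries the CA's modulus.
        openssl req -new -key ca.key -subj "/CN=client" -out wrong.csr
        # As in the answer: the CSR is built from the client's own key.
        openssl req -new -key client.key -subj "/CN=client" -out client.csr
        # Stand-in for sign.sh (assumption): sign the CSR directly with the CA key.
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -out client.crt
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo "$demo_dir"
for f in wrong.csr client.csr; do
    if same_modulus "$demo_dir/client.key" req "$demo_dir/$f"; then
        echo "$f: modulus matches client.key"
    else
        echo "$f: modulus MISMATCH with client.key"
    fi
done
```

Running the same check on the CSR before it is signed catches the mismatch before Apache reports it at startup.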