Need some SSL certificate help
This topic has 5 replies, 3 voices, and was last updated 19 years, 3 months ago by gw1500se.
December 27, 2005 at 2:11 pm #364544
gw1500se (Participant)
I am trying to implement SSL on my server. I first tested SSL using Apple’s “default” and it works fine although, obviously, the certificate is not verifiable. Anyway, I then used openssl to generate a key. Using that key, I used openssl to generate a CSR. I obtained a certificate from CAcert using that CSR and also got the CAcert root certificate (PEM format). Using the Server Admin GUI I set the parameters (I made the assumption that the “Certificate Authority File” was CAcert’s root certificate). So far all’s well. I then saved and the web service failed to start with the following errors:
[Tue Dec 27 08:26:15 2005] [error] mod_ssl: Init: Unable to read server certificate from file /Users/admin/Documents/Keygen/server.crt (OpenSSL library error follows)
[Tue Dec 27 08:26:15 2005] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Dec 27 08:26:15 2005] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Can someone help me troubleshoot this problem? TIA.
December 30, 2005 at 2:22 pm #364583
ryan (Participant)
Try this:
“> openssl pkcs7 -in public.cer -print_certs -out certs.pem
then use the certificates in ‘certs.pem’ for the server.”
A little looking in Google Groups will usually get you your answer:
http://groups.google.com/group/mailing.openssl.users/msg/0d7efe88c4fcaa8b
December 30, 2005 at 3:45 pm #364586
gw1500se (Participant)
Thanks for the reply. However, these certs are from CAcert, not Verisign. In any case the openssl command fails with the error “unable to load PKCS7 object.” I take that to mean they are not packed the way the article says Verisign does them.
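The script below is an added example, not code from the thread, from CAcert or from Apple’s Server Admin. It does what a practitioner would check first when mod_ssl reports “wrong tag” / “nested asn1 error”: that error is what you get when SSLCertificateFile does not contain a PEM X.509 certificate (a DER file, a PKCS#7 bundle, or the CSR pasted by mistake all trigger it). The script classifies a file by its real encoding, converts DER or PKCS#7 input to PEM (the same thing ryan’s `openssl pkcs7 -print_certs` hint does, without failing on plain certificates), checks that the private key belongs to the certificate, and checks that the CA file you were handed actually signs it. The file names, the throw-away CA and the `demo` entry point are assumptions for the demonstration; run it as `sh check-cert.sh demo`.

```shell
#!/bin/sh
# Added example (not from the thread): classify and repair a certificate file
# before handing it to mod_ssl, and confirm key, cert and CA belong together.
# All file names and the throw-away CA are assumptions for the demonstration.
set -e

# What is really inside the file? mod_ssl's SSLCertificateFile wants a PEM
# X.509 certificate; anything else yields the "wrong tag" / "nested asn1
# error" pair quoted in the first post.
cert_format() {
    f="$1"
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
    elif grep -q -e '-----BEGIN CERTIFICATE REQUEST-----' "$f" 2>/dev/null; then
        echo csr          # the request you sent in, not the signed certificate
    elif grep -q -e '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        echo pkcs7-pem    # the bundle format the pkcs7 -print_certs hint targets
    elif openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo der
    elif openssl pkcs7 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo pkcs7-der
    else
        echo unknown
    fi
}

# Rewrite any of the recognised encodings as plain PEM certificate(s).
to_pem() {
    in="$1"; out="$2"
    case "$(cert_format "$in")" in
        pem)       cp "$in" "$out" ;;
        der)       openssl x509 -inform DER -in "$in" -out "$out" ;;
        pkcs7-pem) openssl pkcs7 -inform PEM -in "$in" -print_certs -out "$out" ;;
        pkcs7-der) openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" ;;
        csr)       echo "$in is a certificate request, not a certificate" >&2; return 1 ;;
        *)         echo "$in: unrecognised certificate encoding" >&2; return 1 ;;
    esac
}

# Does the private key match the certificate? Compare SHA-256 of the DER
# SubjectPublicKeyInfo derived from each side.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the CA file you were given actually sign the server certificate?
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build throw-away fixtures that mirror the thread: a CA, a server key and
# CSR, the CSR signed by the CA, and the same certificate in the encodings
# mod_ssl rejects. Constructed test data, not real CAcert material.
make_fixtures() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=www.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.pem" >/dev/null 2>&1
    openssl x509 -in "$d/server.pem" -outform DER -out "$d/server.der"
    openssl crl2pkcs7 -nocrl -certfile "$d/server.pem" -certfile "$d/ca.pem" -out "$d/bundle.p7b"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" >/dev/null 2>&1
}

# Walk through it: diagnose, repair, verify.
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    for f in server.pem server.der bundle.p7b server.csr; do
        echo "$f: $(cert_format "$d/$f")"
    done
    to_pem "$d/server.der" "$d/server-fixed.pem"
    key_matches_cert "$d/server.key" "$d/server-fixed.pem" && echo "key matches certificate"
    key_matches_cert "$d/other.key"  "$d/server-fixed.pem" || echo "other.key does NOT match"
    verify_chain "$d/ca.pem" "$d/server-fixed.pem" && echo "chain verifies against ca.pem"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

When `to_pem` unpacks a PKCS#7 bundle, the output holds every certificate in the bundle; check with `openssl x509 -in certs.pem -noout -subject` that the first one is the server’s, since that is the one SSLCertificateFile must start with. Note also that in mod_ssl the CA’s intermediate certificates go in SSLCertificateChainFile (newer httpd releases let you append them to SSLCertificateFile instead), whereas SSLCACertificateFile is only consulted to verify client certificates, so a “Certificate Authority File” setting does not by itself repair a server certificate that mod_ssl cannot parse.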
December 30, 2005 at 8:09 pm #364587
ryan (Participant)
I hate to be one of THOSE people, but I gave up on the GUI interface a long time ago and resorted to learning to edit the config file by hand. If this doesn’t intimidate you, I did something like this:
I loaded the certs and requests into a directory for each server:
/etc/httpd/certs/mydomain.com
then edited the config file:
/etc/httpd/sites/0001_192.168.1.2_443_mydomain.com.conf
SSLCertificateChainFile “/etc/httpd/certs/mydomain.com/ComodoSecurityServicesCA.crt”
SSLCertificateFile “/etc/httpd/certs/mydomain.com/server.crt”
SSLCertificateKeyFile “/etc/httpd/certs/mydomain.com/server.key”
Does that help?
January 2, 2006 at 3:02 am #364603
herbw (Participant)
I’m not quite ready to give up on the GUI.
The Mac OS X Mail Service Administration for Version 10.4 or Later, page 97, (Certificate Manager in Server Admin) has instructions for converting a Self Signed Certificate to a Certificate Signed by a Certificate Authority.
Step 17 states Copy the characters [the signed Certificate from the email reply received from the Certificate Authority] from “==Begin CSR==” to “==End CSR==” into the text box.
I’m acting as my own Certificate Authority (using OpenSSL), and the Signed Certificates generated by OpenSSL (in PEM format) are wrapped by “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. I can’t find any information about a format containing “==Begin CSR==” and “==End CSR==”, and therefore don’t have any way to generate a “signed” certificate in the format that the Certificate Manager in Server Admin is expecting.
The bad news is, if you paste in anything other than what the Certificate Manager expects, you get the rather unfriendly response “Can no longer edit record. The selected certificate could not be retrieved. Going back to the list,” and your original self-signed certificate is discarded.
Can anybody (perhaps somebody who has received a signed certificate in this format) provide any further details regarding what Apple is looking for here?
January 6, 2006 at 5:39 pm #364668
gw1500se (Participant)
[QUOTE BY= ryan] I hate to be one of THOSE people, but I gave up on the GUI interface a long time ago and resorted to learning to edit the config file by hand. If this doesn’t intimidate you, I did something like this:
I loaded the certs and requests into a directory for each server:
/etc/httpd/certs/mydomain.com
then edited the config file:
/etc/httpd/sites/0001_192.168.1.2_443_mydomain.com.conf
SSLCertificateChainFile “/etc/httpd/certs/mydomain.com/ComodoSecurityServicesCA.crt”
SSLCertificateFile “/etc/httpd/certs/mydomain.com/server.crt”
SSLCertificateKeyFile “/etc/httpd/certs/mydomain.com/server.key”
Does that help?[/QUOTE]
Thanks for the reply. Now that the holidays are over I can get back to this. I have no problem doing a manual configuration as long as I understand what I’m doing (not always easy). My only question at this point is where did you get the name for the config file and how did you tie that name into Apache?