I have been struggling with an SSL problem for more than 1 month.
We have used openssl to generate our own CA, server and client certificates. We have also enabled "SSLrequire" on the Apache web server (in htaccess; this may be wrong), which means that anyone trying to connect through https to the server needs to present a valid certificate.
The steps are as follows:
So we have our own CA, which is used to sign our server and client certificates.
Next step:
So we have our server certificate & server private key, which we installed successfully on the server.
Next we
We then distributed the client certificate to our users together with the CA certificate. Both were installed in their browsers.
When trying to connect we got the "Peer does not recognize and trust the CA that issued your certificate." error.
We identified the problem as being that the self-signed CA certificate was not installed on the server. Normally the server will present a list of trusted CAs to the device trying to connect to it, and the device will have to send a certificate that has been signed by any of the CAs the server has presented. But since our self-signed CA certificate was not installed on the server, the browser could present a certificate that would be acceptable by the server.
So we went on to install the CA cert on the server (control panel: Hsphere).
We took the content of the CA certificate and copied it into the "Certificate Authority File" textarea on the server, and the server wouldn't accept it, every time complaining "Failed to update SSL Config Different key and certificate".
The CA certificate has been signed by itself, so how can the server say that the certificate and key are different?
We also tried to copy the content of both the CA certificate file and the CA key file into the "Certificate Authority File" textarea, but that also wouldn't work.
As I said, we have been struggling with that for more than one month. If anyone can help, that would be really appreciated. If we have to pay for the service, please let us know.
Thanks in advance.
When using SSL for non-production applications or other experiments you can use a self-signed SSL certificate. Though the certificate implements full encryption, visitors to your site will see a browser warning indicating that the certificate should not be trusted.
In simple terms, a self-signed CA is an SSL certificate authenticated by a trusted CA. A CA is an organization whose primary work is to validate the identities of individuals, companies, and any other entity.
The most common cause of a "certificate not trusted" error is that the certificate installation was not properly completed on the server (or servers) hosting the site. Use our SSL Certificate tester to check for this issue. In the tester, an incomplete installation shows one certificate file and a broken red chain.
(Perhaps https://serverfault.com/ would be a better place for this question.)
Here are a few options you can use in the Apache Httpd configuration (I'm not sure how this is mapped to your configuration panel).
SSLCertificateFile /etc/ssl/certs/host.pem
SSLCertificateKeyFile /etc/ssl/private/host.key
SSLCACertificatePath /etc/ssl/certs/trusteddir
#SSLCACertificateFile /etc/ssl/certs/trustedcert.pem
#SSLCADNRequestFile /etc/ssl/certs/advertisedcas.pem
SSLCertificateFile and SSLCertificateKeyFile are the basic requirements to enable SSL on your server.
Because you want client-certificate authentication, you need to configure one of SSLCACertificatePath (for a directory) or SSLCACertificateFile (for a file) to say which CAs you want to trust, so add your CA certificate there. These should be files in the PEM format. Any certificate in there will be considered as trusted (although it may need to have the CA basic constraint, I can't remember; that's quite standard if you've generated a root CA certificate yourself anyway).
In addition to this, you can put certificates in a SSLCADNRequestFile. This shouldn't be necessary, as it's populated automatically from the SSLCACertificatePath or SSLCACertificateFile certificate directives, but if you want more control on the list of CAs the server advertises it may accept, that's where to do it. Just to clarify, this is not what manages the trust in client certificates, but just what the server advertises it may trust, so you still need SSLCACertificatePath or SSLCACertificateFile. Perhaps your "Certificate Authority File" option in your configuration panel controls that and not one of the other two options.
One way to debug this is to do this on the command line:
echo | openssl s_client -showcerts -connect www.your.host.example:443
This should list the certificate chain you present first (it would be good for it to present the full chain up to the CA, as some clients seem to need it sometimes, as far as I remember). Then, it should list the CAs it's willing to accept for client-certificate authentication, or "No client certificate CA names sent" otherwise (in which case there's a problem with one of the directives mentioned above). This will give you at least an indication of how SSLCADNRequestFile or SSLCACertificatePath/SSLCACertificateFile have been configured (although it's the last two that matter).
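As an added example (not part of the answer above, and not code from Apache or OpenSSL), a small Python helper that applies the two checks the answer describes to saved `openssl s_client -showcerts` output: whether the presented chain reaches the self-signed root, and whether the server advertises any client CA names. The sample outputs below are constructed, not captured from a real host; "Example Root CA" is an assumed name, and the single-CA check assumes, as in the question, that one CA signs both the server and the client certificates.

```python
import re
from itertools import takewhile
# Constructed `openssl s_client -showcerts` output (not a real capture);
# certificate bodies are elided and the client-CA section is appended below.
CHAIN_PART = """Certificate chain
 0 s:/O=Example/CN=www.your.host.example
   i:/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(certificate body elided)
-----END CERTIFICATE-----
 1 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(certificate body elided)
-----END CERTIFICATE-----
---
"""
TAIL = "---\nSSL handshake has read 1234 bytes and written 456 bytes\n"
HEADER = "Acceptable client certificate CA names"
# What the misconfigured server shows, and what it shows once the CA is trusted
SAMPLE_BROKEN = CHAIN_PART + "No client certificate CA names sent\n" + TAIL
SAMPLE_FIXED = CHAIN_PART + HEADER + "\n/O=Example/CN=Example Root CA\n" + TAIL

_CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n *i:(.*)$", re.M)
_STOP = ("---", "Client Certificate Types", "Requested Signature", "Shared Requested")

def parse_chain(output):
    """Subject/issuer pairs of the chain the server sent, in order."""
    return [(s.strip(), i.strip()) for s, i in _CHAIN_RE.findall(output)]

def advertised_client_cas(output):
    """CA names the server offers for client-cert auth ([] if none sent)."""
    lines = output.splitlines()
    if HEADER not in lines:
        return []
    rest = lines[lines.index(HEADER) + 1:]  # list ends at '---' or a later section
    return [ln.strip() for ln in takewhile(lambda ln: not ln.startswith(_STOP), rest)]

def diagnose(output):
    """Findings to act on; an empty list means both checks pass."""
    findings = []
    chain = parse_chain(output)
    if chain and chain[-1][0] != chain[-1][1]:
        findings.append("chain stops short of the self-signed root: " + chain[-1][1])
    cas = advertised_client_cas(output)
    if not cas:
        findings.append("no client CA names sent: check SSLCACertificateFile/Path")
    elif chain and chain[0][1] not in cas:  # one CA signs server and client certs here
        findings.append("server cert issuer is not among the advertised client CAs")
    return findings
```

Feed it the saved output of the `openssl s_client` command above; an empty result from `diagnose` means the server both presents its full chain and advertises the CA your browsers' client certificates were issued by.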