My organization recently switched its SSL Certificate vendor and the newsupplier (COMODO) insists (reasonably) that we use 2048-bit Private and Public keys.
So I take a running Apache installation, HTTPD v2.2.6, with mod_ssl v2.2.6 andopenssl v0.9.8g running on Solaris 10, currently using a Thawte certificate, and upgrade it for the new vendor's certificates.
I implement the new certificates. reboot httpd, and both aspects where the new certificate is used in the server (mod_ssl and an additional module, mod_cosign from http://weblogin.org) seem to be working properly. That is, mod_cosign works as expected providing single signon features, and mod_ssl appears to be encrypting properly. Short of sniffing the wire to verify the data between browser and server, the little padlock icons are proudly displayed by the browser and page info displays confirm security by the vendor expected, dates expected, etc.
But my httpd log files present an unexpected error each and every time a browser visits an SSL encrypted page (2 examples cited): User interface error unable to load Private Key 22188:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401: User interface error unable to load Private Key 22439:error:0906A068:PEM routines:PEM_do_header:bad password read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401: Any idea what these might be?I have already verified that the private key file is NOT password protected. I've also seen notations on both sites for Apache and mod_ssl:
"Why does my 2048-bit private key not work?"
http://www.modssl.org/docs/2.8/ssl_faq.html
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize
both seem to say say that 2048-bit private keys are NOT ALLOWED because of
incompatibility w/ certain web browsers. Meanwhile it's not clear that I could
even generate a 2048-bit public key without having a 2048-bit private key. So
how could these COMODO certs EVER work if this was the issue?
Count this with a layer of extreme urgency, as this new vendor is my only
source for certificates now, and I have two production webservers with current
certs expiring in about 30 hours that I need to replace w/ these new certs.
Another server in the organization running RHEL v2.2.3 has no such issues;
naturally the powers that be have no examples of v2.2.6 on Solaris to compare
against.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|