Re: RSA server certificate CommonName (CN) 'localhost.localdomain' does NOT match server name!?

On June 6, 2011 13:19, Joe Hansen <joe.hansen.at@xxxxxxxxx> wrote:
I see the following error messages in the ssl_error_log file when I
restart Apache:
RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?

This means that the certificate in the file specified by the SSLCertificateFile directive (/usr/local/xyzssl/xyz.com.crt) is meant to be used to sign other certificates, instead of being meant to be used with a server. While it is possible to use such a certificate with a server, it is a bad idea since if the certificate and private key are stolen (for example, if your web server is attacked and compromised) then the attacker will be able to use these to sign their own certificates under your identity.

The problem may be that you just installed the wrong certificate by mistake: the certificate for the Certification Authority, instead of the certificate you generated for the server. In this case, simply install the correct certificate.

The problem may be that you generated a certificate for the Certification Authority, but did not generate one for the server. In this case, move the CA certificate and CA private key to a secure location that cannot be accessed by Apache (ideally, these would be on a different machine than your web server). You will then need to generate a private key and CSR for your web server (this should be done on your web server machine), and then use the CA certificate and private key to sign the web server CSR, generating a certificate for your web server. Then install the certificate for your web server on your web server in the correct location.

Or, the problem may be that you did not intend to have your own Certification Authority and instead wanted to generate a self-signed certificate for use with your web server. In this case, the problem is that the self-signed certificate you generated has the CA flag set. The solution is to create a new self-signed certificate but to ensure that the CA flag is not set.

If you are unsure, then you probably do not want to have your own Certification Authority. In this case, either use a commercial SSL certificate or a self-signed SSL certificate.



RSA server certificate CommonName (CN) 'localhost.localdomain' does
NOT match server name!?

Every certificate has a name that describes what the certificate applies to. Web browsers will check the name in the certificate against the server name in the URL the user is accessing to see if they match; if they do not match, the web browser will warn the user that they might be visiting a fraudulent site. In this case, you generated a certificate with a common name (CN) of localhost.localdomain, which would only be correct if users accessed your site via the URL https://localhost.localdomain/

The solution is to re-generate the certificate with a common name (CN) that matches the name of the site. For example, if your web server configuration contains the directive "ServerName www.example.com", then you should generate a certificate with the CN www.example.com.


I hope this helps. If you have additional questions, or if the answers above are not clear, please ask.

--
  Mark Montague
  mark@xxxxxxxxxxx
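The following script is an added example for the two warnings discussed in the reply above; it is not part of the original thread and not Mark's or the Apache project's code. It reproduces Apache's two checks on a certificate file (BasicConstraints CA:TRUE, and whether the certificate name matches the ServerName) and then generates a self-signed certificate with the CA flag cleared and a CN matching the site. It requires the `openssl` command line tool; the hostnames `localhost.localdomain` and `www.example.com` and the output paths are constructed for the demonstration, and in practice the path would be whatever `SSLCertificateFile` points at (`/usr/local/xyzssl/xyz.com.crt` in the thread). It goes one step beyond the reply by also putting the hostname in a subjectAltName entry, since current browsers ignore the CN and require a matching SAN.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce Apache's two checks on a
# certificate file, then generate a self-signed *server* certificate that passes both.
# Requires the openssl command line tool; file names and hostnames are constructed.
set -eu

# Exit status 0 if the certificate in $1 has BasicConstraints CA:TRUE
# (first warning in the log: the file holds a CA certificate, not a server one).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print the subject CN of the certificate in $1 (RFC 2253 formatting: no spaces).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Exit status 0 if $2 appears as a DNS entry in the certificate's subjectAltName.
cert_has_san() {
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$escaped(,|\$|[[:space:]])"
}

# Mirror Apache's second complaint: does the certificate name match ServerName?
# Succeeds when the CN matches, or when a SAN DNS entry does (what browsers use).
cert_matches_server_name() {
    [ "$(cert_cn "$1")" = "$2" ] || cert_has_san "$1" "$2"
}

# Run both checks, print Apache-style warnings, exit 0 only if the file is usable
# as a server certificate for $2.
check_server_cert() {
    cert=$1 server_name=$2 ok=0
    if is_ca_cert "$cert"; then
        echo "WARN: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)"
        ok=1
    fi
    if ! cert_matches_server_name "$cert" "$server_name"; then
        echo "WARN: RSA server certificate CommonName (CN) '$(cert_cn "$cert")' does NOT match server name '$server_name'"
        ok=1
    fi
    return $ok
}

# Generate a self-signed certificate and key: $1 = output prefix, $2 = hostname,
# $3 = "ca" to reproduce the mistake from the thread (CA:TRUE) or "server" for a
# proper server certificate (CA:FALSE, serverAuth, SAN = hostname).
make_selfsigned() {
    prefix=$1 name=$2 kind=$3
    if [ "$kind" = ca ]; then
        exts='basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
    else
        exts="basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name"
    fi
    # req(1) takes the x509 extensions for -x509 from the [req] section's x509_extensions.
    cat > "$prefix.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $name
[ext]
$exts
EOF
    # stderr is silenced only to hide key-generation progress output.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# Demonstration: the misconfiguration from the thread, then the fix.
demo() {
    dir=$(mktemp -d)
    make_selfsigned "$dir/wrong" localhost.localdomain ca
    check_server_cert "$dir/wrong.crt" www.example.com || echo "-> do not install $dir/wrong.crt"
    make_selfsigned "$dir/www.example.com" www.example.com server
    check_server_cert "$dir/www.example.com.crt" www.example.com && echo "-> install $dir/www.example.com.crt"
    rm -rf "$dir"
}
demo
```

Point `check_server_cert` at the file named in `SSLCertificateFile` together with the value of `ServerName` to see which of the two warnings applies before touching the configuration; the generated `.key` file must stay readable only by root, and if a real CA is wanted its key belongs on a machine Apache cannot reach, as the reply says.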


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
