All geek questions in one place

Apache2 + OpenSSL CA Certificate

I created a self-signed server certificate, a server private key, and my own certificate authority certificate using the commands below.

openssl genrsa -out ca.key 2048 openssl req -config openssl.cnf -new -x509 -days 365 -key ca.key -out ca.crt openssl genrsa -out server.key 2048 openssl req -config openssl.cnf -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Then I added them to httpd-ssl.conf using below.

 SSLCertificateFile "C:/Apache2/conf/server.crt" SSLCertificateKeyFile "C:/Apache2/conf/server.key" SSLCertificateChainFile "C:/Apache2/conf/ca.crt"

However, when visiting https: // localhost, I get: -

Secure connection failed. Error connecting to local. The peer certificate has an invalid signature. (Error code: sec_error_bad_signature) The page you are trying to view cannot be because the authenticity of the received data cannot be verified. * Please contact website owners to inform them of this problem.

Any ideas anybody?

thanks

A normal untrusted localhost error uses an invalid security certificate. The certificate is not trusted because it is signed.

CA certificate error An error occurred while connecting to localhost. The ad hoc certificate has an invalid signature.

+4
source share
3 answers

Try re-creating the certificate this way:

 openssl genrsa -des3 -out server.key 2048 openssl req -new -key server.key -out server.csr

Then, remove the passphrase from the server certificate to prevent Apache from asking for a password each time it is rebooted:

 cp server.key server.key.org openssl rsa -in server.key.org -out server.key

And then generate your self-signed certificate

 openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

After that, simply specify the SSLCertificateFile and SSLCertificateKeyFile to use the new certificate.

+11
source

Because self-signed certificates do not have a trusted root certification authority, you need to add them to the list of trusted CA browsers. The browser cannot verify an unused certificate.

+1
source

This is because it is a self-signed certificate. To avoid this message, you need to make sure it is verified and buy a certificate from a trusted CA authority such as Verisign, GoDaddy, etc. You can also try the free COMODO Instant SSL certificate.

Since you are just testing on localhost, don't worry about the warning. But in production, this can deter your users.

0
source

Source: https://habr.com/ru/post/1403650/

More articles:


All Articles