Tech, Gadgets, Photography, Social Media and Poor Spelling
The internet is akin to the Wild West of old, with spyware, malware, porn and other such beasties roaming the cables between our computers, let alone people sniffing the wires. We need to lock it down and make it more secure, so we know that where we are going is where we are supposed to be going.
This week I’ve been having a bit of a nightmare with Apache and SSL certificates, specifically the ones pushed out of a Microsoft Certificate 2008R2 Server.
Note: This worked for me and is only a guide; certificates are a minefield and this may not work in your scenario. Please feel free to comment, but use Google if this doesn’t work for you, or if it did, say so. I don’t approve comments by trolls, moaners or rude people.
I was using the following in my https config:
On restarting Apache I was getting a failure, and the Apache error log was telling me the following:
[debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Which was bothering me, as I’d extracted the private key together with the certificate from the MS cert server, and when I ran cat on the cert file there was no indication that the private key was encrypted.
I knew I had to convert the PKCS#12 (.pfx) file which the Microsoft cert server exported into a PEM file that includes both the cert and the key. I was using the following command:
openssl pkcs12 -in cert.pfx -out client.pem -nodes
Which spat out the required output (a file containing both cert and key with no password), or so I thought. This, however, was not the case.
What I should have been doing was this:
Extract the key from the Microsoft cert file and remove the password:
openssl pkcs12 -in cert.pfx -out cert.key -nocerts -nodes
Convert the key to the traditional RSA PEM format, i.e. give it the BEGIN RSA PRIVATE KEY header (Linux specifically needs this):
openssl rsa -in cert.key -out client.key
Extract the certificate only from the Microsoft certificate:
openssl pkcs12 -in cert.pfx -out client.pem -clcerts -nokeys
Append the RSA-headed key file to the PEM file:
cat client.key >> client.pem
The output of this is now in the correct format. Put the PEM file in the location required by your Apache config and try restarting.
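As an added pre-flight check (my own script, not part of the original post), this inspects the combined PEM file for the three things behind that mod_ssl message: no key block at all, a key that is still encrypted, or a key in PKCS#8 "PRIVATE KEY" form rather than the traditional "RSA PRIVATE KEY" form that the openssl rsa step writes (older OpenSSL combined-file readers do not recognise the PKCS#8 label, which is why that step matters). The PEM bodies below are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: the label plus everything between its BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def pem_blocks(text):
    """Return (label, body) for every PEM block in the file text, in order."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]

def check_combined_pem(text):
    """Return the reasons mod_ssl would reject this cert+key file.

    An empty list means the file holds a certificate and an unencrypted key in
    the traditional 'RSA PRIVATE KEY' form that the openssl rsa step produces.
    """
    problems = []
    blocks = pem_blocks(text)
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block: the -clcerts -nokeys export is missing")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block: client.key was never appended")
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted: re-export it with -nodes")
        elif label == "PRIVATE KEY":
            # PKCS#8 label: this is what `openssl pkcs12 -nodes` alone writes.
            problems.append("key is PKCS#8 'PRIVATE KEY': run openssl rsa to get 'RSA PRIVATE KEY'")
    return problems

# Constructed samples with placeholder bodies (not real certificates or keys).
CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertBody==\n-----END CERTIFICATE-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKeyBody==\n-----END PRIVATE KEY-----\n"
RSA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderKeyBody==\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEplaceholder==\n-----END RSA PRIVATE KEY-----\n")

# Shape of the first attempt in the post: Bag Attributes, the cert, and a PKCS#8 key.
FIRST_ATTEMPT = "Bag Attributes\n    friendlyName: example\n" + CERT + PKCS8_KEY
# Shape of the four-step result: the certificate export with client.key appended.
FIXED_FILE = "Bag Attributes\n    friendlyName: example\n" + CERT + RSA_KEY

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT), ("fixed file", FIXED_FILE)):
        print(name, "->", check_combined_pem(text) or "OK")
```

To check a real file, read it and pass the text to check_combined_pem before restarting Apache.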