projectz

Tech, Gadgets, Photography, Social Media and Poor Spelling

Tip: SSLProxyMachineCertificateFile returns (missing or encrypted private key?)

SSL-Certificates

The internet is akin to the Wild West of old, with spyware, malware, porn and other such beasties roaming the cables between our computers, let alone people sniffing the wires. We need to lock it down and make it more secure, so we know that where we are going is where we are supposed to be going.

This week I’ve been having a bit of a nightmare with Apache and SSL certificates, specifically the ones pushed out of a Microsoft Certificate Server 2008 R2.

Note: This worked for me, and is a guide; however, certificates are a minefield and this may not work in your scenario. Please feel free to comment, but use Google if this doesn’t work for you, or if it did, say so. I don’t approve comments by trolls, moaners or rude people.

The Problem

I was using the following in my Apache https config:

...
SSLProxyEngine On
SSLProxyMachineCertificateFile ssl/client.pem
...

On restarting Apache it failed, and the Apache error log was telling me the following:

[debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
incomplete client cert configured for SSL proxy (missing or encrypted private key?)

This was bothering me, as I’d extracted the private key together with the certificate from the MS Cert Server, and when I ran cat on the cert file there was no indication that the private key was encrypted.

The Solution

I knew I had to convert the .pfx file which the Microsoft Cert Server exported into a PEM file which includes both the cert and the key. I was using the following command:

openssl pkcs12 -in cert.pfx -out client.pem -nodes

This spat out what looked like the required output (a file containing both cert and key with no password), or so I thought. This, however, was not the case.

What I should have been doing was this:

Extract the key only from the Microsoft cert file and remove the password:

openssl pkcs12 -in cert.pfx -out cert.key -nocerts -nodes

Rewrite the key in traditional RSA PEM form, which gives it the RSA PRIVATE KEY header (Linux specifically needs this):

openssl rsa -in cert.key -out client.key

Extract the certificate only (no key) from the Microsoft cert file:

openssl pkcs12 -in cert.pfx -out client.pem -clcerts -nokeys

Append the RSA-headed key file to the PEM file:

cat client.key >> client.pem

The output of this is now in the correct format. Put the PEM file in the location required by your Apache config and try restarting.
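To save the guesswork next time, here is a small checker I added for this post (it is not from the original post and not part of Apache or OpenSSL). It reads a PEM bundle and reports the conditions that produce the "incomplete client cert configured for SSL proxy (missing or encrypted private key?)" error: no certificate block, no key block, an encrypted key, or a PKCS#8 "PRIVATE KEY" block that has not been through the openssl rsa step above. The sample PEM blocks are constructed placeholders, not real key material; the function name check_proxy_bundle is my own.

```python
"""Check an Apache SSLProxyMachineCertificateFile bundle before restarting.

Added example, not from the original post. mod_ssl expects this file to be a
plain concatenation of PEM blocks holding the client certificate and its
unencrypted private key (mod_ssl does not support encrypted keys here). This
helper reports why a bundle would be rejected instead of leaving you to guess.
"""
import re
import sys

# One PEM block: label and body. The body may start with Proc-Type/DEK-Info
# headers when openssl wrote a traditional-format encrypted key.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in the text, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_proxy_bundle(text):
    """Return a list of problems; an empty list means the bundle looks usable."""
    problems = []
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]

    if not certs:
        problems.append("no CERTIFICATE block found")
    if not keys:
        problems.append("no private key block found (did you pass -nokeys?)")

    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(
                "private key is encrypted; mod_ssl cannot use a passphrase "
                "here, re-export it with -nodes")
        elif label == "PRIVATE KEY":
            # PKCS#8 wrapper: the post converts this to the traditional
            # "RSA PRIVATE KEY" form with `openssl rsa -in ... -out ...`.
            problems.append(
                "private key is in PKCS#8 'PRIVATE KEY' form; convert it "
                "with 'openssl rsa' to the 'RSA PRIVATE KEY' form")
    return problems


# Constructed sample blocks (placeholder base64, not real key material).
CERT = "-----BEGIN CERTIFICATE-----\nMIIBexample\n-----END CERTIFICATE-----\n"
RSA_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n"
           "-----END RSA PRIVATE KEY-----\n")
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEexample\n-----END PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           "MIIEexample\n-----END RSA PRIVATE KEY-----\n")

SAMPLES = {
    "good bundle (cert + RSA key)": CERT + RSA_KEY,
    "cert only, -nokeys left in": CERT,
    "encrypted key": CERT + ENC_KEY,
    "PKCS#8 key, openssl rsa step skipped": CERT + PKCS8_KEY,
}


def main(argv):
    """With a file argument, check that file; otherwise run the samples."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            problems = check_proxy_bundle(fh.read())
        for p in problems:
            print("PROBLEM:", p)
        return 1 if problems else 0
    for name, text in SAMPLES.items():
        print(f"{name}: {check_proxy_bundle(text) or 'OK'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_bundle.py ssl/client.pem` before restarting Apache. Two further checks worth doing by hand: confirm the key actually belongs to the cert by comparing `openssl x509 -noout -modulus -in client.pem | openssl md5` with `openssl rsa -noout -modulus -in client.key | openssl md5` (they must match), and remember that -nodes leaves the key unencrypted on disk, so the PEM file should be readable only by the user Apache starts as (chmod 600).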
