Reputation: 587
I've created the self-signed server certificate, the private server key and the Certificate Authority's own certificate using the below commands.
openssl genrsa -out ca.key 2048
openssl req -config openssl.cnf -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -config openssl.cnf -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
I've then added them to httpd-ssl.conf using the below.
SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"
SSLCertificateChainFile "C:/Apache2/conf/ca.crt"
However when visiting https://localhost I get:-
Secure Connection Failed An error occurred during a connection to localhost. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature) The page you are trying to view can not be shown because the authenticity of the received data could not be verified. * Please contact the web site owners to inform them of this problem.
Any ideas anyone?
Thanks
Normal untrusted error: localhost uses an invalid security certificate. The certificate is not trusted because it is self signed.
My CA certificate error: An error occurred during a connection to localhost. Peer's certificate has an invalid signature.
Upvotes: 3
Views: 11048
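A check a practitioner could run on the files from the question, as an added example that is not part of the original posts. One known way this CA-plus-server layout ends in a signature error is giving both certificates the same subject DN (easy to do when both `openssl req` runs take their defaults from one openssl.cnf); the page does not show the poster's openssl.cnf, so the subject names below are constructed and `-subj` stands in for it.

```shell
# Added example, not from the posts. Subject names are constructed, and -subj
# stands in for the poster's openssl.cnf, which the page does not show.

# Build a CA and a CA-signed server certificate in directory $1 with the
# question's commands. $2 = CA subject, $3 = server subject.
make_chain() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$d/ca.key" -subj "$2" -out "$d/ca.crt" &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" -subj "$3" -out "$d/server.csr" &&
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/server.crt" 2>/dev/null
}

# Print a certificate's subject DN on one line.
subject_of() {
    s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1") || return 1
    printf '%s\n' "${s#subject=}"
}

# Print "same-dn", "verify-failed" or "ok" for the chain in directory $1.
chain_status() {
    d=$1
    ca_dn=$(subject_of "$d/ca.crt") || return 1
    srv_dn=$(subject_of "$d/server.crt") || return 1
    if [ "$ca_dn" = "$srv_dn" ]; then
        # Subject equals issuer, so the leaf looks self-issued and a client
        # may check its signature against the leaf's own key, not the CA's.
        echo same-dn
    elif ! openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1; then
        echo verify-failed
    else
        echo ok
    fi
}

# Demo: one chain with distinct names, one where CA and server share a name.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/good" "$t/clash"
    make_chain "$t/good" "/CN=Example Test CA" "/CN=localhost"
    make_chain "$t/clash" "/CN=localhost" "/CN=localhost"
    echo "good:  $(chain_status "$t/good")"
    echo "clash: $(chain_status "$t/clash")"
    rm -rf "$t"
}

demo
```

To check existing files instead, call `chain_status` with the directory that holds ca.crt and server.crt.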
Reputation:
Try re-generating your certificate this way:
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
Then, remove the passphrase from the server certificate to avoid Apache asking you for the password every time you restart it:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
And then, generate your self-signed certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
After, just specify SSLCertificateFile and SSLCertificateKeyFile to use your new certificate.
Upvotes: 11
Reputation: 1505
This is because it's a self-signed certificate. To avoid this message, you'll need to get yourself verified and buy a certificate from a trusted CA authority like Verisign, GoDaddy, etc. You can also try the free certificate from COMODO Instant SSL.
Since you're just testing on localhost, don't worry about the warning. But in production, this might deter your users.
Upvotes: 0
Reputation: 1224
Because self-signed certificates don't have a trusted root certificate authority, you need to add them to the browser's trusted CA list. A browser cannot verify an untrusted certificate.
Upvotes: 1