My organization recently switched its SSL Certificate vendor and the new
supplier (COMODO) insists (reasonably) that we use 2048-bit Private and Public
keys.
So I take a running Apache installation, HTTPD v2.2.6, with mod_ssl v2.2.6 and
openssl v0.9.8g running on Solaris 10, currently using a Thawte certificate,
and upgrade it for the new vendor's certificates.
I implement the new certificates. reboot httpd, and both aspects where the new
certificate is used in the server (mod_ssl and an additional module, mod_cosign
from http://weblogin.org) seem to be working properly. That is, mod_cosign
works as expected providing single signon features, and mod_ssl appears to be
encrypting properly. Short of sniffing the wire to verify the data between
browser and server, the little padlock icons are proudly displayed by the
browser and page info displays confirm security by the vendor expected, dates
expected, etc.
But my httpd log files present an unexpected error each and every time a
browser visits an SSL encrypted page (2 examples cited):
User interface error
unable to load Private Key
22188:error:0906A068:PEM routines:PEM_do_header:bad password
read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:
User interface error
unable to load Private Key
22439:error:0906A068:PEM routines:PEM_do_header:bad password
read:/on10/build-nd/G10U10B0B/usr/src/common/openssl/crypto/pem/pem_lib.c:401:
Any idea what these might be?
I have already verified that the private key file is NOT password protected.
I've also seen notations on both sites for Apache and mod_ssl:
"Why does my 2048-bit private key not work?"
http://www.modssl.org/docs/2.8/ssl_faq.html
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#keysize
both seem to say say that 2048-bit private keys are NOT ALLOWED because of
incompatibility w/ certain web browsers. Meanwhile it's not clear that I could
even generate a 2048-bit public key without having a 2048-bit private key. So
how could these COMODO certs EVER work if this was the issue?
Count this with a layer of extreme urgency, as this new vendor is my only
source for certificates now, and I have two production webservers with current
certs expiring in about 30 hours that I need to replace w/ these new certs.
Another server in the organization running RHEL v2.2.3 has no such issues;
naturally the powers that be have no examples of v2.2.6 on Solaris to compare
against.
--
J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
