Is there a way for OpenSSL to list all certificates which it trusts?

Also see: How to find out the path for openssl trusted certificate?

AFAIK OpenSSL just consults a list (such as, for example, /etc/ssl/certs) and checks if the certificate is present there. There's even a FAQ topic covering it: Why does fail with a certificate verify error?:

> This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL; this typically means that the CA certificate must be placed in a directory or file and the relevant program configured. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page.

You can also test your connection to Google to see how OpenSSL behaves:

```
$ openssl s_client -connect :443
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
...
Verify return code: 20 (unable to get local issuer certificate)
```

Notice the above fails because OpenSSL does not trust GeoTrust Global CA by default. Actually, there's another trust point in the chain, and that's Google Internet Authority G2. You can remedy the situation by telling OpenSSL what to trust. Below, I use the -CAfile option with Google Internet Authority G2:

```
$ openssl s_client -connect :443 -CAfile google-ca.pem
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN =
```

Next, you can act like a browser by going to cURL and downloading cacert.pem:

```
$ openssl s_client -connect :443 -CAfile cacert.pem
```

cacert.pem has lots of CAs in it:

```
$ cat cacert.pem | grep -o "\-\-\-\-\-BEGIN" | wc -l
```

You're not quite as bad as a browser with its hundreds of CAs and subordinate CAs, but you're getting close.

OpenSSL's security model is in contrast to the web app/browser security model, where the browser carries around a list of trust anchors or trust points known as Certificate Authorities (CAs). Note: in this model, the wrong CA could claim to certify a site, and the browser would be no wiser. This has happened in the past, and it will likely happen again in the future. For a good history of PKIX funny business, see CAcert's Risk History. For example, you know Google Internet Authority G2 and GeoTrust Global CA certify Google's sites. There's no reason for a Dutch CA called Diginotar to claim to certify them, or a French Cyberdefense Agency to claim to certify them.

Related to security models: another problem with the web app/browser model is you cannot package the one trust anchor or CA needed for your app and use it (assuming you have a trusted distribution channel). Your certificate gets tossed in the pile with the CA Zoo. Others can still claim to certify your site, and you can claim to certify other sites. The security model is one of the reasons web apps are relegated to low value data. Web apps should not handle medium value or high value data because we can't place the needed security controls.

Check Compatibility

When you are dealing with lots of different SSL Certificates, it is quite easy to forget which certificate goes with which Private Key, or, for example, which CSR has been generated using which Private Key. From the Linux command line, you can easily check whether an SSL Certificate or a CSR matches a Private Key using the OpenSSL utility.

When you create a Private Key and CSR to obtain an SSL Certificate, OpenSSL generates some internal data called a modulus (for RSA, the modulus is part of the public key, which is why the same value appears wherever that key is embedded). OpenSSL stores the modulus in the Private Key, as well as in the CSR and therefore in the SSL Certificate itself. To make sure that the files are compatible, you can print and compare the values of the SSL Certificate modulus, the Private Key modulus and the CSR modulus.

If you are using either the incorrect Private Key or the incorrect SSL Certificate, you will receive an error as follows:

```
Unable to configure RSA server Private Key
SSL Library Error: x509 certificate routines:X509_check_private_key:key values mismatch
```

Your Private Key and SSL Certificate must contain the same modulus, otherwise the web server won't start. So if you get a similar error, it is time to check whether your Private Key matches the SSL Certificate by comparing their moduli.
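The modulus comparison described on this page, as an added shell example (not the original author's code): it prints the modulus of a Private Key, a CSR and an SSL Certificate, reports whether all three agree, and builds its own constructed RSA fixtures so it runs offline. It assumes the `openssl` CLI is installed and that the key is RSA, since EC keys have no modulus; the file names are assumptions.

```shell
# Added example (not from the original page): compare the RSA modulus of a
# private key, a CSR and a certificate, so a "key values mismatch" is caught
# before the web server is restarted. Paths and file names are assumptions.

# Print "Modulus=<hex>" for one file; $1 is the file kind, $2 the path.
modulus_of() {
  case "$1" in
    key)  openssl rsa  -noout -modulus -in "$2" ;;
    csr)  openssl req  -noout -modulus -in "$2" ;;
    cert) openssl x509 -noout -modulus -in "$2" ;;
    *)    echo "unknown kind: $1" >&2; return 2 ;;
  esac
}

# Short fingerprint of a modulus so the three values can be compared by eye.
short_id() { printf '%s' "$1" | openssl md5 | awk '{print $NF}'; }

# Return 0 when key, CSR and certificate all carry the same modulus, 1 if not,
# 2 when a file could not be read.
check_match() {
  key_mod=$(modulus_of key  "$1") || return 2
  csr_mod=$(modulus_of csr  "$2") || return 2
  crt_mod=$(modulus_of cert "$3") || return 2
  echo "key  $(short_id "$key_mod")"
  echo "csr  $(short_id "$csr_mod")"
  echo "cert $(short_id "$crt_mod")"
  if [ "$key_mod" = "$csr_mod" ] && [ "$csr_mod" = "$crt_mod" ]; then
    return 0
  fi
  return 1
}

# Constructed fixtures: key A with its CSR and self-signed cert, plus an
# unrelated key B that must be reported as a mismatch. Prints the directory.
make_fixtures() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/a.key" 2048 2>/dev/null
  openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
  openssl req -new -key "$dir/a.key" -subj "/CN=example.test" \
    -out "$dir/a.csr" 2>/dev/null
  openssl x509 -req -in "$dir/a.csr" -signkey "$dir/a.key" -days 1 \
    -out "$dir/a.crt" 2>/dev/null
  echo "$dir"
}

# Usage with real files: sh check_modulus.sh server.key server.csr server.crt
if [ $# -eq 3 ]; then
  check_match "$1" "$2" "$3" && echo "OK: all three match" || echo "MISMATCH"
fi
```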