problem with Verisign Certificate

Steven Shourds

unread,

May 16, 2003, 5:51:38 PM5/16/03

to

This is a multi-part message in MIME format.

------=_NextPart_000_0042_01C31BD3.ECB3ED90
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I received my Verisign Cert in email. Now I want to use it in Apache. I =
am getting the following SSL error in the apache SSL.LOG.

[Fri May 16 17:22:49 2003] [info] Init: Initializing OpenSSL library
[Fri May 16 17:22:49 2003] [info] Init: Seeding PRNG with 272 bytes of =
entropy
[Fri May 16 17:22:49 2003] [info] Loading certificate & private key of =
SSL-aware server
[Fri May 16 17:22:49 2003] [error] Init: Unable to read server =
certificate from file C:/Apache/bin/CA/VerisignCertificate.txt
[Fri May 16 17:22:49 2003] [error] SSL Library Error: 218529960 =
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 16 17:22:49 2003] [error] SSL Library Error: 218595386 =
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

And I tried the following also:

C:\Apache\bin>openssl x509 -noout -text -in public.cer
unable to load certificate
2628:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong =
tag:.\crypto\asn1\tasn_dec.c:939:
2628:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 =
error:.\crypto\asn1\tasn_dec
.c:304:Type=3DX509_CINF
2628:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 =
error:.\crypto\asn1\tasn_de
c.c:566:Field=3Dcert_info, Type=3DX509
2628:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 =
lib:.\crypto\pem\pem_oth.c:82:

I am not sure what is wrong?

Thanks for any help,

Steve
------=_NextPart_000_0042_01C31BD3.ECB3ED90
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1170" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>I received my Verisign Cert in email. =
Now I want to=20
use it in Apache. I am getting the following SSL error in the apache=20
SSL.LOG.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>[Fri May 16 17:22:49 2003] [info] Init: =

Initializing OpenSSL library<BR>[Fri May 16 17:22:49 2003] [info] Init: =
Seeding=20
PRNG with 272 bytes of entropy<BR>[Fri May 16 17:22:49 2003] [info] =
Loading=20
certificate & private key of SSL-aware server<BR>[Fri May 16 =
17:22:49 2003]=20
[error] Init: Unable to read server certificate from file=20
C:/Apache/bin/CA/VerisignCertificate.txt<BR>[Fri May 16 17:22:49 2003] =
[error]=20
SSL Library Error: 218529960 error:0D0680A8:asn1 encoding=20
routines:ASN1_CHECK_TLEN:wrong tag<BR>[Fri May 16 17:22:49 2003] [error] =
SSL=20
Library Error: 218595386 error:0D07803A:asn1 encoding=20
routines:ASN1_ITEM_EX_D2I:nested asn1 error<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>And I tried the following =
also:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>C:\Apache\bin>openssl x509 -noout =
-text -in=20
public.cer<BR>unable to load certificate<BR>2628:error:0D0680A8:asn1 =
encoding=20
routines:ASN1_CHECK_TLEN:wrong=20
tag:.\crypto\asn1\tasn_dec.c:939:<BR>2628:error:0D07803A:asn1 encoding=20
routines:ASN1_ITEM_EX_D2I:nested asn1=20
error:.\crypto\asn1\tasn_dec<BR>.c:304:Type=3DX509_CINF<BR>2628:error:0D0=
8303A:asn1=20
encoding routines:ASN1_TEMPLATE_D2I:nested asn1=20
error:.\crypto\asn1\tasn_de<BR>c.c:566:Field=3Dcert_info,=20
Type=3DX509<BR>2628:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1=20
lib:.\crypto\pem\pem_oth.c:82:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I am not sure what is =
wrong?</FONT></DIV>
<DIV><FONT face=3DArial><FONT size=3D2></FONT></FONT> </DIV>
<DIV><FONT face=3DArial><FONT size=3D2>Thanks for any =
help,</FONT></FONT></DIV>
<DIV><FONT face=3DArial><FONT size=3D2></FONT></FONT> </DIV>
<DIV><FONT face=3DArial><FONT =
size=3D2>Steve</FONT></DIV></FONT></BODY></HTML>

------=_NextPart_000_0042_01C31BD3.ECB3ED90--

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

unread,

May 16, 2003, 6:13:54 PM5/16/03

to

On Fri, May 16, 2003, Steven Shourds wrote:

> I received my Verisign Cert in email. Now I want to use it in Apache. I am getting the following SSL error in the apache SSL.LOG.

>
> [Fri May 16 17:22:49 2003] [info] Init: Initializing OpenSSL library

> [Fri May 16 17:22:49 2003] [info] Init: Seeding PRNG with 272 bytes of entropy
> [Fri May 16 17:22:49 2003] [info] Loading certificate & private key of SSL-aware server
> [Fri May 16 17:22:49 2003] [error] Init: Unable to read server certificate from file C:/Apache/bin/CA/VerisignCertificate.txt
> [Fri May 16 17:22:49 2003] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Fri May 16 17:22:49 2003] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

>
> And I tried the following also:
>
> C:\Apache\bin>openssl x509 -noout -text -in public.cer
> unable to load certificate

> 2628:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:939:
> 2628:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec
> .c:304:Type=X509_CINF
> 2628:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:.\crypto\asn1\tasn_de
> c.c:566:Field=cert_info, Type=X509
> 2628:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:82:

>
> I am not sure what is wrong?
>
> Thanks for any help,
>
>

Verisign has been known to pack the server certificates in a PKCS#7 structure
which uses certificate PEM headers, if so you need to unpack them. Try:

openssl pkcs7 -in public.cer -print_certs -out certs.pem

then use the certificates in 'certs.pem' for the server.

If that doesn't help try posting the file you got back from Verisign.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: she...@drh-consultancy.demon.co.uk, PGP key: via homepage.

Steven R. Shourds

unread,

May 16, 2003, 8:20:28 PM5/16/03

to

That worked.

Now getting the following message in the ssl_error.log?

[Fri May 16 19:53:04 2003] [error] Unable to configure RSA server private
key
[Fri May 16 19:53:04 2003] [error] SSL Library Error: 185073780
error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch

Steve

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.478 / Virus Database: 275 - Release Date: 5/6/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.478 / Virus Database: 275 - Release Date: 5/6/2003

Dr. Stephen Henson

unread,

May 17, 2003, 6:33:45 AM5/17/03

to

On Fri, May 16, 2003, Steven R. Shourds wrote:

> That worked.
>
> Now getting the following message in the ssl_error.log?
>
> [Fri May 16 19:53:04 2003] [error] Unable to configure RSA server private
> key
> [Fri May 16 19:53:04 2003] [error] SSL Library Error: 185073780
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch
>

So its telling you the private key you have doesn't match the certificate you
have configured. This means that either the key or the certificate is wrong.

If the 'certs.pem' file you created in the previous step has more than one
certificate you have to use whichever one is the server certificate (the one
with the CN equal to the server host name).

Steven Shourds

unread,

May 17, 2003, 7:24:25 AM5/17/03

to

> On Fri, May 16, 2003, Steven R. Shourds wrote:
>
> > That worked.
> >
> > Now getting the following message in the ssl_error.log?
> >
> > [Fri May 16 19:53:04 2003] [error] Unable to configure RSA server
private
> > key
> > [Fri May 16 19:53:04 2003] [error] SSL Library Error: 185073780
> > error:0B080074:x509 certificate routines:X509_check_private_key:key
values
> > mismatch
> >
>
> So its telling you the private key you have doesn't match the certificate
you
> have configured. This means that either the key or the certificate is
wrong.
>
> If the 'certs.pem' file you created in the previous step has more than one
> certificate you have to use whichever one is the server certificate (the
one
> with the CN equal to the server host name).
>
> Steve.
> --
> Dr Stephen N. Henson.

There were two certificates in the file. I took out the second one and tried
again and got the same message. I then tried the following based on a
suggestion on the Verisign site to check the certificates and I assume that
since the Modulus is not the same the certificates do not match?

openssl rsa -noout -modulus -in PrivateKey.pem
Modulus=A9CAAF64D03....

openssl x509 -noout -modulus -in certs.pem
Modulus=A5D9D0C3F056...