SSL 不适用于 Windows 上的 Apache

Question

我正在使用来自必须在 Windows 上使用 Apache 的供应商的产品。

我们有自己的 CA。

出于命名目的：

AppServer - Server2012r2 - Apache 2.4

OldCertsha1 - Server2012r2

NewCertsha2 - Server2012r2

我使用以下两个命令在 AppServer 上创建了 CSR。

genrsa –des3 –out name.sub.domain.com.key 2048

req –new –key name.sub.domain.com.key –out name.sub.domain.com.csr

一切顺利

req -noout -text -in name.sub.domain.com.csr
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=name.sub.domain.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus (2048 bit):
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                321:rf
            Exponent: 65537 (0x10001)
    Attributes:
        a0:00
Signature Algorithm: sha1WithRSAEncryption
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
    aa:e4:b7:1d

然后在CA服务器上

https://NewCertsha2/CertSrv

申请证书

高级证书请求。

使用 base-64 编码的 CMC 或 PKCS #10 文件提交证书请求，或使用 base-64 编码的 PKCS #7 文件提交续订请求。

在 AppServer 上打开 CSR 并将 CSR 信息粘贴到框中

-----BEGIN CERTIFICATE REQUEST-----
MIIC0zCCAbsCAQAwgY0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaWNoaWdhbjER
MA8GA1UEBxMIRGVhcmJvcm4xFjAUBgNVBAoTDWRmY3VmaW5hbmNpYWwxDDAKBgNV
BAsTA2l2cjEyMDAGA1UEAxMpcDAxMWRjMDEtY3JlYzAzLmNlbnRyYWwuZGZjdWZp
bmFuY2lhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCej1o0
EEq6UcgB4uhr9bYzA4u8pvxvaCE0JXCqW/8m8D2DBHnJFA2Ui4kEjQlKy1eRTfE0
6lRmowrsJVvvlz0pfsdfghksdkjfgsjskhgfksgfdfmjwHd1D/Bgg60AOPmUBIFl
rgaGcw9CasdkjlhaslkdjhsaklfjhdsfkhsldfjhsdlkjfhdlFOoGVtQdgticLqy
dzpLnAnqwezEnsdflsjhdfksdkfjhwsdkfjhLqKDx1b0z1n7tV4F8DS261dmm8+r
ONz9oYqZfdAFu55gG7sHgOn14P5gP2QIoV/c6CJ2hzbtlifKmZp2A+9F/csXTMIJ
w2sgfQzgv+UPEkH9AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAMwjmg96iCLnB
uTF4LOoeA788NAt9cYdsWuaUsHptnw70Mj5wWIiaZYgY0hCvWPezRsgOfFrWinN0
y4n0trlyEYXJquBKZbxJZ2yscNMqOJyKl70Ckb83IwpIdhxRYr0JZffEmFlx+2yv
4rhFquS3HZpWtCLopRroQx1v74bYGZHBiz2cM4peowzqGrs8r5NKYYqLRiH00VTs
GEEB+Rihen4tnrn0Y1KLkumrSOrTghIrpQ0j2MZrmvhAIlcZ0W+6bJQcbl0lQ3Hv
STaH9EyIj+47jpMhpfazRPOjSDdFiokjchVDS0Wj/iQJlNDurU7xd+570gduZfcF
M4YoMCwv7Q==
-----END CERTIFICATE REQUEST-----

模板 Web 服务器（10 年）

在这里我有两个选择

DER 编码或 Base 64 编码

无论我选择哪一个它都会下载一个 .cer 和一个 .p7b 文件

我在 OldCertsha1 服务器上做了同样的步骤，我得到了同样的结果

当我编辑 httpd-ssl.conf 文件时添加以下内容并重新启动 Apache2.4 服务

SSLCertificateFile "E:/Apache24/conf/Certs/name.sub.domain.com.crt"

SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"

我收到以下错误，不同类型的错误来自上述选择（DER 编码或 Base 64 编码）：

DER 编码：

[Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] (OS 10061)No connection could be made because the target machine actively refused it.  : AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
[Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Wed Jan 11 08:37:44.471616 2017] [proxy_http:error] [pid 4804:tid 1780] [client ::1:61346] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://name.sub.domain.com/knoahsoft/faces/client/index1.jspx?_afPfm=5600447c
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

Base 64 编码：

[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

我读了几篇文章说 CER 和 CRT 文件可以互换，只需重命名它们。

如果我将 cer 重命名为 crt 并更新 httpd-ssl.conf，那么我会在日志中收到很多错误，大约 100 个：

[Wed Jan 11 14:06:43.943865 2017] [autoindex:error] [pid 70976:tid 1784] [client 10.1.41.110:50933] AH01276: Cannot serve directory E:/KnoahSoft/EmpPhotos/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

现在供应商将他们在交付盒子时加载的 server.crt、server.cre、server.csr 和 server.key 文件放入，如果我将 httpd-ssl.conf 中的两行更改回他们拥有的内容，它将重新启动很好，一切正常，但我收到 SSL 警告

SSLCertificateFile "E:/Apache24/conf/Certs/server.crt"

SSLCertificateKeyFile "E:/Apache24/conf/Certs/server.key"

有人可以告诉我我可能做错了什么，如果您需要查看配置，只需问我会放上来。

更新：

我带着他们的 server.csr 打开了 OldCertsha1 和 NewCertsha2 上的 CertSrv 页面，当我使用 Web 服务器 Web 服务器（10 年）模板时，出现错误：

Your Request Id is 118. The disposition message is "Denied by Policy Module The certificate validity period will be shorter than the WebServer(10Years) Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period. ". 

然后我尝试了 Web 服务器（5 年）相同的错误然后我厌倦了（Web 服务器）没有收到错误并下载了 DER 编码或 Base 64 编码的 cer 和 p7b 文件。

将 Base 64 编码的 server.cer 更改为 server.crt，将旧的 server.crt 重命名为 server1.crt 并重新启动 apache，

没有错误完美地工作，

为什么？我从一开始就做错了什么？

这是我第一次使用 SSL 和 apache 并使用我自己的 CA，我做错了什么？我能想到的唯一想法是我使用了 Web 服务器（10 年）模板，但这对我来说真的没有意义。

如果我查看两个 crt 文件，它们都有相同的信息

该证书用于以下目的

• 确保远程计算机的身份

颁发给：name.sub.domain.com

发布者：OldCertsha1

与常规选项卡唯一真正的区别是有效期多长，我的 csr 中的 cst 有效期为 10 年，他们 csr 中的 crt 有效期为 2 年。

我将更深入地研究 SSL 的其他部分，看看明天是否能找到差异。

Answer 1

首先，Apache 将始终使用 base64，文件扩展名无关紧要（pem、crt、cer）。

其次，您颁发证书的时间不能超过证书颁发机构。

10 年有点长，看到浏览器开始将它们标记为不安全，我不会感到惊讶。

如果您仍然拥有已颁发的证书，则可以使用 openssl 对其进行验证。

https://security.stackexchange.com/a/56699/84379

Answer 2

到处都是 Base 64，请:-)。

你的 httpd.conf 行

SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"

正在指定加密的密钥文件。Windows 上的 Apache 不支持在运行时提供解密密码...请参阅错误日志行：

[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog 内置在 Win32 上不受支持（密钥文件 E:/Apache24/conf/Certs/ domain.com.key)

您必须预先解密您的密钥文件：

openssl rsa -in name.sub.domain.com.key -out name.sub.domain.com.decryped.key

询问时提供密码。更正 httpd.conf 并重新启动 Apache。