Thu, 27 Oct 2005

Using a Verisign SSL Certificate with mod-ssl

I received a Verisign-signed SSL certificate today. When trying to install it under Apache/mod-ssl, I got the following errors:
[Thu Oct 27 12:18:26 2005] [error] mod_ssl: Init: Unable to read server certificate from file /www/.../www.example.com.crt (OpenSSL library error follows)
[Thu Oct 27 12:18:26 2005] [error] OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Oct 27 12:18:26 2005] [error] OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

I got a similar error when trying to inspect the certificate using openssl directly:
$ openssl x509 -in www.example.com.crt -noout -text
unable to load certificate
32741:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
32741:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF
32741:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
32741:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

Thanks to Dr. Henson on the OpenSSL mailing list, I discovered that the certificate was packed in the PKCS#7 format. So, after converting the certificate using the following command, openssl was able to read the certificate:
openssl pkcs7 -in www.example.com.crt -print_certs -out www.example.com.crt.new
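
Added example (not part of the original post): a standard-library Python check that reads the first DER tags inside a PEM file to tell an X.509 certificate from a PKCS#7 bundle, which is the mismatch behind the "wrong tag" / Type=X509_CINF errors above. The function names and byte stubs are constructed for illustration; the stubs are minimal DER headers, not real certificates.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

# Constructed stubs: just enough leading DER to classify, not real certificates
STUB_X509 = bytes.fromhex("3005" "3003" "020101")
STUB_PKCS7 = bytes.fromhex("300d" "0609" "2a864886f70d010702" "a000")

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pem_body(text):
    """Return (label, DER bytes) of the first PEM block in text."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def classify(text):
    """Classify by DER structure, ignoring what the PEM label claims."""
    label, der = pem_body(text)
    tag, start, _ = read_tlv(der)
    if tag != 0x30:                        # both formats start with a SEQUENCE
        return label, "unknown"
    inner, v0, v1 = read_tlv(der, start)
    if inner == 0x30:                      # Certificate: first field is tbsCertificate SEQUENCE
        return label, "x509"
    if inner == 0x06 and der[v0:v1] == OID_SIGNED_DATA:
        return label, "pkcs7"              # ContentInfo: first field is the contentType OID
    return label, "unknown"

def make_pem(label, der):
    """Wrap DER bytes in a PEM block with the given label."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    for stub in (STUB_X509, STUB_PKCS7):
        print(classify(make_pem("CERTIFICATE", stub)))
```

A file that classifies as pkcs7 is a candidate for the openssl pkcs7 -print_certs conversion shown above.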
