Dear mod_ssl'ers,

I have in my possession a diskette on which I backed up my Thawte CRT file (at least I'm bright enough to have done that... but at the time I didn't know that I would need to have backed up TWO files... anyhow...). It has been successfully installed previously on a SuSE Linux 7.1 server. The box crashed hard last weekend (fortunately, it was not quite yet a production server). I could not get that fairly old P-100 system to come back up. Everything I tried failed. Apparently, it took a hit on a memory chip or something critical to the system such that it could not be rebooted. I pulled hair for about a day while searching the SuSE site, and the entire Inet, for crash recovery routines on a SuSE box. No magical answer appeared. I made the decision to upgrade.
Now I have installed SuSE 7.3 on this new server and I need to reinstall my CERT. I have the securedomainname.crt file in my possession on a diskette but I do not have the original securedomainname.key file, or the securedomainname.csr file (because I trust servers to never crash?). The files are gone now as I have completely reformatted that system during the new install. I have gone through the steps at http://www.thawte.com/ucgi/gothawte.cgi?a=e380614470105000 to generate a new server.key and server.csr file. Since I am running Apache 2.0.35, I modified my /usr/local/apache2/conf/ssl.conf file to access the new .key and OLD .crt file. It appears to work through the ssl.conf file just fine and then dies with a mismatch error. The entries I made look like this:

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/securedomainname.crt (the old file from Thawte, copied over from diskette)
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/securedomainname.key (a new file)

Of course, perhaps critical to this routine is whether I answered the questions EXACTLY the same during the creation of the NEW securedomainname.csr file. It's possible, but I'm not 100% certain. When I attempt to fire up with ./apachectl startssl the system prompts me for a passphrase and it accepts it. I did NOT enter a passphrase when I requested my original Thawte CERT. I don't know if this is critical (i.e. is my passphrase encrypted into the CSR file and they use this as part of the generation of my private .crt file?). Anyhow, when I ATTEMPT to fire up with ./apachectl startssl the system prompts with

<Some of your private key files are encrypted for security reasons. In order to read them, you have to provide us with the pass phrases. securedomainname.com:443(RSA)>

I enter the pass phrase, and it returns <Ok: Pass Phrase Dialog successful> and then I get an "Unable to start httpd" error message. I checked the /logs/error_log file where there is a record of a grumble...
<yadda, yadda, yadda, .... key values mismatch>.

Rather than spend hours attempting to make new .key and .csr files, and then to "trick" the system into accepting my old .crt file, I need to ask the question whether this is even feasible. Was my original KEY file generated with a random seed routine that made it so that when I sent my CSR file to Thawte, I cannot ever create a KEY file on this server that would match to my old CRT? NOW that I see their caveat, "Now PLEASE backup your www.xxx.com.key and make a note of the passphrase. Losing your key will cost you money!" I imagine this is why this can't be done, but I have to pose the question, just to be sure. No use spending another 100 bucks if I don't have to.

TIA, Baffled and UNCERTIFIED on CRTs, I remain...

Andrew Lietzow
The ACL Group, Inc.
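The "key values mismatch" error above is mod_ssl noticing that the public key inside the certificate is not the public half of the key file it was given. The following script, an added example that is not part of the original post or of mod_ssl, makes the same comparison from the command line so a mismatch can be caught before editing ssl.conf; it assumes the openssl CLI is installed, and the file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from mod_ssl: decide whether
# a private key and a certificate belong to the same key pair before you
# point SSLCertificateFile / SSLCertificateKeyFile at them. Assumes the
# openssl CLI is installed; file names below are constructed for the demo.
set -e

# cert_key_match CERT KEY [PASSIN]
#   returns 0 if the public key embedded in CERT equals the public half of
#   KEY, 1 if they differ (what mod_ssl reports as "key values mismatch"),
#   2 if either file cannot be read. PASSIN is an openssl -passin source
#   such as pass:secret for an encrypted key; it defaults to an empty pass
#   so an encrypted key fails fast instead of prompting on the terminal.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" -passin "${3:-pass:}" 2>/dev/null) || return 2
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# demo_setup: create a throwaway key, a self-signed cert issued for it, and a
# second key generated afresh (as the poster did after the crash). Prints the
# directory holding the constructed files.
demo_setup() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/original.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/original.key" -days 1 \
        -subj "/CN=securedomainname.example" -out "$dir/original.crt" 2>/dev/null
    openssl genrsa -out "$dir/regenerated.key" 2048 2>/dev/null
    printf '%s\n' "$dir"
}

# Run with "demo" as the first argument to see both outcomes.
if [ "${1:-}" = "demo" ]; then
    d=$(demo_setup)
    cert_key_match "$d/original.crt" "$d/original.key" && echo "original.key: match"
    cert_key_match "$d/original.crt" "$d/regenerated.key" || echo "regenerated.key: no match"
    rm -rf "$d"
fi
```

Because the certificate binds the public key that was in the original CSR, a freshly generated key will never pass this check, no matter how exactly the CSR questions are answered again.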