
SSL Certificate is not loading on HTTPS - IDM


Article ID: 199930


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

When deploying the certificate issued from the CSR and its key, the Virtual Appliance (vApp) logs the following error at the end of the Apache start, without any additional information about the cause:

/opt/CA/VirtualAppliance/custom/apache-ssl-certificates > sudo /etc/init.d/httpd stop
[INFO] Configuring the following IP address in Apache configuration: <ip-address>
Stopping httpd:                                            [  OK  ]
/opt/CA/VirtualAppliance/custom/apache-ssl-certificates > sudo /etc/init.d/httpd start
[INFO] Configuring the following IP address in Apache configuration: <ip-address>
Starting httpd: [Thu Sep 17 12:13:45 <Year>] [warn] module ssl_module is already loaded, skipping
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server CA_IMAG_VAPP:443 (RSA)
Enter pass phrase: <Phassphrase> <Enter>

OK: Pass Phrase Dialog successful.
                                                           [FAILED]

Cause

The documentation topic "Replacing Virtual Appliance Web UI SSL Certificate" calls for a different command, sudo /etc/init.d/httpd reload, but running that command does not help here either.

To find the reason, go to the folder /var/log/httpd/ and cat the file ssl_vappAdminUI_log:

[Mon Month 21 10:56:27 YYYY] [warn] RSA server certificate CommonName (CN) `hostname.domainname' does NOT match server name!?
[Mon Month 21 10:56:27 YYYY] [error] Unable to configure RSA server private key
[Mon Month 21 10:56:27 YYYY] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Use the following commands to check whether the certificate and the key produce the same hash:

openssl x509 -in localhost.crt -noout -modulus | openssl sha1
openssl rsa -in localhost.key -noout -modulus | openssl sha1


Environment

Release : 14.3

Component : IdentityMinder(Identity Manager)

Resolution

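Check that the certificate and the private key match: the following two commands must print the same hash. If the hashes differ, the certificate does not belong to this key, which is what the "key values mismatch" error reports.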

openssl x509 -in localhost.crt -noout -modulus | openssl sha1
openssl rsa -in localhost.key -noout -modulus | openssl sha1
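
An added example, not part of the original article or the product's own tooling: the modulus comparison above applies to RSA keys only, so this script goes a step further and compares the full public key, which also covers non-RSA and encrypted keys. The function names, the KEY_PASS variable, the script file name and the sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example. Compares the public key inside a certificate with the public
# half of a private key; works for RSA and non-RSA keys alike.

pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# For an encrypted key, set KEY_PASS (name assumed here) to the pass phrase.
pubkey_of_key() {
    if [ -n "${KEY_PASS:-}" ]; then
        KEY_PASS="$KEY_PASS" openssl pkey -in "$1" -pubout -passin env:KEY_PASS 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: a self-signed certificate with its key, an
# unrelated key, and an encrypted copy of the matching key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=vapp.example.test" \
        -days 1 -keyout "$1/localhost.key" -out "$1/localhost.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1 &&
    openssl pkey -in "$1/localhost.key" -aes256 -passout pass:constructed \
        -out "$1/encrypted.key" >/dev/null 2>&1
}

# Usage (file name assumed): sh check_pair.sh localhost.crt localhost.key
if [ "$#" -eq 2 ]; then
    rc=0
    pair_matches "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: certificate and key match" ;;
        1) echo "MISMATCH: certificate was not issued for this key" ;;
        *) echo "ERROR: could not read certificate or key" ;;
    esac
    exit "$rc"
fi
```

Run it against the certificate and key before restarting httpd, so a mismatched pair is caught without taking the web UI down.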


Additional Information

External reference: https://unix.stackexchange.com/questions/107952/apache-rsa-server-certificate-cn-does-not-match-server-name-error