Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)

By Digi-Sign
Created Feb 19 2008 - 10:32

SSL FAQ

Frequently Asked Questions on Digi-SSL™

The following are frequently asked questions about the most popular web servers that use Digi-SSL™ Secure Socket Layer [SSL] security.

Frequently Asked Questions - Apache

  • Do I need to install all the certificates that I received?
  • I have accidentally deleted my Private Key
  • I am being told that my Certificate/Key is invalid
  • Do I need to use IP based hosting or Name based hosting?
  • What is the difference between Apache Mod_SSL and OpenSSL when installing my certificate?
  • Can I change the IP address?
  • I get 'The Page Cannot Be Displayed' when going to the HTTPS page
  • Normal PC browsers work OK, but I get 'Not Trusted' messages when I go to the same page with the MAC
  • Error: "Data decryption error"
  • I get the message "There are secure and non-secure items on the page, Would you like to proceed?"
  • When I access my secure site, a certificate for another site is displayed
  • Browsers are saying that something is not trusted
  • I get an intermittent server not found message when trying to access my site
  • Error: "Unable to configure RSA server private key"
  • Error: "no start line:pem_lib.c" or "no end line:pem_lib.c"
  • Error: "OpenSSL: error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"



Do I need to install all the certificates that I received?

No. Apache users should use the bundle file from the support page instead of installing the Digi-Sign and GTE certificates separately:
http://www.digi-sign.com/support/digi-ssl/install+certificate/index [1]
If you do not install the bundle file, browsers will show 'not trusted' messages when you go to the secure area of your web site.

I have accidentally deleted my Private Key

First check your backups and see if you can re-install the Private Key. If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only remaining option is to have the certificate re-issued after submitting a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding Private Key, or the key that is found is not the one that matches the certificate.
You may also see this error: "OpenSSL: error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments. IP based hosting should be used because of the way the SSL protocol works: the server has to choose a certificate during the SSL handshake, before it can read the HTTP Host header.

What is the difference between Apache Mod_SSL and OpenSSL when installing my certificate?

There is no difference: the process is the same and the directives used are the same.

Apache fails on start up, what could cause this?

If the key file has a passphrase you need to remove it, as Apache cannot read an encrypted key on start-up. You can do that with the following command:
openssl rsa -in file1.key -out file2.key
file2.key will contain your unencrypted key.
If you used Mozilla to download the file, it may have saved the file in compressed format.

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [2].

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port open? This is usually port 443 (Listen 443).
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

Normal PC browsers work OK, but I get 'Not Trusted' messages when I go to the same page with the MAC

This is usually caused by the directive SSLCertificateChainFile being used instead of the SSLCACertificateFile directive.

Error: "Data decryption error"

This error message occurs because directives are missing from the httpd.conf file. Most web servers can be configured to 'talk' to various browser versions in different ways; the fix for this particular problem is to add the following directives to the httpd.conf file so that allowances can be made for Internet Explorer on the Mac:
SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

I get the message "There are secure and non-secure items on the page, Would you like to proceed?"

The message means that the page contains embedded objects or HTML tags whose absolute URLs are not secure. For example, a page that is loaded securely (HTTPS) contains an image tag in its source such as <img src="http://www.yyy.com/image.gif">. In this case the image is being requested with an absolute URL over the non-secure (HTTP) protocol.

When I access my secure site, a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be used.

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section. Check your .conf file to ensure that SSL Protocol version 3 is allowed.

I get an intermittent server not found message when trying to access my site

If the web server is set to check the Certificate Revocation List and the server hosting the list is down, the check can time out. This is not a problem with the certificates, but with the browser timing out on the operation.

When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally, the interaction between SSL and HTTP/1.1 features is problematic with some MSIE versions. You have to work around these problems by forcing Apache with Mod_SSL or OpenSSL not to use HTTP/1.1, keep-alive connections or SSL close notify messages with MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Additionally, some MSIE versions are also known to have problems with particular ciphers. Unfortunately you cannot work around these bugs only for those particular MSIE clients, because the ciphers are already used in the SSL handshake phase, so an MSIE-specific SetEnvIf does not solve these problems.
Instead you have to make more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects ALL of your clients.

Error: "no start line:pem_lib.c" or "no end line:pem_lib.c"

Apache-SSL uses a toolkit called OpenSSL for its security routines. OpenSSL is very particular about the format of certificate requests and certificates. This error is specifically related to the format of the certificate.

Check that there are 5 dashes before and after the BEGIN and END text, and they must form the first and last lines of the certificate.
In particular, the BEGIN and END lines must look like:

-----BEGIN CERTIFICATE-----
Encoded Certificate
-----END CERTIFICATE-----

Be careful when you cut and paste the certificate from the browser window into a text editor to create the certificate text file.
Make sure you remove any trailing spaces before and after the BEGIN or END lines, or you will see this error.
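
As an added example (not part of the Digi-Sign page), a small POSIX shell script that applies these layout checks to a certificate file before Apache sees it, so the reason is reported instead of a bare "no start line" error; the file names and the sample body it constructs are made up.

```shell
#!/bin/sh
# Added example, not from the Digi-Sign page: check the layout of a PEM
# certificate file before giving it to Apache, so that the copy-and-paste
# damage behind "no start line" / "no end line" is reported with a reason
# instead of an OpenSSL error. File names and the sample body are made up.

ARMOUR_BEGIN="-----BEGIN CERTIFICATE-----"
ARMOUR_END="-----END CERTIFICATE-----"

# pem_lint FILE: prints the first problem found and returns 1, or prints
# "ok" and returns 0.
pem_lint() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    # Trailing blanks, or the CR of Windows CR LF line endings, make the
    # armour lines unrecognisable to OpenSSL's PEM reader.
    if grep -q '[[:space:]]$' "$f"; then
        n=$(grep -n '[[:space:]]$' "$f" | head -n 1 | cut -d: -f1)
        echo "trailing whitespace or CR on line $n (save as plain text, no trailing spaces)"
        return 1
    fi
    # The BEGIN/END lines need exactly five dashes and must be the first
    # and last lines of the file.
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    if [ "$first" != "$ARMOUR_BEGIN" ]; then
        echo "first line is not '$ARMOUR_BEGIN': '$first'"
        return 1
    fi
    if [ "$last" != "$ARMOUR_END" ]; then
        echo "last line is not '$ARMOUR_END': '$last'"
        return 1
    fi
    # Everything in between must be non-empty base64.
    body=$(sed '1d;$d' "$f")
    if [ -z "$body" ]; then
        echo "no certificate data between BEGIN and END"
        return 1
    fi
    if ! printf '%s\n' "$body" | base64 -d >/dev/null 2>&1; then
        echo "text between BEGIN and END is not valid base64"
        return 1
    fi
    echo "ok: $f"
}

# make_samples DIR: constructed test files. The body is a base64 placeholder,
# not a real certificate. good.crt is well-formed; crlf.crt has Windows line
# endings and a space after END; dashes.crt has four dashes instead of five.
make_samples() {
    d="$1"; mkdir -p "$d" || return 1
    body=$(printf 'constructed placeholder, not a real certificate' | base64)
    printf '%s\n'   "$ARMOUR_BEGIN" "$body" "$ARMOUR_END"  > "$d/good.crt"
    printf '%s\r\n' "$ARMOUR_BEGIN" "$body" "$ARMOUR_END " > "$d/crlf.crt"
    printf '%s\n'   "----BEGIN CERTIFICATE----" "$body" "----END CERTIFICATE----" > "$d/dashes.crt"
}

# Usage: sh pemlint.sh FILE
if [ "$#" -eq 1 ]; then
    pem_lint "$1"
fi
```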

Error: "Unable to configure RSA server private key"

Specify the correct private key for the certificate.

Compare the modulus of certificate against the modulus of the private key to see if they match by using the following commands:

To view the certificate modulus:

openssl x509 -noout -text -in certfile -modulus

To view the key:

openssl rsa -noout -text -in keyfile -modulus

Check that the certificate and private key are saved as plain text (for example in Notepad) and that they have no trailing spaces.

The "modulus" and "public exponent" portions in the key and the certificate must match exactly.

Error: "OpenSSL: error:0B080074:x509 certificate routines: x509_check_private_key: key values mismatch"

This error message occurs if you are using the incorrect certificate or private key during installation. So you need to use the matching key and certificate files. To check that the public key in your cert matches the public portion of your private key, view both files, and compare the modulus values with the following instructions:

To view the certificate:
openssl x509 -noout -text -in certfile

To view the key:
openssl rsa -noout -text -in keyfile

The "modulus" and "public exponent" portions in the key and the certificate must match exactly. If the modulus values do not match exactly, then you are using either the incorrect private key or the incorrect certificate.

Frequently Asked Questions - IIS 5.x & 6.0

  • Do I need to install all the certificates that I received?
  • I have accidentally deleted my "pending request" or "private key"
  • I am being told that my Certificate/Key is invalid
  • Do I need to use IP based hosting or Name based hosting?
  • I get 'The Page Cannot Be Displayed' when going to the HTTPS page
  • I get the message "There are secure and non-secure items on the page? Would you like to proceed?"
  • Can I change the IP address?
  • When I access my secure site, a certificate for another site is displayed
  • Browsers are saying that something is not trusted
  • Error:'This page must be viewed over a secure channel'
  • I get an intermittent server not found message when trying to access my site.
  • How do I back up my private key in IIS 5?
  • How do I move the certificate and key from IIS5 to Apache?
  • How do I force SSL for specific pages?
  • How do I export the key in IIS 5?
  • How do I import the server certificate in IIS 5?
  • How do I create a renewal CSR in IIS 5?
  • Error: "The string contains an invalid X470 name, attribute key, OID, value or delimiter"
  • Error: "The pending certificate request for this response file was not found. This request may be cancelled. You cannot install selected response certificate using this Wizard"
  • My browser stopped responding to my SSL server, other browsers can connect from a different location?
  • How do I backup the certificate and key in IIS5?


Do I need to install all the certificates that I received?

Yes, if you do not install all the received certificates you will receive not trusted messages when you go to the secure area of your web site.

I have accidentally deleted my "pending request" or "private key"

First check your backups and see if you can re-install the "pending request" or "private key". If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only remaining option is to have the certificate re-issued after submitting a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding 'private key' or 'pending request' or the key that is found is not the one that matches the certificates.

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments. IP based hosting should be used because of the way the SSL protocol works: the server has to choose a certificate during the SSL handshake, before it can read the HTTP Host header.

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port open? This is usually port 443.
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

The message means that the page contains embedded objects or HTML tags whose absolute URLs are not secure. For example, a page that is loaded securely (HTTPS) contains an image tag in its source such as <img src="http://www.yyy.com/image.gif">. In this case the image is being requested with an absolute URL over the non-secure (HTTP) protocol.

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [2].

When I access my secure site, a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section.

Error: 'This page must be viewed over a secure channel'

Microsoft IIS is configured to require a secure channel.
The following steps will allow non-secure (http) connections to your site:
Within Microsoft Internet Information Server, right click on your web site.
Under Secure Communications, click on Edit.
Un-check the box that says 'Require Secure Channel'

I get an intermittent server not found message when trying to access my site

If the web server is set to check the Certificate Revocation List and the server hosting the list is down, the check can time out.
This is not a problem with the certificate, but with the browser timing out on the operation.

How do I back up my private key in IIS 5?

Start, run, type mmc

Go into the Console Tab, Add/Remove Snap in

Click on Add, Double Click on Certificates and Click on Add > OK

Choose Computer Account

Choose Local Computer

Open up the Certificates Console Tree

Look for a folder labelled REQUEST, then select Certificates

Highlight the key that you wish to back up

Right click on the file and choose, All Tasks, Export

Follow the Certificate Export Wizard

Choose to mark the Private key as exportable

Leave default settings

Choose to save file on a set location.

Click Finish

You will get message that the export was successful

Note: Once the Pending Request is completed the Key is no longer available

How do I move the certificate and key from IIS5 to Apache?

Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Do not choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Copy the resulting .pfx file to your Apache web server.

Then import the private key and cert file into Apache using the following commands:

openssl pkcs12 -in mypkcs12.pfx -out pfxoutput.txt

You'll need to enter the password at least once.

Load pfxoutput.txt into a text editor and save each certificate as a separate file.
Also save the private key as a separate file (e.g. myencrypted.key).

The private key will probably be encrypted at this point, i.e. it looks something like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,.........
.........
-----END RSA PRIVATE KEY-----

If the version of Apache you're using doesn't allow encrypted private keys, decrypt the private key with the following command:

openssl rsa -in myencrypted.key -out my.key
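
As an added example covering both this .pfx conversion and the modulus comparison in the Apache FAQs above (it is not code from the Digi-Sign page), a POSIX shell script that checks a certificate against a private key with openssl and splits a .pfx straight into separate key, certificate and chain files; it assumes the openssl command-line tool is installed and uses made-up file names.

```shell
#!/bin/sh
# Added example, not from the Digi-Sign page: verify that a certificate and a
# private key belong together (the modulus comparison from the "key values
# mismatch" FAQ) and split a PKCS#12 (.pfx) export into the separate PEM files
# Apache needs, without hand-editing the text dump. Requires the openssl CLI;
# all file names below are made up.

# keypair_matches CERT KEY [PASSPHRASE]
# Compares the RSA modulus printed by "openssl x509 -modulus" with the one
# printed by "openssl rsa -modulus". Returns 0 on match, 1 on mismatch and
# 2 if either file cannot be read (wrong format, wrong passphrase, ...).
keypair_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    [ -n "$cert_mod" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin "pass:${3:-}" 2>/dev/null || true)
    [ -n "$key_mod" ] || { echo "cannot read private key: $2" >&2; return 2; }
    if [ "$cert_mod" = "$key_mod" ]; then
        echo "match: $1 and $2 share the same modulus"
        return 0
    fi
    echo "mismatch: $2 is not the private key for $1" >&2
    return 1
}

# pfx_split PFX OUTDIR [PASSPHRASE]
# Extracts OUTDIR/site.key (unencrypted, so Apache can start unattended),
# OUTDIR/site.crt (the server certificate) and OUTDIR/chain.crt (any CA
# certificates that were included in the export).
pfx_split() {
    pfx="$1"; out="$2"; pw="${3:-}"
    mkdir -p "$out" || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes -out "$out/site.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys -out "$out/site.crt" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys -out "$out/chain.crt" 2>/dev/null || return 1
    # The key is now stored in the clear: keep it readable by its owner only.
    chmod 600 "$out/site.key"
}

# make_demo DIR: constructed test data, not a real site's material. Creates a
# key, a self-signed certificate for it, an unrelated key, and a
# password-protected .pfx like the one exported from the IIS certificates MMC.
make_demo() {
    d="$1"; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.com" \
        -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/site.key" -in "$d/site.crt" \
        -passout pass:secret -out "$d/mypkcs12.pfx" 2>/dev/null
}

# Usage: sh keycheck.sh CERT KEY [PASSPHRASE]
if [ "$#" -ge 2 ]; then
    keypair_matches "$1" "$2" "${3:-}"
fi
```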

How do I force SSL for specific pages?

To use ASP to force SSL for specific pages follow the directions at the following url:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239875 [3]

How do I export the key in IIS 5?

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/support/kb/articles/Q232/1/36.ASP [4]

How do I import the server certificate in IIS 5?

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP [5]

How do I create a renewal CSR in IIS 5?

Create a new web site in IIS, then go to the 'Properties', 'Directory Security', 'Server Certificate' tab.

Use the certificate wizard to create your new Key/CSR file

Backup the private key file by following the instructions:

Start, run, type mmc, select OK

Go into the Console Tab, Add/Remove Snap in

Click on "Add". Double Click on "Certificates" and Click on "Add", click "OK"

Choose Computer Account, then Local Computer

Open up the Certificates Console Tree

Look for a folder called REQUEST, Certificates

Highlight the key that you wish to back up

Right click on the file and choose, All Tasks, Export

Follow the Certificate Export Wizard

Choose to mark the Private key as exportable

Leave default settings

Choose to save file on a set location.

It is important to take a copy of the private key and store it off the server, in the event that the server crashes.

Click Finish

You will get message that the export was successful

Save the resultant CSR file to your hard drive indicating it is a renewal CSR

Use this CSR during the purchase process.

Once you receive the renewed certificate, install it using the wizard you used to create it
on the same NEW website you created.

Once installed, go to the correct website you want the certificate to run on.

Go to 'Properties', 'Directory Security', 'Server Certificate', remove the certificate currently installed, and assign the certificate you installed in the previous step

Restart the WWW service

Error: "The string contains an invalid X470 name, attribute key, OID, value or delimiter"

To avoid this error, create a new certificate and verify that there are no special characters in any of the fields in the distinguished name.

In particular, do not include a comma in the company name.

The following characters are not allowed in any of the CSR fields:
[! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']

Error: "The pending certificate request for this response file was not found. This request may be cancelled. You cannot install selected response certificate using this Wizard"

You are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard. Microsoft IIS 5 only allows you to make one request per site. If you create a new CSR for the same website, your original request (and private key) will be overwritten.
If you have a backup of the private key, you can install the certificate via the MMC if you can restore the request to the REQUEST folder.
Unless you can find the matching private key for the certificate, you will need to have the certificates reissued.

My browser stopped responding to my SSL server, other browsers can connect from a different location?

Microsoft has released a fix for this error. Please refer to the relevant knowledge base article Q285821, which can be found at the following url:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285821 [6]

How do I backup the certificate and key in IIS5?

Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Save the .pfx file in a safe place off the server.

Frequently Asked Questions - Cobalt Raq

  • I have accidentally deleted my Private Key
  • I am being told that my Certificate/Key is invalid
  • Do I need to use IP based hosting or Name based hosting?
  • Cobalt (Apache) fails on start up, what could cause this?
  • Error: "Data decryption error"
  • I get the message "There are secure and non-secure items on the page? Would you like to proceed?"
  • Can I change the IP address?
  • When I access my secure site, a certificate for another site is displayed
  • Browsers are saying that something is not trusted
  • I get an intermittent server not found message when trying to access my site
  • When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?


I have accidentally deleted my Private Key

First check your backups and see if you can re-install the Private Key. If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only remaining option is to have the certificate re-issued after submitting a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding Private Key, or the key that is found is not the one that matches the certificate.
You may also see this error: "OpenSSL: error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments.
IP based hosting should be used because of the way the SSL protocol works: the server has to choose a certificate during the SSL handshake, before it can read the HTTP Host header.

Cobalt (Apache) fails on start up, what could cause this?

If the key file has a pass phrase you need to remove it, as Apache cannot read an encrypted key on start-up. You can do that with the following command:
openssl rsa -in file1.key -out file2.key
file2.key will contain your unencrypted key.
If you used Mozilla to download the file, it may have saved the file in compressed format.

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port open? This is usually port 443 (Listen 443).
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

Error: "Data decryption error"

This error message occurs because directives are missing from the httpd.conf file. Most web servers can be configured to 'talk' to various browser versions in different ways; the fix for this particular problem is to add the following directives to the httpd.conf file so that allowances can be made for Internet Explorer on the Mac:
SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

The message means that the page contains embedded objects or HTML tags whose absolute URLs are not secure. For example, a page that is loaded securely (HTTPS) contains an image tag in its source such as <img src="http://www.yyy.com/image.gif">. In this case the image is being requested with an absolute URL over the non-secure (HTTP) protocol.

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.digi-sign.com [2].

When I access my secure site, a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section.
Also ensure that SSL Protocol version 3 is supported.
The bundle file must also be specified in the Global SSL section of the .conf file.

I get an intermittent server not found message when trying to access my site

If the web server is set to check the Certificate Revocation List and the server hosting the list is down, the check can time out.
This is not a problem with the certificate, but with the browser timing out on the operation.

When I connect via HTTPS to an Apache with Mod_SSL or OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally, the interaction between SSL and HTTP/1.1 features is problematic with some MSIE versions. You have to work around these problems by forcing Apache with Mod_SSL or OpenSSL not to use HTTP/1.1, keep-alive connections or SSL close notify messages with MSIE clients. This can be done by using the following directive in your SSL virtual host section:

Open the file with any text editor and carefully insert the code piece below in the appropriate place, around the directive for "SSLengine on", you may have to insert it in both the IF and the ELSIF portions of the setup:

$PerlConfig .= "Listen $ip:443\n";
$PerlConfig .= "\n";

# ------------- INSERT THIS CODE -------------
# One SetEnvIf directive, built from three string pieces for readability;
# it must end up on a single line in the generated configuration.
$PerlConfig .= "SetEnvIf User-Agent \".*MSIE.*\" "
             . "nokeepalive ssl-unclean-shutdown "
             . "downgrade-1.0 force-response-1.0\n";
# ------------- END INSERT -------------------

$PerlConfig .= "SSLengine on\n";
$PerlConfig .= "SSLCertificateFile /home/sites/$group/certs/certificate\n";
$PerlConfig .= "SSLCertificateKeyFile /home/sites/$group/certs/key\n";
$PerlConfig .= join('', @ssl_conf);

Additionally, some MSIE versions are also known to have problems with particular ciphers. Unfortunately one cannot work around these bugs only for those particular MSIE clients, because the ciphers are already used in the SSL handshake phase, so an MSIE-specific SetEnvIf does not solve these problems. Instead one has to make more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all (!) your clients, i.e. also your non-MSIE clients.

Frequently Asked Questions - Webstar

  • What format do I need the certificates in to load them using Webstar V4?
  • What format do I need the certificates in to load them using Webstar V5?
  • Error: "bad unsupported format" when importing certificate.
  • Error: "Netscape cannot communicate securely with this server. No common encryption algorithms"


What format do I need the certificates in to load them using Webstar V4?

The certificates must be provided in a single chain file in Netscape format. Please request this from support@digi-sign.com [7]

What format do I need the certificates in to load them using Webstar V5?

The certificates must be provided in a single text file in this order:

The customer certificate
Digi-SignClass3CA.cer
GTECyberTrustRootCA.cer
And there MUST be a blank line between each

-----END CERTIFICATE-----
and
-----BEGIN CERTIFICATE-----

Error: "bad unsupported format" when importing certificate

This error happens when using the Certificate Extractor utility. If you do not use the extractor to import the certificate, it should work OK.

Error: "Netscape cannot communicate securely with this server. No common encryption algorithms"

This error is a known bug in earlier versions of 4D Webstar Server Suite/SSL. You should upgrade to the latest version, and make sure all fixes and updates have been applied.

If you are using the latest version, check that your SSL settings are correct. The server should be listening on Port 443 for SSL connections, and have the correct certificate and key file specified. Enable all ciphers. If you have not set up your server correctly for SSL, you may receive this error.

Source URL: http://www2.digi-sign.com/support/digi-ssl/faq/index

Links:
[1] http://www.digi-sign.com/support/digi-ssl/install+certificate/index
[2] http://www.digi-sign.com
[3] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239875
[4] http://support.microsoft.com/support/kb/articles/Q232/1/36.ASP
[5] http://support.microsoft.com/support/kb/articles/Q232/1/37.ASP
[6] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285821
[7] mailto:support@digi-sign.com