CAE 7.8 Apache Server certificate (ca-bundle.crt) update needed for SSL
Regular Advisor
Lyle Blosser
Posts: 186
Registered: ‎06-19-2006
Message 1 of 5 (454 Views)
Accepted Solution

I am trying to enable SSL in a CAE 7.8 Core-Satellite environment. Everything as far as configuration through the Core and Satellite consoles seems to work, but the Configuration Server log shows a complaint that the Apache Server being used has an expired certificate (ca-bundle.crt).

When I check the actual certificate file, it is indeed expired (as of 10.23.2011). My question is: How do I get that certificate renewed or get a new one installed so that I can use SSL in my environment? I can find nothing on managing the Apache Server certificate in any reference manuals.

Any assistance or insight is appreciated.

Regards,

Lyle Blosser

Valued Contributor
Shanti Yajnik
Posts: 160
Registered: ‎06-29-2010
Message 2 of 5 (450 Views)

Hi,

You may just delete the offending certificate from the ca-bundle.crt (it is a text file). If it is the first one, this will be needed; otherwise, you may apply the latest patch for 7.8, which will have code that does not error out if one of the certificates is not valid in the Certificate Authority (CA) bundle. It is mostly the responsibility of the user to keep the CA bundle up to date. You could get a good version of all the CAs from the Internet; it is used by IE and so on. I could let you know in a future post how to get that.

For documentation, there is an SSL Implementation Guide which describes most of this.

Best Regards,

Shanti

Regular Advisor
Lyle Blosser
Posts: 186
Registered: ‎06-19-2006
Message 3 of 5 (441 Views)

Thank you for that quick reply.  Yes, I checked the SSL Implementation Guide right off, but it does not discuss this particular situation at all.  I have worked through all of the rest of the certificate-gathering steps and was trying to test, but this ca-bundle.crt issue stopped me cold.
 
I would appreciate any insight you can share about getting that ca-bundle.crt.  Also, which CAE 7.8 patch should have had the fix you mentioned?  I thought we were up-to-date on patches but maybe not.
 
Thanks again,
Lyle

Valued Contributor
Shanti Yajnik
Posts: 160
Registered: ‎06-29-2010
Message 4 of 5 (436 Views)

Hi,

I have attached the latest CA certificate bundle. My colleague usually gathers this for us. I will find out and let you know how to do it. Take care to rename it to the correct name for your configuration - I suppose ca-bundle.crt.

Best Regards,

Shanti

Valued Contributor
Shanti Yajnik
Posts: 160
Registered: ‎06-29-2010
Message 5 of 5 (423 Views)

Hi,

One way to update the ca-bundle.crt would be:

  1. Look at the Certificate Authorities listed in the existing CA bundle, go to their web sites and see if any new ones are available. Add these.
  2. Delete the expired/revoked certificates from the bundle.
  3. Add any other new ones that are present in the standard bundles available on the net – used by web browsers. For this, one way would be to use a script to generate certificates, i.e. http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1

Best Regards,

Shanti Yajnik
