
We are currently working with a client who needs SAML authentication to set up their QA site on our servers. They have sent us the CRT file for the SSL to install; however, they are not sending the key. I know that at the very minimum SSL requires the .crt and .key files to complete the handshake, but they are requesting that I do this without the .key file.

My question is: Is this even possible? Is this an obscure config of apache that no one has attempted because it makes no sense? I've been searching through all kinds of documentation and have come up empty.

Of course I get an error when trying to run Apache without the key:

AH02238: Unable to configure RSA server private key
SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

This was expected but now I am hoping to find a solution.

Thank you!

DidierTech

3 Answers


In order for SSL to work, .key MUST be accompanied by .crt (they work as a pair, as .key is the private key).

If you/they need SSL in your Apache, you can generate a self-signed (or dummy) certificate, which leaves you with a .key and .crt (or just a .pem) that you can use with your Apache.

Or probably a better way to go would be using Let's Encrypt:

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

alexus
  • The QA site does have a wildcard SSL that we use on all our testing domains but that does not send the requested signature for SAML. The issue is really using their certs. – DidierTech Apr 25 '16 at 15:50
  • @DidierTech there is no need for wildcard SSL, you can generate one specifically for your QA environment. – alexus Apr 25 '16 at 15:53

It completely depends what the intended use of that certificate is.

For many purposes you need the complete keypair, but I can also imagine other scenarios:

  • your client may have sent you the public key (e.g. of their internal CA) so you can use it to validate the SAML signatures in their messages, to verify a TLS secured connection back to them or to verify client certificates they use. In that case you don't need and should never receive the associated private key...

  • Maybe one of your colleagues sent a CSR and the signed certificate is your client's response; then you should already have the private key and your client most assuredly not...

You might want to first check the certificate with: openssl x509 -in <filename>.crt -noout -text -purpose

HBruijn
  • This makes the most sense - they sent you their SAML key and something got lost in translation – Sum1sAdmin Apr 22 '16 at 15:51
  • Hi, we tried to get the public key but no go. They are refusing to share the private key (with good reason). But this is becoming a bit of an impasse at this point. – DidierTech Apr 25 '16 at 15:41
  • The certificates were generated completely on their end. We have no control over the environment or the certificates attached to it. What we do have is a QA staging env that needs to be able to authenticate though. Your first option however does seem like something I could run with... – DidierTech Apr 25 '16 at 15:48
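To make the checks in the two answers above concrete, here is an added example script (not written by either answerer, and not part of the original thread). It generates a throwaway self-signed key pair, as alexus suggests, and then performs the same comparison Apache does at startup (X509_check_private_key), which fails with "key values mismatch" when the .key does not belong to the .crt; it also prints the -purpose and identity fields HBruijn recommends looking at when a certificate arrives without a key. The hostnames qa.example.test and other.example.test and the scratch directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answers above): generate a throwaway self-signed
# key pair, then check whether a .crt and .key belong together, which is the
# test Apache performs at startup and fails with "key values mismatch".
set -eu

# Assumed: scratch directory for the generated files, removed on exit
WORKDIR="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a self-signed certificate and its private key for the given name
# (hypothetical QA hostname; valid 30 days; unencrypted key so Apache can load it).
gen_selfsigned() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" >/dev/null 2>&1
}

# Exit status 0 when the public key embedded in the certificate equals the
# public half derived from the private key; non-zero otherwise.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Print the purposes the certificate is valid for (SSL server, SSL client, ...)
cert_purposes() {
    openssl x509 -in "$1" -noout -purpose
}

# Print subject, issuer and SHA-256 fingerprint so a certificate received
# without a key can at least be identified (e.g. a SAML signing certificate).
cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Usage demonstration: one matching pair, one deliberately mismatched pair
gen_selfsigned qa.example.test
gen_selfsigned other.example.test

if key_matches_cert "$WORKDIR/qa.example.test.crt" "$WORKDIR/qa.example.test.key"; then
    echo "qa.example.test: certificate and key match (Apache would start)"
fi
if ! key_matches_cert "$WORKDIR/qa.example.test.crt" "$WORKDIR/other.example.test.key"; then
    echo "qa.example.test.crt with other.example.test.key: mismatch (AH02238 territory)"
fi
cert_identity "$WORKDIR/qa.example.test.crt"
cert_purposes "$WORKDIR/qa.example.test.crt"
```

Run key_matches_cert against the client's .crt and whatever key you already hold (for instance one from a CSR a colleague generated); a match means the pair is usable in Apache, a mismatch means the file you were given is only the public half and is meant for verifying their signatures, not for serving TLS.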

No. That would outright make no sense with a public-private key authentication system.

You can get the certificate of every website which uses HTTPS (take a look at this for how). Think what you could do in local environments if what you are asking was doable: you could very well impersonate Google, or Facebook, or any website easily with a little bit of work.