I have created a self-signed certificate on my Kubernetes cluster. I can now see that the certificate is showing the status READY = True. When I describe the secret of this certificate, I can see the below.
Output of Secret
How do I extract the above files so I can use them to secure my website?
I found the answer. The keys are stored in the secret that we provide in the certificate.yaml file! I just had to do an edit secret and copy the content over.
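Added example, not part of the original post: instead of copying values out of an editor, the Secret can be dumped with `kubectl get secret example-tls -o json` and decoded offline. It assumes the usual `kubernetes.io/tls` layout (`tls.crt`, `tls.key`, plus `ca.crt`); the name `example-tls` and the PEM bodies in the sample are constructed placeholders.

```python
import base64
import json
import os

# Constructed sample in the shape of `kubectl get secret example-tls -o json`.
# "example-tls" and the PEM bodies are placeholders, not real key material.
def _b64(text):
    return base64.b64encode(text.encode()).decode()

SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-tls"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
    },
})

def decode_secret(secret_json):
    """Return {key: decoded bytes} for every entry under .data of a Secret."""
    secret = json.loads(secret_json)
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    # .data values are base64-encoded, not encrypted: read access to the
    # Secret is read access to the private key.
    return {k: base64.b64decode(v, validate=True)
            for k, v in secret.get("data", {}).items()}

def write_secret_files(secret_json, out_dir):
    """Write each data key to out_dir; private keys get mode 0600."""
    written = {}
    for name, blob in decode_secret(secret_json).items():
        if os.path.basename(name) != name:
            raise ValueError("unexpected key name: %r" % name)
        mode = 0o600 if name.endswith(".key") else 0o644
        path = os.path.join(out_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        os.fchmod(fd, mode)  # tighten a pre-existing file before any bytes land
        with os.fdopen(fd, "wb") as fh:
            fh.write(blob)
        written[name] = path
    return written

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in write_secret_files(SAMPLE_SECRET, tmp).items():
            print(name, oct(os.stat(path).st_mode & 0o777))
```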
I have a VPS with Apache2.
I have installed SSL before in my websites, but always from freeSSL or ZeroSSL; they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have issued a year long SSL service from Comodo SSL, and they send me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no idea what to do... I tried Google but can't find any guide; they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) (extensions may vary but, as you know, on Linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the CSR can be generated by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you've been asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: log in with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a Comodo SSL certificate. As I said, the email from Comodo didn't give me the key file, BUT after some hours the Comodo SSL service started showing on my webhosting control center, and going through some menus I reached a button called "download SSL" that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence, but it is solved. Thanks. The other option was to reach Comodo or Hostinger for help.
I'm trying to fix an issue related to an expired ca certificate.
I replaced the certificate located at /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem (with these instructions).
Then restarted puppet-server, but agents still see an expired certificate.
I noticed there is also a value localcacert which points to a slightly different path etc/puppetlabs/puppet/ssl/certs/ca.pem.
I see this little snippet on Puppet documentation:
Where each client stores the CA certificate.
Default: $certdir/ca.pem
I'm confused by this. The description makes it sound like a folder where clients store certificates, yet the value is a single pem file.
Can anyone clarify the difference between these two ca pem files?
If I update one can I just overwrite the other with my new pem?
Can anyone clarify the difference between these two ca pem files?
The cacert setting is relevant only to the master. It specifies the location of the certificate with which the master's hosted CA will sign communications.
The localcacert setting specifies the location of the client's copy of the CA certificate (containing the public key, not the private one). This is what machines will use to verify certificates signed by the CA.
In both cases, you should not read too much into the word "location". These settings designate certificate files, not directories.
I used this blog to get a Let's Encrypt certificate for an apache2 server on Windows via letsencrypt-win-simple's manual mode. The tool reports success and all files were generated, however, I can't find any documentation on what is what. My apache2 has a temporary self-signed certificate installed with a self-generated private key. I assume the tool created an entirely new private key and certificate signing request and did not use the existing private key to verify my certificate? Sorry for my confusion, but I just found explanations that show how confusing and flexible the formats can be used.
The tool generated the following (- my assumption what the file is):
myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
myurl.com-gen-key.json - Public key to send to the CA?
myurl.com-crt.pem - My certificate?
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
myurl.com-chain.pem - The chain of CAs used to create the certificate?
myurl.com-all.pfx - An encrypted file containing everything? Do I need to generate the files for my apache2 from this via openssl or can I use the others?
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result? But what is myurl.com-crt.pem then?
ca-CRYPTICODE-crt.der - Another certificate?
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Which files do I need to configure my apache2 with? Which files are private and never shared with anyone?
myurl.com-crt.pem - this is the SSLCertificateFile
myurl.com-key.pem - this is the SSLCertificateKeyFile
ca-CRYPTICODE-crt.pem - this is the SSLCertificateChainFile
These 3 files you should specify in apache virtual host configuration.
myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
Private key to sign the CSR and use in association with the eventual certificate.
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
Correct.
myurl.com-gen-key.json - Public key to send to the CA?
Don't know what it is but the CA doesn't need your public key: it is already in the CSR.
myurl.com-crt.pem - My certificate?
Correct.
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
No, this is another representation of the .pem file. It isn't encrypted.
myurl.com-chain.pem - The chain of CAs used to create the certificate?
Correct.
myurl.com-all.pfx - An encrypted file containing everything?
Correct.
Do I need to generate the files for my apache2 from this via openssl or can I use the others?
You can use this as a PKCS#12 keystore with Java, or the others with Apache HTTPS.
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result?
Looks like another CA certificate. Have a look at it with some PEM utility.
But what is myurl.com-crt.pem then?
Your signed certificate.
ca-CRYPTICODE-crt.der - Another certificate?
DER form of ca-CRYPTICODE-crt.pem.
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Pass. Probably used in the Let's Encrypt registration or verification process.
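Added example, not part of either answer above: a small classifier that reports what each generated file is from its encoding and PEM label, and shows that the `.der` file is just the base64-decoded body of the `.pem` file. The file names follow the question; the byte contents and the PEM labels chosen for them are constructed stand-ins, not output of the tool.

```python
import base64
import re

# One PEM block: armor label, then the base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def armor(label, der):
    """Wrap raw DER bytes in PEM armor carrying the given label."""
    body = base64.encodebytes(der).decode()
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)).encode()

def pem_to_der(blob):
    """Return the DER bytes inside each PEM block: base64 decoding, no key."""
    return [base64.b64decode(body) for _, body in PEM_BLOCK.findall(blob)]

def describe(blob):
    """Classify a credential file by its encoding and PEM label(s)."""
    blocks = PEM_BLOCK.findall(blob)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        # Any "... PRIVATE KEY" label marks a file that must never be shared.
        private = any(l.endswith("PRIVATE KEY") for l in labels)
        return {"encoding": "PEM", "labels": labels, "private": private}
    if blob[:1] == b"\x30":
        # Binary ASN.1 SEQUENCE, i.e. DER. A .der certificate and a .pfx both
        # start this way; telling them apart needs an ASN.1 parser.
        return {"encoding": "DER", "labels": [], "private": None}
    return {"encoding": "unknown", "labels": [], "private": None}

# Constructed stand-in: a DER SEQUENCE header plus zero padding.
# Not a real certificate, request or key.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
CERT_PEM = armor("CERTIFICATE", FAKE_DER)

# File names follow the question; the PEM labels are assumptions.
SAMPLE_FILES = {
    "myurl.com-crt.pem": CERT_PEM,
    "myurl.com-crt.der": pem_to_der(CERT_PEM)[0],
    "myurl.com-key.pem": armor("RSA PRIVATE KEY", FAKE_DER),
    "myurl.com-csr.pem": armor("CERTIFICATE REQUEST", FAKE_DER),
    "myurl.com-chain.pem": CERT_PEM + CERT_PEM,
}

if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        print(name, describe(blob))
```

A `private` value of `None` means the encoding alone does not say; treat any DER or PFX file as sensitive until its contents are inspected.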
I created a Let's Encrypt certificate using SSLforFREE. It works great in the browser, but generates an "unknown certificate" error when used with an Alexa skill. Manually uploading the certificate to the Alexa service works, but it will not work as a "trusted" certificate.
Has anyone successfully used one of these as a "trusted" certificate with Alexa?
Oh, here's what you can do:
Download the contents of your fullchain.pem cert, from /etc/letsencrypt/live/<domain>/fullchain.pem on your server
On your skill config page, select the "SSL" Tab.
Mark "I will upload a self-signed certificate in X.509 format."
Paste the contents of your fullchain.pem file.
It worked for me. Not sure if chain or cert would be enough.
Don't use sslforfree. Use Let's Encrypt fullchain certificates directly.
Though certificates from https://www.sslforfree.com/ utilize the Let's Encrypt certificate chain, Amazon finds an issue while tracing to a trusted certificate authority.
This is another discussion on missing certificate chains.
The solution that will work is to use Let's Encrypt certificates directly, with chained certificates to a trusted CA certificate.
For this, use certbot in order to generate a Let's Encrypt certificate on your server and follow the steps in #aldrinleal's answer.
I have had this problem for about a week now. My client asked me to renew the SSL certificate, which has already expired. I have followed a lot of tutorials already but nothing helped me.
I have these certificates provided:
Private Key
Intermediate Certificate
CSR
Public Certificate
The server is Amazon and uses Apache/HTTPD
I saved the private key as .key file and the rest is .crt
By the way, I set up the ssl.conf because that is where the Virtual Host is located.
I saved my certificates in /etc/httpd/conf/ssl.cert/
I saved my keys in /etc/httpd/conf/ssl.key/
and the location of my ssl.conf: /etc/httpd/conf.d/ssl.conf
My questions are:
What's the usual way of renewing SSL certificates?
What's all I need to renew it?
Can I do it only on the FTP client or do I need to go to my AWS page and set it up there?
I am really desperate to get out of this embarrassment. I hope someone would help me do it. Thanks in advance.
You need to create a CSR (certificate signing request) that contains the server's information. (There are many, many guides on how to do this using openssl.) You then purchase an SSL certificate from your certificate issuer of choice and provide them with the CSR. When your order is complete they will issue you an SSL certificate that you can download and install in Apache. If you go to the issuer of the original certificate they will likely have a renewal process that will walk you through all of the steps.