Read SSL PEM generated file to get certificate expiry date - ssl

I'm using https://github.com/fszlin/certes to generate an SSL PEM file and private key, but throughout the process I can't seem to see where to get the certificate's expiry date (or even if it's in there). I have found the order expiry date, which is 7 days from now.
Does anyone know if it's a property I can extract in some method, or maybe later read the PEM to get the data out from there?
I know I can get it from the https URL once the certificate is installed, or just add 90 days onto the created date, but it would be handy to get it from the certificate itself in some form during the creation process.
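Once certes has written the certificate PEM, the validity window can be read straight out of that file with the .NET X509 classes. This is an added example, not code from certes or the original post; it assumes .NET 5 or later (for ImportFromPem) and that the PEM holds the leaf certificate, optionally followed by its chain.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class PemExpiry
{
    // Returns the validity window (UTC) of the end-entity certificate in a PEM bundle.
    // If the file also carries the chain, the leaf is the certificate that issued none
    // of the others; for a single-certificate file it is simply the only entry.
    public static (DateTime NotBefore, DateTime NotAfter) LeafValidity(string pemText)
    {
        var certs = new X509Certificate2Collection();
        certs.ImportFromPem(pemText);                 // parses every CERTIFICATE block
        if (certs.Count == 0)
            throw new InvalidDataException("no CERTIFICATE block found in the PEM input");

        var all = certs.Cast<X509Certificate2>().ToList();
        var leaf = all.FirstOrDefault(c => !all.Any(o =>
                       !ReferenceEquals(o, c) &&
                       o.IssuerName.RawData.SequenceEqual(c.SubjectName.RawData)))
                   ?? all[0];

        // NotBefore/NotAfter come back in local time; normalise to UTC for comparisons.
        return (leaf.NotBefore.ToUniversalTime(), leaf.NotAfter.ToUniversalTime());
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: PemExpiry <certificate.pem>");
            return 2;
        }

        var (notBefore, notAfter) = LeafValidity(File.ReadAllText(args[0]));
        var remaining = notAfter - DateTime.UtcNow;

        Console.WriteLine($"Not before : {notBefore:u}");
        Console.WriteLine($"Not after  : {notAfter:u}");
        Console.WriteLine($"Days left  : {remaining.TotalDays:F1}");

        // 90-day certificates like the ones in the question are usually renewed with
        // 30 days to spare; the exit code lets a scheduled task flag that point.
        return remaining.TotalDays < 30 ? 1 : 0;
    }
}
```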

Related

Does a .pfx file expire?

Using IIS on Windows Server 2016.
The reason I'm asking if a .pfx file expires is because today I can no longer successfully use a certificate that I had exported yesterday.
I have a wildcard certificate that I installed on one server, and then I exported it from that server in order to import it into two other servers. All this was done yesterday and this worked perfectly fine.
Today I want to import that same .pfx file into a fourth server but it doesn't work. I can import it and I can bind the site to it but the browser is still showing a "this site is not secure" error.
I also made a note last year when I did the same thing that I had the same problem. Apparently last year I was able to re-export from the first server and then import and it was fine, but this year even that doesn't work.
So my question is, why was I able to import the pfx onto two servers yesterday, but today it doesn't work? Are pfx files only valid for the same day they were exported?
A pfx file does not expire, i.e. it does not simply vanish after some time. Certificates though have an explicit life time when they are valid, i.e. a start date and an expiration date. A pfx file is a container which includes certificates, but also a private key. The private key cannot expire, the certificates do. There can be multiple certificates within the same pfx file (leaf and chain certificates) with different expiration times. Certificates can also be stored in other formats than PFX.

SSL certificate renewal - What happens to the old certificate during renewal?

We have an existing SSL certificate for one of our domains which will expire next week. We know that actually there is no SSL "renewal" but we will get a new certificate instead, but we got stuck with an important question in mind.
We bought the new certificate from the same company as last year, and created a new CSR code and sent it to them. We wanted to complete the validation by adding a CNAME DNS record, but since there is already a CNAME record with the same name which we added last year for the validation of the existing SSL certificate, we have to actually modify the existing record.
Here is our question: will the existing old certificate be cancelled as soon as we change the CNAME record and they issue the new one? Because if that is the case, our website won't be reachable until we get the new certificate and set it up on the server, which will likely take up to an hour.
Thanks in advance.

How to setup ssl with cacert.org

I have a free domain, say example.ml, and I host my files at byethost.com. I am trying to implement free SSL on my site. I have logged into the CAcert website, added and verified my domain, and now I am stuck. I don't know how to set up an SSL certificate from this stage.
A step-by-step explanation would be very helpful.
1. Generate a private key and save it in your file system safely.
2. Generate a CSR with it.
You can use OpenSSL for 1 and 2.
Refer to: http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
3. Get the signed server certificate from cacert.org by copying the contents of your CSR into Server certificates -> New. Save it in your file system.
4. Point your app server/web server to the location where your private key and signed server certificate are stored. Read the documentation.
If it is an Apache web server you can refer to: https://techstrum.wordpress.com/2014/11/25/how-to-enable-ssl-for-ohs-oracle-http-sever/
First, you need the CSR (your public key with some information).
To generate it, it would be easier to use the tool that your server provides (such as Apache Tomcat: using keytool; Linux: using openssl).
Then, send your CSR file to the certificate vendor to verify it and insert the Root certificate.
They will send you back the certificate file.
So you need to import this certificate file into your secret key, which you got from the key-pair generation process in the first step.
Finally, set up your key in your server and configure some properties in the web server config file.
This is the concept; for the technical details you need to know what platform you use and find the way to use its provided tools.
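Steps 1 and 2 above (private key, then CSR) done with the .NET CertificateRequest class instead of openssl, as an added example that is not part of either answer; it assumes .NET 7 or later for the PEM export helpers, uses the example.ml name from the question, and the output file names are just a constructed convention.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class MakeCsr
{
    // Generates a fresh 2048-bit RSA key and a CSR for the given host names.
    // Returns (privateKeyPem, csrPem): the CSR is what gets pasted into CAcert's
    // "Server certificates -> New" form; the key never leaves this machine.
    public static (string KeyPem, string CsrPem) Create(string commonName, params string[] altNames)
    {
        using var rsa = RSA.Create(2048);

        var request = new CertificateRequest(
            $"CN={commonName}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Browsers match the host against the SAN extension, not the CN, so list the
        // main name (and any extras such as www.) there explicitly.
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(commonName);
        foreach (var name in altNames) san.AddDnsName(name);
        request.CertificateExtensions.Add(san.Build());

        return (rsa.ExportRSAPrivateKeyPem(), request.CreateSigningRequestPem());
    }

    static void Main()
    {
        var (keyPem, csrPem) = Create("example.ml", "www.example.ml");

        // Keep the key file readable only by you; the CSR is safe to hand to the CA.
        File.WriteAllText("example.ml.key", keyPem);
        File.WriteAllText("example.ml.csr", csrPem);
        Console.WriteLine(csrPem);
    }
}
```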

extract common name from a pfx file

I use Windows XP SP3. I resell digital signature certificates. I get the clients' data, key them into a portal and download the DSC onto my machine. I use Internet Options and export the certificate to a pfx file with a password and send it off to the client. Since this is being done over and over again, during export to pfx the wrong certificate is inadvertently selected. Once the pfx file is generated, is there any way of knowing the common name in the pfx file without having to reinstall the certificate? I have looked into openssl, but I'm not sure if it can be achieved by a batch file, as a password has to be physically entered. Ideally, after exporting say 10 pfx files, I would like to run a batch file which would display only the common names. Once I confirm that the names are correct (I have exported correctly), I can delete the certificates from the store.
You should write your own application that will perform batch processing of PFX files.
The pseudo code using CryptoAPI is as follows:
1. Read the pfx files from disk one by one using PFXImportCertStore. You will get the certificate store context.
2. Acquire the certificate context: PCCERT_CONTEXT phPfxCertCtx = CertEnumCertificatesInStore
3. Get the subject name: phPfxCertCtx->pCertInfo->Subject
4. You can have a predefined list of subjects to compare with the subject names that are read.
5. Close the certificate context and the certificate store: CertCloseStore with CERT_CLOSE_STORE_FORCE_FLAG.
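The same batch check written against the .NET X509 classes rather than raw CryptoAPI, as an added example that is not part of the answer above; it assumes a folder of .pfx files that share one export password (typed once, not echoed) and, purely as a constructed convention for the mismatch check, that each file is named after the client's common name.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxNames
{
    // Common name of the end-entity certificate (the one carrying the private key)
    // in a PFX file, or null if no certificate in the file has a private key.
    public static string LeafCommonName(string pfxPath, string password)
    {
        var certs = new X509Certificate2Collection();
        // Loaded into memory only; nothing is added to the Windows certificate store.
        certs.Import(pfxPath, password, X509KeyStorageFlags.DefaultKeySet);
        foreach (X509Certificate2 cert in certs)
            if (cert.HasPrivateKey) return cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
        return null;
    }
    // Reads the export password once without echoing it (Backspace is honoured).
    static string ReadPassword()
    {
        var pw = new System.Text.StringBuilder();
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            if (k.Key == ConsoleKey.Backspace) { if (pw.Length > 0) pw.Length--; }
            else pw.Append(k.KeyChar);
        Console.WriteLine();
        return pw.ToString();
    }
    static void Main(string[] args)
    {
        string folder = args.Length > 0 ? args[0] : ".";
        Console.Write("Export password: ");
        string password = ReadPassword();
        foreach (string path in Directory.GetFiles(folder, "*.pfx"))
        {
            // Constructed convention for this example: the file is named <CommonName>.pfx.
            string expected = Path.GetFileNameWithoutExtension(path);
            string result;
            try
            {
                string cn = LeafCommonName(path, password) ?? "(no private key in file)";
                bool ok = string.Equals(cn, expected, StringComparison.OrdinalIgnoreCase);
                result = ok ? cn : cn + "   <-- does not match file name";
            }
            catch (CryptographicException ex) { result = "cannot open: " + ex.Message; }
            Console.WriteLine($"{Path.GetFileName(path),-32} {result}");
        }
    }
}
```

A wrong password or a corrupt file surfaces as "cannot open" for that one file and the loop carries on, so one bad export does not stop the whole batch.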

Renewing a wildcard SSL certificate in IIS 6 (1024 to 2048 bit)

I currently have a wildcard SSL certificate running on IIS 6 that needs to be renewed. The new certificate bit strength is now 2048 (the current one that needs to be renewed is 1024). Is there an easy way to get a certificate request file that is 2048 bit when renewing from 1024?
I don't see the option to change bit strength for renewing an SSL certificate (I only see this when creating a totally new one from scratch).
I recently had to do this very same thing. The way I did it was to remove the current certificate completely, then add a new certificate fresh; otherwise I could not figure out how to update the CSR from 1024 to 2048, which is now a requirement.
So, to answer your question, remove the current certificate first (this might be tricky if it's a busy online store), then go through the wizard and switch the CSR from 1024 to 2048.
Not the best answer, I know, but the only one I could seem to find right off (and the easiest).
Be warned about trying to get clever with this one. I just got myself in a big mess trying to do exactly this same thing without any downtime.
What I did was:
1. Create another website and generate a cert request for that. I made sure to put in the correct common name when generating the request.
2. I downloaded the certificate that was generated and installed it in my 'Personal' certificates for the Local Computer account (after adding the certificate snap-in).
3. I did 'replace' on the main website for the certificate and chose the new updated one.
I ended up getting this error (as reported by Chrome) when accessing the https site.
(net::ERR_SSL_PROTOCOL_ERROR): Unknown error
After playing around and switching back to the original certificate I ended up just removing it and re-keying the certificate. It only led to 1-2 minutes of downtime.
I do think that if you do what I was attempting in the correct order you'd be fine. I think you need to export the .pfx file and then import that. I think what's happening is the original server didn't have the correct private key or something like that and was getting confused.
So I'm upvoting calweb :-)