I have a VPS with Apache2.
I have installed SSL before in my websites, but always form freeSSL or ZeroSSL, they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have issued a year long SSL service from Comodo SSL, and they send me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no Idea what to do... I tried Google but can't find any guide, they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) ( Extensions may vary but, as you know, on linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the csr can be generate by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you've been asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: login with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a comodo SSL certificate, as I said the email of Comodo didn't give me the key file BUT, after some hours the comodo ssl service started showing on my webhosting control center and going through some menus I reached a button called "download SSL", that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence but is solved. Thanks. The other option was to reach Comodo or Hostinger for help.
Related
I'm trying to fix an issue related to an expired ca certificate.
I replaced a the certificate located at /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem (with these instructions).
Then restarted puppet-server, but agents still see an expired certificate.
I noticed there is also a value localcacert which points to a slightly different path etc/puppetlabs/puppet/ssl/certs/ca.pem.
I see this little snippet on Puppet documentation:
Where each client stores the CA certificate.
Default: $certdir/ca.pem
I'm confused by this. The description makes it sound like a folder where clients store certificates, yet the value is a single pem file.
Can anyone clarify the difference between these two ca pem files?
If I update one can I just overwrite the other with my new pem?
Can anyone clarify the difference between these two ca pem files?
The cacert setting is relevant only to the master. It specifies the location of the certificate with which the master's hosted CA will sign communications.
The localcacert setting specifies the location of the client's copy of the CA certificate (containing the public key, not the private one). This is what machines will use to verify certificates signed by the CA.
In both cases, you should not read too much into the word "location". These settings designate certificate files, not directories.
I got this problem for about a week now, My client ask me to renew the SSL certificate which expired already. I followed a lot of tutorials already but nothing help me.
I have this certificates provided:
Private Key
Intermediate Certificate
CSR
Public Certificate
The server is Amazon and uses Apache/HTTPD
I saved the private key as .key file and the rest is .crt
By the way, I setup the ssl.conf because that is where the Virtual Host is located.
I saved my certificates in, /etc/httpd/conf/ssl.cert/
I saved my keys in, /etc/httpd/conf/ssl.key/
and the location of my ssl.conf: /etc/httpd/conf.d/ssl.conf
My questions are:
What's the usual way on renewing SSL Certificates?
What's all I need to renew it?
Can I do it only on the FTP client or I need to go to my AWS page and set it up there?
I am really desperate to get out of this embarrassment. I hope someone would help me do it. Thanks in advance.
You need to create a CSR (certificate signing request) that contains the server's information. (There are many, many guides on how to do this using openssl.) You then purchase a SSL certificate from your certificate issuer of choice and provide them with the CSR. When your order is complete they will issue you a SSL certificate that you can download and install in Apache. If you go to the issuer of the original certificate they will likely have a renew process that will walk you through all of the steps.
I have installed a ssl certificate via WHM on one of my domain. Site is working with https://xyz.com.
However it is not working with https://www.xyz.com. I have checked the certificate and it is for www version as well. After some research it appears to be incomplete chain issue. I had no idea how to resolve this. Please help.
A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
I am trying to move a website into Azure (Azure Website). I have everything moved, except the ssl isn't working. The error that comes up says
You attempted to reach [subdomain].[domain].com, but instead you actually reached a server identifying itself as *.azurewebsites.net ...
I think it may have something to do with my certificate. The cert is a UCC cert (multiple SAN) through GoDaddy. I did not rekey the cert when I moved the site from the old server to the Azure Website. The old server was managed using Parallels. Here is what I did to move the cert:
I logged into Parallels on the old server. I opened the SSL screen, where I could see the 4 parts of the cert (csr, private key, certificate, CA certificate). I copied the text for each of those (including the ---Begin Certificate--- and ---End Certificate--- lines. EDIT: the private key began with ---Begin RSA Private Key--- and ended with ---End RSA Private key), and I pasted the data to create 4 .txt files. I then renamed the txt files so that I had 4 files named CAcertificate.cer, certificate.cer, privateKey.pem, and cert.cer. They were all saved in the c:\ directory (root).
I then pulled up OpenSSL and ran the following command:
pkcs12 -export -in c:\certificate.cer -inkey c:\privateKey.pem -out c:\certificate.pfx -certfile c:\CAcertificate.cer
I entered a password twice, and out popped a certificate.pfx file.
I uploaded that file to my Azure Website. The UCC Cert applies to 4 subdomains. I have my Azure Website set up with only one of those subdomains as a domain name. After uploading the file, I went to SSL Binding, and chose that subdomain, matched it with the cert I just uploaded, and chose "SNI SSL." I saved it, and all looked good.
Unfortunately, when I browse to the subdomain, I get the error I listed at the beginning.
I have a CName set up to forward from that subdomain to the Azure Website. I also have an A record set up to point from that subdomain to the IP Address of the Azure Website. The site is pulling up as I would expect, except for the ssl certificate error.
Did I generate the .pfx file incorrectly? Is there something I need to change in Azure or my domain registrar? I noticed that I could download a .pem file from the parallels panel. It contained all 4 parts of the cert in one file. I didn't know what I could do with that.
A missing root or intermediate certification authority can cause this behavior as documented in this article (written by a Microsoft MVP).
This answer shows how to export the full certificate chain including the private key using OpenSSL for Windows.
If the certificate is already installed in your local Windows machine you can follow this guide and be sure to select
Yes, export the private key and
Include all certificates in the certification path if possible.
This will create a .pfx file containing your certificate, its private key as well as all intermediate and root CAs.
I am trying to prepare for the switch in the SSL certificate vendors.
For the the SSL validation, Our Tomcat web application uses a JKS file created from a DigiCert certificate ( *.cer files). Our company is now switching to VeriSign next week. Since they have already provided the new *.cer files, can I simply add the new cert ( using keytool) to the existing JKS so that it works for both certificates. I am trying to avoid any downtime during the switch and prepare the server beforehand?
Any helps will be much appreciated.
You must install the certificate onto the same keystore you created the CSR from as the private key resides there. Otherwise it will not work. Please reference the article below on instructions on how to import into a tomcat server:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR234&actp=search&viewlocale=en_US&searchid=1369174910074