Questions about CSR and SSL Certificates - ssl

I'm in the process of connecting to an external server and am making a CSR to receive some certificates from them, and I have some questions regarding this.
Some tutorials state that you should save the private key as this will be used during installation of the certificate. However when using the Windows certificate manager (certmgr.msc) I think it generates the private key under the hood, and the resulting CSR-file does not contain any private key. So in that case I won't have access to any private key at all, unless I can export it from the certificate I receive later? I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store? If that's the case, does the private key have any use besides generating the public key?
I was also wondering about the location the certificate can be used. It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Last question: The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Appreciate any insight or guiding to this process. There are a tons of guides out there, but many of them seem to contradict each other in some way or another.

(certmgr.msc) I think [] generates the private key under the hood,
Correct. You generate the key and CSR, send the latter to the CA, and (we hope!) get back a cert containing your publickey and identity (for SSL/TLS your identity is your domain name or names), plus any needed chain certs (usually one intermediate and a root, but this can vary). You import the cert to certmgr, which matches it up with the existing, stored but hidden privatekey to produce a pair of cert+privatekey which is now visible and usable.
To use this in a Windows program, like IIS, you also need the chain cert(s), see below, in your store -- for these just the cert(s) not the privatekey(s), which you don't have and can't get. If you use an established public CA like Comodo, GoDaddy, LetsEncrypt their root is usually already in your store, and if you use a CA run by your employer their root may well be already in your store for other reasons such as email; if not you should add it. The intermediate(s?) may or may not already be in your store and if not you should add it(them).
I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store?
It is needed, but you don't provide it, because it's already there.
It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Initially, it is usable only on the system where the CSR and privatekey were generated. But using certmgr you can export the combination of the certificate and privatekey, and optionally the cert chain (which export wizard calls 'path'), to a PKCS12/PFX file. That file can be copied to and imported on other Windows systems and/or used by or imported to other types of software like Java (e.g. Tomcat and Jboss/Wildfly), Apache, Nginx, etc.
Note however that the domain name or names, or possibly a range of names matching a (single-level) wildcard, that you can use the cert for is determined when the cert is issued and can't be subsequently changed (except by getting a new cert).
The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Certificate Authorities are arranged in a hierarchy. Running -- particularly securing -- a root CA is difficult and expensive. As a result certs for end-entities (like you) are not issued directly by the root, but by a subordinate or intermediate CA. Sometimes there is more than one level of subordinate or intermediate. Thus when your server uses this certificate to prove its identity, in order for the browser or other client to validate (and thus accept) your cert you need to provide a 'chain' of certificates, each one signed by the next, which links your cert to the trusted root. As I said, one intermediate is common; this means your server needs to send its own cert, which is signed by the key in the intermediate, plus the intermediate cert, which is signed by the key in the root. The root needn't actually be sent, because the client already has it in their truststore, but it may be, and it is also desirable to validate the chain yourself before using it and for that you need to have the root even if you don't send it.

Related

Key Usage for CA/Subordinate CA

I had a private key/certificate used for the last 10 years. However, now Apache refuses to start with this private key (it's only 1024bit long) and I want to create a new CA for my lab and explore the subordinate CA as well.
Now, I want to create a new CSR for both the CA and the subordinate CA. I am using Ansible for the creation of the keys/csr/certs, by the way.
Now my questions: I understand that you can limit he usage of a certificate/public key by using the relevant option (key usage and extended_key_usage).
My question is:
Do I need to specify any restriction for the CA/subCA?
If so, which restrictions should I apply?
Thank you
Do I need to specify any restriction for the CA/subCA? If so, which restrictions should I apply?
If it's your lab, you actually don't need/ don't must to specify any KU or EKU (key usage or extended key usage). However - in my opinion it's better if you do it (to be as close to the real env as possible and some frameworks may complain about it)
You may actually check how common CAs are building their certificate chain. What I use:
CA certificate:
KU: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Basic constraint: Subject Type=CA, Path Length Constraint=0
Server / client certificate:
KU : Digital Signature, Key Encipherment
EKU: Server Authentication, Client Authentication
Basic constraint: Subject Type=End Entity
Though it depends what do you want to do with the certificates. There are several nice docs around, such as this one

How to setup ssl with cacert.org

I have a free domain,sayexample.ml, and I hosted my files at byethost.com. I am trying to implement free ssl on my site. I have logged into cacert website. Added and verified my domain. And now I am stuck. I dont know how to set up an ssl certificate from this stage.
A step by step explanation will be quite a lot helpful.
Generate a private key and save it in your file system safely.
Generate a CSR with it.
You can use openSSL for 1 and 2.
Refer : http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Get the signed server certificate from cacert.org by copying the contents of your CSR to Server certificates -> New. Save it in your file system.
You need to point your Appserver/Webserver to the location where your private key and signed server certificate is stored. Read documentation.
If it is a Apache webserver you can refer: https://techstrum.wordpress.com/2014/11/25/how-to-enable-ssl-for-ohs-oracle-http-sever/
First, you need the CSR (your public key with some information).
To generate it you have to use the tool that your server provide would be easier (such as Apache Tomcat :: using keytool, Linux :: using openssl)
Then, sending your CSR file to the certificate vendor to verify and insert Root certificate.
They will send you back certificate file.
So, you need to use this certificate file for import into your secret key which you get it from the key-pair generate process on the first step.
Finally, setup your key into your server and config some property in web server config file.
These are the concept, for the technical you need to know what platform you used and find the way to use their provided tool.

Two CSR files with same information from different Servers

I have two web servers(IIS) Prod/DR and I am required to install a certificate with same common name on both the servers.
I have generated two CSR files from these two servers with same information (common name, location etc)
We are required to generate a third party signed certificate, but I am confused/ignorant when it asks for CSR. These two CSR files when I compared are different(byte compared).
Should I just upload any 1 of the CSR file and use the cert generated to be installed on both servers? Will both server accept this certificate (after in pending cert request state) generated with same information but has different CSR files?
This question is a better fit for something like server fault, but I'll give it a shot:
A CSR is a unique per private key. You need to pick one CSR, and request it from your CA. Your CA will respond with the full certificate, which can be exported from the machine on which you issued the CSR and imported to the other servers.
If you were to request multiple CSR's be fulfilled, you would get multiple certificates. Instead, you need to complete the process once and copy the returned certificate.
See http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html for step by step instructions.

Is it possible for a keypair to import a certificate without a CSR file?

I have obtained a free Open Source Developer certificate (with Code Signing as only usage) from Certum in reply to a web form instead of a regular CSR file. The Certificate has no installation issues on Windows and forms a trusted chain along with the corresponding intermediate and root CA certificates in any keystore management tool I have tried. No problems so far.
Nevertheless, besides the bright side of becoming somewhat acquainted with the subject after frustrating studying it for several days (my only purpose was to sign jar files for my online solfège school), I haven't been able to import the certificate to any keypair on neither toolkey, KeyStore Explorer, CERTivity, nor OpenSSL, because the public keys don't match, (I think) obviously.
I (probably mis)understand that the public key from a requesting keypair is conveyed to the CA by the CSR file and included back in the certificate reply, but in my case there is no CSR file.
I plainly admit my ignorance, and would just like to know:
If is it even possible (with all security risks involved) the procedure of tailoring a keypair to match an existing such a certificate (an Openssl command, perhaps), and
if, as I'm afraid of, the answer is no, what is such a "CSR-file-orphan" certificate useful for?
Any enlightment will be greatly appreciated.
Jesús Díaz
Certum probably have created the CSR for you if you didn't submit one.
In that case, a (public-private) key pair would have been installed on your computer.
You will probably have to export the key pair from Windows keystore to a file so that you can import it to another keystore.
guide from microsoft
with screenshots
another way
To answer your questions:
since the certificate has been created, you won't be able to create a key pair for it.
it is actually not a CSR orphan certificate
You might want to make another request from Certum and inform them that you would like to provide a CSR

Custom SSL Certificate Authority?

Is there a custom SSL certificate authority I can add to my browser?
We use lots of internal urls like
http://www.somproject.somebranch/ for working on individual branches
It would be cool if there was some service I could add to my browser/OS which would let me use a single cert (or easily generate certs) for non-real domains. Does this exist, or is this just a #firstworldproblem?
The point of a custom CA is that you have to create it yourself (by being the holder of the private key for the CA certificate, in particular). Importing just any available CA certificate into your browser would mean that anyone with its private key could issue certificates recognised by your browser (usually for any site, unless there is a specific policy).
There are a few tools to manage a CA:
OpenSSL's CA.pl: it's a script that comes with OpenSSL. It's quite basic but highly configurable (via openssl.cnf).
TinyCA is a front-end to OpenSSL that helps you manage your certificates with a GUI. It's a bit more manageable than CA.pl.
OSX comes with its own interface in Keychain.app.
There are a number of other tools listed in this Security.SE question: EJBCA, OpenCA and XCA.
Most of the hard work is the administrative part (not so much sysadmin, but paperwork) in general. If it's just for you, EJBCA or OpenCA might be overkill.