Have 256 iDRACs that have never had an SSL cert.
First I tried using a power-shell script to have the iDRACS themselves create the CSR individually,
Issue with that is, older versions of iDRAC will not create Subject Alternate Name for the certs. So Chrome gives an error.
Then had the idea to add all the DRAC host names to a CSR as Subject Alternate Names.
Know how to create the CSR using the MMC snap in, but adding 256 host names manually... So looking for some way that can add them from a text file as it creates the CSR?
Hope that's clearer?
Related
I created a certificate in my server for the hostname xxx.lol.example. I want to know if it is possible to create a sub-certificate for the hostname xxx.lmfao.lol.example thanks to the initial certificate?
You can not create "sub-certificate" out of a given certificate.
You need either to request a new separate certificate from some CA for your second name or you should create a new certificate that covers both names, which means putting the second name in the subjectAlternateName part of the certificate (your CA should help you with that).
If you are your own CA as you claim in comment (not clear from your question), then you can just produce whatever other certificate you need.
This may seem like a duplicate of this and it kind of is but none of the solutions I tried worked for me! Here is the related Question:
Installed SSL certificate in certificate store, but it's not in IIS certificate list
My system is Windows 2016 running IIS 10. We issued a CSR file using IIS using *.mydomain.com (nothing in the Common Name, I think, because that will get named upon receiving GoDaddy's response). Our client went to GoDaddy.com, purchased a Wild Card certificate, and sent me a zip file with a .p7b and a .crt file. I installed the .p7b in the Intermediate Certificate section, per GD instructions. So now in the Certificate is in the Personal folder with info like 'issued to *.mydomain.com' and friendly name being 'gis.mydomain.com'.
But the Certificate does not have Private Key--and I think that's the problem: The Certificate disappears in IIS manager. When I try the certutil -repairstore command I get a prompt for a Card insertion.
Here is a fix I am thinking about: From the Certificate Enrollement Requests part of the console, export to a pfx file, then, using OpenSSL, make a PEM file. Then create a new pfx file to Import to IIS; problem is that the new pfx file creation gives me error "No Certificate Matches Private Key". Here is the command:
pkcs12 -export -in 1d4c26d43a4da203.crt -inkey my.pem -out final.pfx
Please note that Rekeying at GoDaddy may not help: Their .CRT file seems to be generated without the Private Key. Also, DigiCert is unable to find Private Key on the server even though the CSR file was created on the same server.
What are my options?
Thanks!
I fixed this issue by following the steps here:
https://www.namecheap.com/support/knowledgebase/article.aspx/9773/2238/ssl-disappears-from-the-certificate-list-on-windows-server/
Specifically, these steps:
Open Microsoft Management Console (MMC) as an Administrator. To open MMC, press Win+R combination, type in mmc and click OK.
Select Add/Remove Snap-in and choose Certificates and click Add.
Choose Computer account in the Certificates snap-in window, click Next.
Tick Local computer in the Select computer box, then click Finish.
Locate the certificate that was imported when completing the certificate request. The certificate should be in the Personal store. Note that the icon of the certificate next to the domain name does not have a key on it; that means that no private key is assigned to the certificate.
Double-click the certificate and go to Details tab.
In certificate details locate the Serial Number field, click on it and copy its value.
In a command prompt type: certutil -repairstore my Serial_number from the step above. Make sure the serial number of your certificate does not contain any spaces. It should be a single string of symbols.
You can now refresh the list of server certificates in IIS Manager to see the certificate. You may need to close and reopen IIS.
UPDATE
The certificate store name for Web Hosting is webHosting. Use this in place of "my" which is the Personal cert store.
If you have multiple certificates, you only need to run certutil -repairstore for the first one. Others install correctly via the Complete Certificate Request in IIS (ie, they do not disappear).
Nothing worked until I followed GoDaddy's instructions per https://www.godaddy.com/help/rekey-my-certificate-4976 and installed the Re-Keyed Certificate. I don't know what had happened to have caused the failure. I had followed the exact steps earlier but what the client provided did not work first time. My guess is that the CSR file was generated when the server machine was in some pending major Windows Update and after the Update the Private Key stored in the OS was somehow lost/inaccessible.
Oh well, moving on.
There is one more use case under which IIS server certificates gets disappear when we create the Custom CSR from MMC -> Advanced Operations -> Create Custom Request and choose the Enhanced Key Usage purpose as "Client Authentication" instead "Server Authentication" and since we are uploading the certificate to IIS under Server Certificates so it should be for "Server Authentication" to show up or not disappear on IIS -> Server Certificates
Fix -
Delete the certificate from MMC and make sure it is removed after
refreshing
Generate the CSR using MMC Custom Request option and Choose "Server
Authentication" in case of the purpose for key usage while
generating the CSR using the Custom Request Option from MMC
Generate the Cert and signed by CA for the CSR generated in Step-2
Complete the Certificate Request from IIS and certificate should be
available perfectly fine in MMC as well in IIS -> Server Certificate
This should work fine !
At last Fixed!!
Step 1 - Go to your servers IIS
Step 2 - Select your server and choose SSL Certificate from middle panel
Step 3 - From the action panel on the right choose "Create Certificate Request"
Step 4 - Fill in the necessary details (common name = domain name, rest not so important)
Step 5 - after completing the wizard you will be provided with a .CSR file open the file in notepad and CTRL-A CTRL-C.
Step 6 - Go to the product page of your godaddy account from there go to SSL and click manage.
Step 7(optional) - To check if everything's fine with your CSR file, In manage SSL page click "SSL Tools" and from there choose CSR Decoder, you'll be taken to a page where you can paste the CSR and if results are shown you are good move to step 8.
Step 8 - Go back to Step 6, choose your SSL linked to the DOMAIN.
Step 9 - From the SSL Dashboard once you scroll down a bit you'll see the REKEY option, click on it.
Step 10 - Paste the CSR texts in the space provided
Step 11 - Click "Add Change"
Step 12 - Scroll down, click "Submit All Changes"
Step 13 - After the SSL is reissued(5-10 MINS), download the zip files for IIS server.
Step 14 - That's it , you should be able to add the new .CES file into the IIS without it disappearing.
Let me know if this worked for everyone.
You need to convert the certificate to .pfx file and include your private key.
https://www.ssls.com/knowledgebase/how-to-install-an-ssl-on-a-windows-server-when-the-csr-was-generated-elsewhere/
We have a wildcard .pfx file that's of the pkcs 12 convention. We have a vendor that's trying to use it, but it's only working on the whatever.company.com sites (for desktops), and not working on the m.whatever.company.com sites (for mobile). We're assuming this is happening because the wildcard cert is only for *.company.com, and not *.*.company.com.
Do we need to get a new cert created for *.*.company.com or does anyone know of a way to... I don't know... append the additional sub-subdomain to the existing cert? Maybe with keytool and/or OpenSSL .... ?
First, you cannot edit an existing signed certificate without invalidating the signature. And with an invalid signature the certificate will be considered invalid and rejected by the browser. Just imagine if editing a certificate would be possible and the edited certificate accepted by the browser: in this case an attacker could easily modify an existing certificate for its own domain to include any other domain for which he wants to do a man in the middle attack.
Apart from that wildcards like *.*.example.com are not possible, i.e. only a single wildcard is allowed and only in the leftmost label.
I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already genereated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
Thats right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.
I'm completely new to anything Secure Socket Layer related up until yesterday evening and today. I need to get a self-signed certificate to proceed with an app registration process so that I can implement OAuth in an app I'm writint. I went through a nice tutorial about how to generate certificates here. I'm an ubuntu user, if you didn't click the link to figure that out. I've been trying to generate a self-signed 1024 bit RSA key encoded x.509 certificate in PEM format. After setting up the configuration and doing everything as is on the tutorial (of course with the exception of specifying the environment-related data to my own environment). The commands to generate a new certificate and key after going through the configuration are:
forces SSL to look for configuration file in alternate location (the server configuration file):
export OPENSSL_CONF=~/myCA/exampleserver.cnf
Generate the certificate and key:
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
Following those two commands the following is displayed:
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'tempkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
I enter my pass phrase and the error I continually get is:
problems making Certificate Request
3074111688:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:
3074111688:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:285:name=organizationUnitName
I ran into a similar problem while following the same tutorial that you mentioned. In my case, the error was:
problems making Certificate Request
140098671105696:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
So I figured out that I've written some string which should have been 2 characters long (maxsize=2), but happened way longer. I returned back to my config file and quickly found that I've wrote the long name of the country, instead of the 2-character code. This solved my problem.
not really familiar with the process but, it appears "invalid field name:x509name.c:285:name=organizationUnitName" means your Organization Unit Name is invalid.
According to digicert.com: The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.
it depends on what is in your conf file, the openssl ca tool looks for sections in the file, those sections look for other sections, some of the section names are mandatory and some of the name/value pairs in sections are mandatory.. it's quite a big configuration space offered by this file
The error you mention comes up when openssl doesnt recognise a name inside a section in different scenarios, e.g. i've seen it when I was adding a custom oid for an end-entity cert, and also when customising contents of a ca cert.
if you post your configuration file and what you expect in the resulting ceritifcate then we can help. Also can you say what you intend to use the certificate for (e.g. secure a client session on a production webservice or something else)
I had the same problem, had C=USA instead of C=US
I had a similar issue. I followed the advice from GitHub using the countryName_default parameter. It seems like this parameter does not exist on my openssh.exe, contrary to the advice on GitHub.
Once I removed any xxx_default parameters from the [ req_distinguished_name ] section of the SSL xxx.conf file, the creation of the certificate succeeded.
This is working on Windows 10.