How to create a sub-certificate out of an existing certificate? - ssl

I created a certificate on my server for the hostname xxx.lol.example. I want to know if it is possible to create a sub-certificate for the hostname xxx.lmfao.lol.example using the initial certificate?

You cannot create a "sub-certificate" out of a given certificate.
You need either to request a new, separate certificate from some CA for your second name, or to create a new certificate that covers both names, which means putting the second name in the subjectAltName (Subject Alternative Name) part of the certificate (your CA should help you with that).
If you are your own CA, as you claim in a comment (not clear from your question), then you can just produce whatever other certificate you need.
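As an added illustration of the answer above (not code from the question or the answer), the following Go program plays out the "you are your own CA" case: it issues the original single-name certificate, shows that a Go TLS client would not accept it for the second host, and then issues the new certificate that lists both names in subjectAltName, which is the only way to get the second name covered. The CA name and validity periods are assumed values; xxx.lol.example and xxx.lmfao.lol.example are the names from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// privateCA is a throwaway private CA standing in for the asker's own CA.
// Its key never leaves this process; the names and lifetimes are sample values.
type privateCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newPrivateCA generates a P-256 key and a self-signed CA certificate.
func newPrivateCA() (*privateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &privateCA{key: key, cert: cert}, nil
}

// issueServerCert issues a new end-entity certificate, with its own fresh key,
// for every name in dnsNames. The names go into the subjectAltName extension,
// which is what TLS clients match against; the CN is informational only.
func (ca *privateCA) issueServerCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validFor reports whether cert chains to this CA and is valid for host,
// using the same path building and name matching a Go TLS client applies.
func (ca *privateCA) validFor(cert *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, err := newPrivateCA()
	if err != nil {
		panic(err)
	}
	// The certificate the asker already has: it names exactly one host.
	original, err := ca.issueServerCert([]string{"xxx.lol.example"})
	if err != nil {
		panic(err)
	}
	// A different name is simply not covered, and the original cannot be
	// extended in place because any edit would break its signature.
	fmt.Println("original covers xxx.lmfao.lol.example:", ca.validFor(original, "xxx.lmfao.lol.example"))
	// The remedy from the answer: issue a new certificate listing both names.
	both, err := ca.issueServerCert([]string{"xxx.lol.example", "xxx.lmfao.lol.example"})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"xxx.lol.example", "xxx.lmfao.lol.example"} {
		fmt.Println("new cert covers", host+":", ca.validFor(both, host))
	}
}
```

With a public CA the flow is the same except that you send a CSR carrying both names as SANs instead of signing locally; the old certificate stays valid for its own name until you retire it.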

Related

Create JKS from CRT and PEM file

My client sent me three files from GoDaddy (86f8ac00fcd77994.crt, 86f8ac00fcd77994.pem and gd_bundle-g2-g1.crt). I need to create a JKS keystore from these files. Is it possible? Thanks!
PS: Sorry for my English!
Yes, but you don't want to.
Java uses keystore files like JKS, and KeyStore objects in memory, to store two (or three) different kinds of information, but many people imprecisely call both of them certificates and don't understand the huge and critical difference. Specifically (and changing the order from the javadoc):
a TrustedCertificate entry contains "[one] certificate ... belonging to another party. .... This type of entry can be used to authenticate other parties."
a PrivateKey entry contains a private key PLUS a certificate CHAIN "used by a given entity for self-authentication".
for completeness, some keystores can contain a SecretKey entry, but JKS cannot, and even with those that can, this capability is rarely used.
The files you have are all certificates (one in the hex-named files, several in the bundle file), not private keys. You can import each of them into a TrustedCert entry, but TrustedCert entries are only used to validate the other end of a communication, i.e. when you connect to a server, the TrustedCert entries are used to validate that server's cert, and if you accept a connection from a client and request client auth (which is not the default and is rare), the TrustedCert entries are used to validate that client's cert. But since this cert was issued by GoDaddy, if it is used correctly (with its chain) by a server or client you communicate with, you don't need any TrustedCert entries, because it validates against a root already in Java's default truststore.
If you wanted to use this cert to authenticate 'yourself' (that is, your system), for example if you wanted to run a TLS server (possibly but not necessarily an HTTPS web server) identified by this cert, you would need a PrivateKey entry, not any TrustedCert entries, and you can't create a PrivateKey entry because you don't have the private key. The person who obtained this certificate from GoDaddy does have the private key, because the certificate request process requires it, so they could e.g. run a server, but they didn't give it to you, so you can't.
Thus the answer to the question you asked -- can you put these certs in a JKS -- is yes, you can. But it's a complete waste of time, because the resulting JKS cannot be used for anything and is worthless.

Would a wildcard SSL Certificate work without a sub-domain?

We have to update our SSL certificate for another year with a new COMODORS certificate.
We had an old certificate (GeoTrust) for *.domain.ch, which is correct from the naming aspect but expired from the date.
Now we've falsely made one with *domain.ch, without the first dot. This should be a wildcard certificate for our domain.ch.
Will this work, or can this be the problem for the server not starting after this SSL certificate update?
No, it will not work. This certificate will match against wwwdomain.ch but not www.domain.ch. But no public CA should issue such a certificate in the first place, since this way you could impersonate foo-domain.ch etc., i.e. domains which don't belong to you.
If this certificate is in a pipeline to get issued, then it won't get issued. If it got issued erroneously, then you have to re-issue the certificate from the vendor or the CA, as *domain.ch won't work.
can this be the problem for server not starting after this SSL certificate update?
The server won't start, as there is a mismatch in the domain name.

How Can We Add SAN to an Existing PKCS 12?

We have a wildcard .pfx file in the PKCS 12 format. We have a vendor that's trying to use it, but it's only working on the whatever.company.com sites (for desktops), and not working on the m.whatever.company.com sites (for mobile). We're assuming this is happening because the wildcard cert is only for *.company.com, and not *.*.company.com.
Do we need to get a new cert created for *.*.company.com, or does anyone know of a way to... I don't know... append the additional sub-subdomain to the existing cert? Maybe with keytool and/or OpenSSL...?
First, you cannot edit an existing signed certificate without invalidating the signature. And with an invalid signature the certificate will be considered invalid and rejected by the browser. Just imagine if editing a certificate were possible and the edited certificate accepted by the browser: in this case an attacker could easily modify an existing certificate for his own domain to include any other domain for which he wants to do a man-in-the-middle attack.
Apart from that, wildcards like *.*.example.com are not possible, i.e. only a single wildcard is allowed, and only in the leftmost label.

Add SSL on mysubdomain.parseapp.com

I've created a subdomain for my Parse app and I need to protect the connection while logging in and during my session.
Assume that I don't have any public domain name and I will still use just the URL (mysubdomain.parseapp.com); then is all I need to buy a certificate and get the two files:
SSL Public Certificate
SSL Private Key
and just upload it to parse through the settings page ? or will I need to do something else ?
Just need a confirmation that my understanding is correct.
Kind Regards,
Robear
The private key would come from the server. A Certificate Authority is only going to give you a domain cert, for example "mysubdomain_parseapp.com_crt", and yes, you'll need to upload the domain cert, the private key (which is generated during the CSR request), plus the CA's intermediate cert (the CA should advise which one and where to download it).
In order for a CA to issue a cert, you need to own the root domain or have permission from the owner. In your case you would need to prove that you're the owner or have permission to purchase an SSL cert for "parseapp.com".

OpenSSL Wildcard Certificate and hostname Certificate

What CNAME do I need to generate a wildcard certificate and a hostname certificate in one?
Eg. I can generate *.blah.com and also blah.com, but *.blah.com doesn't match blah.com.
I want to know how I can generate a request to match both.
Thanks.
Since your certificate is *.blah.com, it will not match blah.com. It will only match a single-level sub-domain of blah.com, not even a.b.blah.com.
To match both, you can use the subjectAltName extension and mention blah.com in its DNS entries. Then it will also match blah.com.
To see the effect of subjectAltName, open https://kotak.com and https://www.kotak.com. The browser will open both without any complaint. This is because its subjectAltName also mentions kotak.com.
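As an added example (not code from any of the questions or answers above), the following Go program runs the hostname matching a Go TLS client applies over the cases raised in the wildcard, PKCS 12 and OpenSSL questions: a wildcard covers exactly one label, the apex needs its own SAN entry, *.* is not a legal pattern, and a wildcard that is not a whole label is not treated as a wildcard at all (Go's matcher refuses such a pattern outright, so a *domain.ch certificate matches nothing, not even wwwdomain.ch). The hostnames are the ones from the questions; matches and uncovered are hypothetical helper names, and uncovered is the pre-installation check the PKCS 12 asker needed: feed it the SANs of the certificate you are about to deploy and every hostname you intend to serve.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// matches reports whether a certificate whose subjectAltName carries sanDNSNames
// would be accepted for host by Go's TLS client (VerifyHostname). Only SAN
// entries are consulted; the subject CN is ignored, as modern browsers do.
func matches(sanDNSNames []string, host string) bool {
	cert := &x509.Certificate{DNSNames: sanDNSNames}
	return cert.VerifyHostname(host) == nil
}

// uncovered returns the hosts in wanted that sanDNSNames do not cover. Run it
// over the SANs of a real certificate (x509.ParseCertificate(der).DNSNames) and
// the full list of hostnames you intend to serve before installing it.
func uncovered(sanDNSNames []string, wanted []string) []string {
	var missing []string
	for _, h := range wanted {
		if !matches(sanDNSNames, h) {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Constructed cases taken from the questions above.
	cases := []struct {
		sans []string
		host string
		why  string
	}{
		{[]string{"*.blah.com"}, "www.blah.com", "wildcard covers exactly one label"},
		{[]string{"*.blah.com"}, "blah.com", "the apex is not a label below the wildcard"},
		{[]string{"*.blah.com"}, "a.b.blah.com", "two labels, the wildcard covers only one"},
		{[]string{"*.blah.com", "blah.com"}, "blah.com", "apex listed as its own SAN entry"},
		{[]string{"*.company.com"}, "m.whatever.company.com", "same reason as a.b.blah.com"},
		{[]string{"*.*.company.com"}, "m.whatever.company.com", "only the leftmost label may be a wildcard"},
		{[]string{"*domain.ch"}, "www.domain.ch", "partial-label wildcard is not a wildcard"},
		{[]string{"*domain.ch"}, "wwwdomain.ch", "Go refuses partial-label patterns outright"},
	}
	for _, c := range cases {
		fmt.Printf("%-30v %-24s -> %-5t (%s)\n", c.sans, c.host, matches(c.sans, c.host), c.why)
	}
	fmt.Println("not covered by *.company.com:", uncovered([]string{"*.company.com"},
		[]string{"whatever.company.com", "m.whatever.company.com"}))
}
```

Browsers follow the same single-label rule from RFC 6125, so the fix for the mobile hosts in the PKCS 12 question is a reissued certificate whose SANs list *.whatever.company.com (or the individual names) alongside *.company.com, not an edit to the existing .pfx.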