Letsencrypt SSL Certificate with Same Public Key? - ssl

As Letsencrypt SSL certificates renew every 90 days, I would like to keep the same public key even after renewal. Is it possible, and if yes, how?

Found the solution here - https://community.letsencrypt.org/t/prevent-public-key-changin-when-renewing-ssl-certs/25489/6
As of now we can use clients other than certbot to renew certificates while keeping the same public key.
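The mechanics behind that answer, as an added example that is not part of the post or the linked thread: the private key is generated once, every renewal produces a fresh CSR from that same key, and the issued certificates differ only in issuance details (serial, validity) while carrying the same public key. A toy CA created inside the script stands in for Let's Encrypt so it runs offline; "example.test" is a constructed hostname and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the post's own code). A toy CA plays the issuer so that
# the flow works without an ACME server; example.test is a made-up hostname.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="example.test"

# Toy issuer. Assumption: no ACME server is reachable from here.
make_toy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -subj "/CN=Toy CA" >/dev/null 2>&1
}

# The one key you keep. Generated once; the renewal step must never replace it.
make_persistent_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/persistent.key" >/dev/null 2>&1
}

# One renewal: a fresh CSR from the persistent key, signed into a new 90-day cert.
# $1 = where to write the certificate
renew_with_same_key() {
  openssl req -new -key "$WORK/persistent.key" -subj "/CN=$DOMAIN" \
    -out "$WORK/renew.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/renew.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 -out "$1" >/dev/null 2>&1
}

# Classic "does this key belong to this cert" check: compare the RSA moduli.
# $1 = private key, $2 = certificate; prints match or mismatch.
key_matches_cert() {
  km="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)"
  cm="$(openssl x509 -in "$2" -noout -modulus)"
  if [ "$km" = "$cm" ]; then echo match; else echo mismatch; fi
}

# Serial number of a certificate; it changes on every issuance.
cert_serial() {
  openssl x509 -in "$1" -noout -serial
}

# Whole scenario: two renewals from one key. Prints "reused" when both
# certificates carry the persistent key but are distinct issuances.
demo_key_reuse() {
  make_toy_ca
  make_persistent_key
  renew_with_same_key "$WORK/cert-renewal-1.crt"
  renew_with_same_key "$WORK/cert-renewal-2.crt"
  m1="$(key_matches_cert "$WORK/persistent.key" "$WORK/cert-renewal-1.crt")"
  m2="$(key_matches_cert "$WORK/persistent.key" "$WORK/cert-renewal-2.crt")"
  s1="$(cert_serial "$WORK/cert-renewal-1.crt")"
  s2="$(cert_serial "$WORK/cert-renewal-2.crt")"
  if [ "$m1" = match ] && [ "$m2" = match ] && [ "$s1" != "$s2" ]; then
    echo reused
  else
    echo "not-reused ($m1 $m2 $s1 $s2)"
  fi
}

demo_key_reuse   # reused
```

With a real ACME client the same split applies: keep `persistent.key` outside the client's managed directory and feed it a CSR you generated from that key (certbot's `certonly --csr` takes exactly that); keeping the public key stable is what makes key pinning survive a 90-day rotation.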

Related

Self-signed certificate for Client

I'm confused about how a self-signed certificate works.
Our application will connect to a server to get some info via SSL or HTTPS. This means we are the client. The server is asking us to provide the self-signed certificate. I created an RSA key pair and a self-signed certificate. What cert or key will we provide to them? The public key and the self-signed certificate? And do we expect a certificate from them?
What cert or key will provide to them?
Only the self-signed certificate should be provided. The private key should be kept private (hence the name).
... and do we expect certificate from them?
This depends on whether they also use self-signed certificates at their end or whether a publicly trusted CA has issued the certificate. In the first case they need to provide the certificate; in the latter case your client just needs to trust the common publicly trusted CA (i.e. what browsers do).

How to generate SSL certificate & public key for encryption?

I am working with some XYZ API provider.
What they are asking is the following:
Certificate with 4096-bit public key for encryption (.pem or .cer format)
SSL certificate for sending callback response on call back URL.
I generated the self-signed SSL certificate using OpenSSL & shared it with them along with the private key (I know we shouldn't). They asked me to share a valid public key & SSL certificate.
I even generated a certificate & private key on DigiCert, but couldn't figure out how to generate a public key for the SSL certificate.
Can anyone kindly suggest how to generate Public key & private key for the SSL Certificate?
Kindly also suggest if I can use Comodo or DigiCert to generate a public key for the SSL certificate?
An SSL Certificate is a public key verified and signed by a Certificate Authority. You generate a public/private key pair, then from that generate a Certificate Signing Request (which includes the public key), which you send to the CA. It then signs that public key included in the CSR producing the certificate which it sends back to you. See also here.
It sounds like you already have this though, so you'd need to clarify what you're trying to achieve. It sounds like it may be a client authentication / mutual authentication scenario? If so, it depends on what the service provider requires - certificates for client authentication may need to be signed either by a public authority that the server trusts, or by the server itself.
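The key pair, CSR and signing flow the answer describes, and the "public key as a .pem file" the API provider asked for, as an added example that is not from the question or the answer (it also covers the self-signed client certificate question above: the certificate is what you hand over, the key stays with you). A toy CA created in the script stands in for DigiCert or Comodo, the subject names are constructed, and the `openssl` CLI is assumed to be available.

```shell
#!/bin/sh
# Added example (not the poster's or answerer's code). Toy CA instead of a
# public CA; CN/O values are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the private key. It never leaves your systems. 4096 bits as requested.
gen_private_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -out "$WORK/client.key" >/dev/null 2>&1
}

# Step 2: the CSR. It carries the public key plus your identity; this is what
# goes to the CA (or to the other party, if they sign client certs themselves).
gen_csr() {
  openssl req -new -key "$WORK/client.key" \
    -subj "/CN=api-client.example.test/O=Example Corp" \
    -out "$WORK/client.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. Your private key is not involved at all.
toy_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -subj "/CN=Toy CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/client.crt" >/dev/null 2>&1
}

# Step 4: the standalone public key .pem. It is the SubjectPublicKeyInfo lifted
# out of the certificate; there is nothing separate to "generate".
extract_public_key() {
  openssl x509 -in "$WORK/client.crt" -pubkey -noout > "$WORK/client.pub.pem"
}

# Key size in bits, read from the RSA modulus of a public key file ($1).
public_key_bits() {
  mod="$(openssl rsa -pubin -in "$1" -noout -modulus | cut -d= -f2)"
  echo $(( ${#mod} * 4 ))
}

# The public key must be identical in the private key, the CSR and the cert.
pubkeys_consistent() {
  k="$(openssl pkey -in "$WORK/client.key" -pubout)"
  r="$(openssl req -in "$WORK/client.csr" -pubkey -noout)"
  c="$(cat "$WORK/client.pub.pem")"
  if [ "$k" = "$r" ] && [ "$r" = "$c" ]; then echo yes; else echo no; fi
}

# Run the flow. What you hand over: client.crt and client.pub.pem, never client.key.
demo_csr_flow() {
  gen_private_key
  gen_csr
  toy_ca_sign
  extract_public_key
  bits="$(public_key_bits "$WORK/client.pub.pem")"
  chain="$(openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" | sed 's/.*: //')"
  echo "bits=$bits consistent=$(pubkeys_consistent) chain=$chain"
}

demo_csr_flow   # bits=4096 consistent=yes chain=OK
```

If the provider needs the public key in .cer rather than .pem, `openssl x509 -in client.crt -outform DER -out client.cer` converts the certificate; the key inside is unchanged.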

Can I safely remove Expedited SSL after installing a Lets Encrypt SSL certificate?

I have obtained an SSL cert from Lets Encrypt and added it to my SSL endpoint on Heroku, but I'm a bit nervous about simply removing Expedited SSL. Is it safe?
No problem with doing that and switching to a new certificate from a different Certificate Authority (CA) such as LetsEncrypt. I always remove the references to the old certificates.
A practice I suggest is moving the old certificates to new names by appending .backup at the end.
Based on the documentation this is a correct practice as long as DNS is pointed to the right endpoint.
I removed my old Comodo SSL certificate and it worked fine. Make sure you've updated your DNS Target at your domain registrar to point to the SSL endpoint you got when you added the Let's Encrypt cert. (Usually certified.domain.herokudns.com)

How to Renew SSL Certificate on Amazon Web Services/Apache

I have had this problem for about a week now. My client asked me to renew the SSL certificate, which has already expired. I followed a lot of tutorials already but nothing helped me.
I have these certificates provided:
Private Key
Intermediate Certificate
CSR
Public Certificate
The server is on Amazon and uses Apache/HTTPD.
I saved the private key as a .key file and the rest as .crt.
By the way, I set up ssl.conf because that is where the Virtual Host is located.
I saved my certificates in, /etc/httpd/conf/ssl.cert/
I saved my keys in, /etc/httpd/conf/ssl.key/
and the location of my ssl.conf: /etc/httpd/conf.d/ssl.conf
My questions are:
What's the usual way on renewing SSL Certificates?
What's all I need to renew it?
Can I do it only from the FTP client, or do I need to go to my AWS page and set it up there?
I am really desperate to get out of this embarrassment. I hope someone would help me do it. Thanks in advance.
You need to create a CSR (certificate signing request) that contains the server's information. (There are many, many guides on how to do this using openssl.) You then purchase an SSL certificate from your certificate issuer of choice and provide them with the CSR. When your order is complete they will issue you an SSL certificate that you can download and install in Apache. If you go to the issuer of the original certificate they will likely have a renew process that will walk you through all of the steps.
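What to check once the issuer hands the renewed certificate back, before editing ssl.conf and restarting httpd, as an added example that is not part of the question or the answer: the leaf must chain through the supplied intermediate to a trusted root, must be valid for the hostname the vhost serves, and must not be about to expire; the vhost then needs the three certificate directives below. A toy root and intermediate generated in the script stand in for the public CA chain, the hostname and the paths are constructed to mirror the question, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the poster's or answerer's code). Toy root/intermediate
# instead of a public CA; www.example.test and the /etc/httpd paths are
# illustrative.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"

# Toy PKI: root -> intermediate -> renewed server certificate, i.e. the
# "Intermediate Certificate" and "Public Certificate" a CA sends back.
build_toy_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -days 3650 -subj "/CN=Toy Root" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" \
    -out "$WORK/intermediate.csr" -subj "/CN=Toy Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.crt" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=$HOST" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 365 \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Check 1: leaf chains via the supplied intermediate to a trusted root and is
# valid for the served hostname. Prints OK, or the first line of the error.
check_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
    -verify_hostname "$HOST" "$WORK/server.crt" 2>&1 | sed 's/.*: //' | head -n 1
}

# Check 2: the leaf is still valid 30 days (2592000 s) from now.
check_not_expiring() {
  if openssl x509 -in "$WORK/server.crt" -noout -checkend 2592000 >/dev/null; then
    echo valid
  else
    echo expiring
  fi
}

# Install step: the directives the vhost in ssl.conf needs. Apache 2.4.8+ also
# accepts leaf plus intermediate concatenated in SSLCertificateFile.
write_vhost() {
  cat > "$WORK/ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName $HOST
    SSLEngine on
    SSLCertificateFile      /etc/httpd/conf/ssl.cert/server.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.cert/intermediate.crt
</VirtualHost>
EOF
  grep -c '^    SSLCertificate' "$WORK/ssl.conf"
}

demo_renewal_checks() {
  build_toy_pki
  echo "chain=$(check_chain) expiry=$(check_not_expiring) directives=$(write_vhost)"
}

demo_renewal_checks   # chain=OK expiry=valid directives=3
```

Run `apachectl configtest` after copying the files into place and before restarting; a chain that fails `openssl verify` will usually also fail in browsers even though Apache starts happily.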

SSL approach for private software

What is the proper way of using SSL certificates for private applications? By private I mean that I am the only user, and software is running on my computers.
I want to have encrypted communication between two of my programs. I want to send passwords between them, so I need to be sure that the remote program is not fake/hacked.
As far as I understand I don't need to get a paid SSL certificate from a CA if there is no third party involved.
Is the following correct?
Server has a private key and self-signed SSL certificate.
Client has a copy of server's self-signed certificate (it needs to be well protected).
During the handshake server sends the certificate to client.
client checks if the certificates are the same.
client can start encrypted transmission.
Is there another way?
Server has a private key and self-signed SSL certificate.
Yes
Client has a copy of server's self-signed certificate (it needs to be well protected).
The client has either a copy of the certificate, or the certificate's public key, or the fingerprint of these. Since the certificate is public, this information does not need to be protected. Only the private key of the server (residing only on the server side) needs to be protected, because with this key one could prove ownership of the certificate.
During the handshake server sends the certificate to client.
Yes.
client checks if the certificates are the same.
Kind of. It might check the certificate or the public key or the fingerprints.
client can start encrypted transmission.
Yes.
I would recommend that you read the OWASP article about certificate and public key pinning. It also contains sample code for various environments.
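The "public key or fingerprint" variant from that reply, as an added example that is not part of the question or the answers: the client ships with a pin derived from the server's public key, accepts any certificate carrying that key (so the server can re-issue its self-signed certificate without touching the client), and rejects an impostor that presents a self-signed certificate with the same name but a different key, which is exactly the case that "ignore the certificate and proceed" would let through. Keys and certificates are generated inside the script, the names are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the poster's or answerers' code). The server key, its
# re-issued certificate and the impostor certificate are all generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SPKI pin in the form used by HPKP and the OWASP pinning guidance:
# base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ). It depends only on the
# public key, so it survives re-issuing a certificate for the same key.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Client-side check: pin of the certificate received in the handshake ($1)
# against the pin baked into the client ($2). Prints accept or reject.
client_check_pin() {
  if [ "$(spki_pin "$1")" = "$2" ]; then echo accept; else echo reject; fi
}

# Self-signed certificate for key $1 with CN $2, written to $3.
self_signed() {
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 30 -out "$3" 2>/dev/null
}

demo_pinning() {
  # Legitimate server: one key, first certificate. The pin is computed from it
  # once and is what ships inside the client.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" >/dev/null 2>&1
  self_signed "$WORK/server.key" my-server "$WORK/server-v1.crt"
  pin="$(spki_pin "$WORK/server-v1.crt")"

  # Certificate rotation without a key change: same pin, client keeps working.
  self_signed "$WORK/server.key" my-server "$WORK/server-v2.crt"

  # Impostor: same CN, different key. Passes any "it is self-signed, ignore it"
  # logic; fails the pin because the public key differs.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/impostor.key" >/dev/null 2>&1
  self_signed "$WORK/impostor.key" my-server "$WORK/impostor.crt"

  v1="$(client_check_pin "$WORK/server-v1.crt" "$pin")"
  v2="$(client_check_pin "$WORK/server-v2.crt" "$pin")"
  imp="$(client_check_pin "$WORK/impostor.crt" "$pin")"
  echo "v1=$v1 v2=$v2 impostor=$imp"
}

demo_pinning   # v1=accept v2=accept impostor=reject
```

Pinning the public key rather than the whole certificate is the usual choice for a setup like this: the server can refresh its self-signed certificate (expiry, new SAN) freely, and only a key rotation requires shipping a new pin to the client, ideally alongside the old one for the transition.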
Client has a copy of server's self-signed certificate (it needs to be well protected).
Clients do not have a copy of the server certificate. They get it in the SSL handshake.
client checks if the certificates are the same.
NO! Clients will have the public certificates of the Certificate Authorities who would have signed the server certificate. They will validate the server cert with the CA cert, including things like certificate expiry and CRLs, not compare for 'sameness'.
In your case you are using self-signed certificates. The clients should be made to ignore the self-signed certificate and proceed with the SSL handshake.
I would recommend you read through SSL handshake sequence again.