Need to sort out some confusions here as I'm not very clear on this topic.
Currently I have purchased an SSL cert from a third party and submitted it to server support, and they have installed the necessary certs on the server. I can see from the Plesk panel that the .key, .crt and -ca.crt are installed.
But actually I have a requirement where the private key needs to be in RSA.
So my question is, can I convert the existing .key to RSA and upload it to overwrite the existing key? Or do I need to tell my vendor to redo the process to generate the key as RSA and then reinstall SSL again?
Related
A wildcard certificate from GoDaddy was recently purchased by my organization. While walking through the steps on GoDaddy's site to set up the cert, I typed in the domain name instead of uploading a CSR. Fast forward, this will be for Windows servers and I downloaded the certificate bundle. I see one PEM file and two CRT files. In short, the PEM file is really a certificate and not the private key. Since I did not upload a CSR and let GoDaddy do this, how do I get the private key?
I have a VPS with Apache2.
I have installed SSL before on my websites, but always from freeSSL or ZeroSSL; they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have been issued a year-long SSL service from Comodo SSL, and they sent me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no idea what to do... I tried Google but can't find any guide; they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) (extensions may vary but, as you know, on Linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the CSR can be generated by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you were asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: log in with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my web hosting service (Hostinger) to buy a Comodo SSL certificate. As I said, the email from Comodo didn't give me the key file BUT, after some hours the Comodo SSL service started showing in my web hosting control center and, going through some menus, I reached a button called "download SSL", which downloaded a ZIP with the same files PLUS the key file. This was very random and stated nowhere, and I found it by coincidence, but it is solved. Thanks. The other option was to reach Comodo or Hostinger for help.
I received following files from another department in my company which I am supposed to install on my Tomcat 8.5 Webserver in order to activate HTTPS and use TLS/SSL:
csr.pem
ca.pem
intermediate.pem
certificate.crt
Most tutorials I found online guide through the process of creating the keystore, generating a CSR and installing the certificate received afterwards. My company wishes to use its wildcard certificate, so the certificate and related files exist already.
I tried to generate a new keystore with my own private key and import the CA, intermediate and certificate into it, but I'm getting an error which says that the public key doesn't match my keystore.
I guess this is because I need to import the private key used to generate the CSR before. But since I don't have it, I want to make sure: is it possible to install the certificate without the private key (respectively, generating my own private key), or did they possibly forget to send it along?
Wildcard or not, a certificate without its associated private key is useless.
As they are used in asymmetrical cryptography, operations need the public key (contained in the certificate) and the private key (stored separately).
And they are generated together; you cannot have a certificate and then later on generate a new key and associate it with it. A CSR, which later becomes a certificate, includes some information derived from the private key.
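The key → CSR → certificate steps from the earlier answer and the "public key doesn't match" error from this question, as an added example that is not part of the original posts: it compares the public key embedded in each file. It assumes the `openssl` command-line tool is installed; the file names, the `example.test` subject and the helper function names are constructed for illustration, and a self-signed certificate stands in for the one a CA would issue.

```sh
#!/bin/sh
# Added example: key -> CSR -> certificate, then check which key belongs to the certificate.
set -eu

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1   # unreadable or wrong file type: fail instead of hashing nothing
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if KEY and CERT carry the same public key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
  key_d=$(pubkey_digest key "$1") || return 1
  cert_d=$(pubkey_digest cert "$2") || return 1
  [ "$key_d" = "$cert_d" ]
}

# Constructed sample data: a throwaway key, its CSR, a certificate made from that CSR
# (self-signed as a stand-in for the CA's signature) and an unrelated second key.
make_demo_files() {   # usage: make_demo_files DIR
  openssl genrsa -out "$1/site.key" 2048 2>/dev/null
  openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr"
  openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
    -out "$1/site.crt" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
echo "site.key  $(pubkey_digest key  "$demo_dir/site.key")"
echo "site.csr  $(pubkey_digest csr  "$demo_dir/site.csr")"
echo "site.crt  $(pubkey_digest cert "$demo_dir/site.crt")"
if key_matches_cert "$demo_dir/other.key" "$demo_dir/site.crt"; then
  echo "other.key matches site.crt"
else
  echo "other.key does NOT match site.crt: a newly generated key cannot serve it"
fi
rm -rf "$demo_dir"
```

Running `key_matches_cert` against the key and certificate you actually hold shows, before touching a keystore, whether the key you have is the one the certificate was issued for.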
I used this blog to get a Let's Encrypt certificate for an apache2 server on Windows via letsencrypt-win-simple's manual mode. The tool reports success and all files were generated; however, I can't find any documentation on what is what. My apache2 has a temporary self-signed certificate installed with a self-generated private key. I assume the tool created an entirely new private key and certificate signing request and did not use the existing private key to verify my certificate? Sorry for my confusion, but I just found explanations that show how confusingly and flexibly the formats can be used.
The tool generated the following (- my assumption what the file is):
myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
myurl.com-gen-key.json - Public key to send to the CA?
myurl.com-crt.pem - My certificate?
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
myurl.com-chain.pem - The chain of CAs used to create the certificate?
myurl.com-all.pfx - An encrypted file containing everything? Do I need to generate the files for my apache2 from this via openssl or can I use the others?
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result? But what is myurl.com-crt.pem then?
ca-CRYPTICODE-crt.der - Another certificate?
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Which files do I need to configure my apache2 with? Which files are private and never shared with anyone?
myurl.com-crt.pem - this is the SSLCertificateFile
myurl.com-key.pem - this is the SSLCertificateKeyFile
ca-CRYPTICODE-crt.pem - this is the SSLCertificateChainFile
You should specify these 3 files in the Apache virtual host configuration.
myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
Private key to sign the CSR and use in association with the eventual certificate.
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
Correct.
myurl.com-gen-key.json - Public key to send to the CA?
Don't know what it is but the CA doesn't need your public key: it is already in the CSR.
myurl.com-crt.pem - My certificate?
Correct.
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
No, this is another representation of the .pem file. It isn't encrypted.
myurl.com-chain.pem - The chain of CAs used to create the certificate?
Correct.
myurl.com-all.pfx - An encrypted file containing everything?
Correct.
Do I need to generate the files for my apache2 from this via openssl or can I use the others?
You can use this as a PKCS#12 keystore with Java, or the others with Apache HTTPS.
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result?
Looks like another CA certificate. Have a look at it with some PEM utility.
But what is myurl.com-crt.pem then?
Your signed certificate.
ca-CRYPTICODE-crt.der - Another certificate?
DER form of ca-CRYPTICODE-crt.pem.
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Pass. Probably used in the Let's Encrypt registration or verification process.
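An added example (not part of the original answers) for the two points above that a file is identified by its content rather than its extension and that the `.der` file is the same certificate in another encoding, not an encrypted one. It assumes the `openssl` command-line tool is installed; the `site-*` file names, the `example.test` subject and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify certificate-related files and compare PEM and DER encodings.
set -eu

# Classify a file by the PEM label it contains, falling back to a DER certificate probe.
classify() {   # usage: classify FILE
  label=$(tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
  case "$label" in
    *"PRIVATE KEY")  echo "private-key (secret)" ;;
    "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo "csr" ;;
    "CERTIFICATE")   echo "certificate-pem" ;;
    "") if openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
          echo "certificate-der"
        else
          echo "unknown"
        fi ;;
    *)  echo "other-pem:$label" ;;
  esac
}

# SHA-256 fingerprint of a certificate, whichever encoding the file uses.
cert_fingerprint() {   # usage: cert_fingerprint FILE
  case "$(classify "$1")" in
    certificate-pem) form=PEM ;;
    certificate-der) form=DER ;;
    *) return 1 ;;
  esac
  openssl x509 -inform "$form" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample files: key, self-signed certificate as PEM and DER, and a CSR.
make_samples() {   # usage: make_samples DIR
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
    -keyout "$1/site-key.pem" -out "$1/site-crt.pem" 2>/dev/null
  openssl x509 -in "$1/site-crt.pem" -outform DER -out "$1/site-crt.der"
  openssl req -new -key "$1/site-key.pem" -subj "/CN=example.test" -out "$1/site-csr.pem"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
for f in site-key.pem site-csr.pem site-crt.pem site-crt.der; do
  echo "$f: $(classify "$sample_dir/$f")"
done
echo "PEM fingerprint: $(cert_fingerprint "$sample_dir/site-crt.pem")"
echo "DER fingerprint: $(cert_fingerprint "$sample_dir/site-crt.der")"
rm -rf "$sample_dir"
```

Only the file classified as a private key has to stay secret; the CSR and the certificates contain nothing but public data.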
I am attempting to try to install my SSL certificate on a server and I have lost my key file that was generated when I was creating the CSR file for the SSL application. I am fairly certain that this is a unique file and simply creating a new CSR file won't make the key file that I need. Is there anything that I can do to get the same key and CSR file that I had before? I used GoDaddy to get the certificate if that makes any difference.
No, there's nothing you can do without the original key. Some CAs will reissue a certificate due to a lost key, others you'll be paying again.
Yes, there is a solution. Go to your GoDaddy account, SSL certs, and re-key it. Before this you have to create a new key and CSR. When you have the CSR, do what I said above, logging in to GoDaddy.