Letsencrypt generated files on windows - What is what? - ssl

I used this blog to get a Letsencrypt certificate for an apache2 server on Windows via letsencrypt-win-simple's manual mode. The tool reports success and all files were generated; however, I can't find any documentation on what is what. My apache2 has a temporary self-signed certificate installed with a self-generated private key. I assume the tool created an entirely new private key and certificate signing request and did not use the existing private key to verify my certificate? Sorry for my confusion, but I just found explanations that show how confusingly and flexibly the formats can be used.
The tool generated the following (after the dash: my assumption of what the file is):
myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
myurl.com-gen-key.json - Public key to send to the CA?
myurl.com-crt.pem - My certificate?
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
myurl.com-chain.pem - The chain of CAs used to create the certificate?
myurl.com-all.pfx - An encrypted file containing everything? Do I need to generate the files for my apache2 from this via openssl or can I use the others?
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result? But what is myurl.com-crt.pem then?
ca-CRYPTICODE-crt.der - Another certificate?
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Which files do I need to configure my apache2 with? Which files are private and never shared with anyone?

myurl.com-crt.pem - this is the SSLCertificateFile
myurl.com-key.pem - this is the SSLCertificateKeyFile
ca-CRYPTICODE-crt.pem - this is the SSLCertificateChainFile
You should specify these 3 files in the Apache virtual host configuration.

myurl.com-key.pem - Private key generated to encrypt the certificate signing request (csr) with?
Private key to sign the CSR and use in association with the eventual certificate.
myurl.com-csr.pem - The unsigned csr file?
myurl.com-gen-csr.json - Signed csr file in json to send to the CA?
Correct.
myurl.com-gen-key.json - Public key to send to the CA?
Don't know what it is but the CA doesn't need your public key: it is already in the CSR.
myurl.com-crt.pem - My certificate?
Correct.
myurl.com-crt.der - This file is encrypted, but why and what's the difference to myurl.com-crt.pem?
No, this is another representation of the .pem file. It isn't encrypted.
myurl.com-chain.pem - The chain of CAs used to create the certificate?
Correct.
myurl.com-all.pfx - An encrypted file containing everything?
Correct.
Do I need to generate the files for my apache2 from this via openssl or can I use the others?
You can use this as a PKCS#12 keystore with Java, or the others with Apache HTTPS.
ca-CRYPTICODE-crt.pem - Another certificate? Or is this the final result?
Looks like another CA certificate. Have a look at it with some PEM utility.
But what is myurl.com-crt.pem then?
Your signed certificate.
ca-CRYPTICODE-crt.der - Another certificate?
DER form of ca-CRYPTICODE-crt.pem.
Registration - Probably used for the registration process and not required anymore?
Signer - Probably used for the registration process and not required anymore?
Pass. Probably used in the Let's Encrypt registration or verification process.
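To check the answers above against the files themselves, the script below (an added illustration, not code from the question, the answers or letsencrypt-win-simple) classifies each file the way the answers describe: by its PEM header label, falling back to DER framing, and then shows that the .der file is the same certificate as the .pem file by comparing SHA-256 fingerprints before and after a DER-to-PEM conversion. It assumes an openssl binary on PATH and generates its own throwaway key and certificate, so every file name and its contents are constructed stand-ins for the real myurl.com-* files.

```shell
#!/bin/sh
# Added example, not from the original thread: tell the generated files apart
# with openssl and show that the .der file is a binary re-encoding of the .pem
# certificate, not an encrypted one. File names and the key pair below are
# constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Stand-ins for myurl.com-key.pem / -csr.pem / -crt.pem / -crt.der / -chain.pem.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myurl.example" \
    -keyout "$WORK/myurl-key.pem" -out "$WORK/myurl-crt.pem" 2>/dev/null
  openssl x509 -in "$WORK/myurl-crt.pem" -outform DER -out "$WORK/myurl-crt.der"
  openssl req -new -key "$WORK/myurl-key.pem" -subj "/CN=myurl.example" \
    -out "$WORK/myurl-csr.pem" 2>/dev/null
  # a chain file is just certificates concatenated; two copies are enough to show the count
  cat "$WORK/myurl-crt.pem" "$WORK/myurl-crt.pem" > "$WORK/myurl-chain.pem"
}

# Classify a file by its PEM label (CRLF tolerated), falling back to DER certificate framing.
what_is() {
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
    label=$(tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
      *"PRIVATE KEY")        echo PRIVATE-KEY ;;          # secret: never leaves the server
      "CERTIFICATE REQUEST") echo CERTIFICATE-REQUEST ;;  # only needed while requesting
      CERTIFICATE)           echo CERTIFICATE ;;          # public: fine to hand out
      *)                     echo "UNKNOWN ($label)" ;;
    esac
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
    echo DER-CERTIFICATE
  else
    echo UNKNOWN
  fi
}

# How many certificates a PEM file holds (1 for a leaf, more for a chain).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# SHA-256 fingerprint of a certificate; $1 file, $2 PEM or DER.
fingerprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DER -> PEM is a plain re-encoding; no password is involved at any point.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

make_sample
for f in myurl-key.pem myurl-csr.pem myurl-crt.pem myurl-crt.der myurl-chain.pem; do
  printf '%-18s %s\n' "$f" "$(what_is "$WORK/$f")"
done
der_to_pem "$WORK/myurl-crt.der" "$WORK/roundtrip.pem"
echo "chain holds $(cert_count "$WORK/myurl-chain.pem") certificates"
echo "pem fingerprint: $(fingerprint "$WORK/myurl-crt.pem" PEM)"
echo "der fingerprint: $(fingerprint "$WORK/myurl-crt.der" DER)"
```

The listing marks the key file as the one artifact that must stay on the server; the certificate, the DER copy and the chain are all public material, and the identical fingerprints show that converting between .pem and .der changes only the encoding.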

Related

How do I install SSL? No Key or CA, Only CRT

I have a VPS with Apache2.
I have installed SSL before on my websites, but always from freeSSL or ZeroSSL; they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace the old ones with them and all is peachy (I configured it once and just replace the files on reactivation).
Now I have ordered a year-long SSL service from Comodo SSL, and they sent me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no idea what to do... I tried Google but can't find any guide; they talk about CSRs or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) (extensions may vary but, as you know, on Linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the CSR can be generated by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, you were probably asked during the procedure to provide a key or let them generate one, and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: login with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a Comodo SSL certificate. As I said, the email from Comodo didn't give me the key file BUT, after some hours, the Comodo SSL service started showing in my webhosting control center and, going through some menus, I reached a button called "download SSL" that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence, but it is solved. Thanks. The other option was to reach Comodo or Hostinger for help.
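Once the key file turns up, the thing to confirm is that it is really the key belonging to the certificate. The script below is an added example (not from the question or the answers) that does that check with openssl by comparing the public key embedded in the certificate with the public half derived from the private key, and it also shows why the CSR is not the piece that matters: a CSR can be regenerated from the key at any time, while the key can never be recovered from the certificate. It assumes openssl on PATH; the key pairs, certificate and names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: check that a private key really
# belongs to a certificate by comparing the public key each one carries. The
# key pairs and names below are constructed for this demo.
set -eu
WORK=$(mktemp -d)

make_sample() {
  # private.key + certificate.crt that belong together
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=shop.example" \
    -keyout "$WORK/private.key" -out "$WORK/certificate.crt" 2>/dev/null
  # an unrelated key, e.g. one generated on a different server
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
}

# Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
# Public half derived from a private key, same encoding.
key_pubkey() { openssl pkey -in "$1" -pubout; }
# Public key carried by a CSR, same encoding.
csr_pubkey() { openssl req -in "$1" -noout -pubkey; }

# Returns 0 when key $1 and certificate $2 belong together.
key_matches_cert() { [ "$(key_pubkey "$1")" = "$(cert_pubkey "$2")" ]; }

# A CSR can always be regenerated from the key (the CA then has to sign it
# again); nothing regenerates the key from the certificate.
make_csr() { openssl req -new -key "$1" -subj "/CN=shop.example" -out "$2" 2>/dev/null; }

make_sample
if key_matches_cert "$WORK/private.key" "$WORK/certificate.crt"; then
  echo "private.key matches certificate.crt"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/certificate.crt"; then
  echo "other.key does NOT match certificate.crt: the server would fail to start TLS"
fi
make_csr "$WORK/private.key" "$WORK/request.csr"
echo "CSR regenerated from private.key carries the same public key"
```

Run the same comparison against the files from the "download SSL" ZIP before copying them into place; a mismatch means the ZIP holds a key from a different order, not the one the certificate was issued for.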

Enable SSL on SOLR with existing cert

I'm trying to enable SSL on SOLR with a SAN cert. I ran keytool.exe to generate the .jks file from the cert file. That process went fine. I copied the .jks file over to the /etc directory, and then I enabled SSL in the solr.in.cmd file. Then when I try to access the site, it tells me: "The client and server don't support a common SSL protocol version or cipher suite." Is the issue with the cert, or an issue with the way I generated the .jks file? Any help with this would be appreciated.
MORE INFO:
I learned that .cer files only contain the public key, and the private key is on the machine that generated the CSR. However, in this case, the machine that the cert is installed on is probably not the machine that the CSR was generated in. So, given this situation, how do I generate the keystore file to be used in SOLR?

Puppet cacert vs localcacert?

I'm trying to fix an issue related to an expired ca certificate.
I replaced the certificate located at /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem (with these instructions).
Then I restarted puppet-server, but agents still see an expired certificate.
I noticed there is also a value localcacert which points to a slightly different path etc/puppetlabs/puppet/ssl/certs/ca.pem.
I see this little snippet on Puppet documentation:
Where each client stores the CA certificate.
Default: $certdir/ca.pem
I'm confused by this. The description makes it sound like a folder where clients store certificates, yet the value is a single pem file.
Can anyone clarify the difference between these two ca pem files?
If I update one can I just overwrite the other with my new pem?
Can anyone clarify the difference between these two ca pem files?
The cacert setting is relevant only to the master. It specifies the location of the certificate with which the master's hosted CA will sign communications.
The localcacert setting specifies the location of the client's copy of the CA certificate (containing the public key, not the private one). This is what machines will use to verify certificates signed by the CA.
In both cases, you should not read too much into the word "location". These settings designate certificate files, not directories.
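Since cacert and localcacert are two separate files, an agent can keep verifying against an old copy after the server's file has been replaced. The script below is an added example (not from the question or the answer) that checks the two things worth checking in that situation with openssl: whether an agent's localcacert is the same certificate as the server's cacert (by SHA-256 fingerprint) and how far each file is from expiry (with openssl's -checkend). It assumes openssl on PATH; the certificates and paths are constructed stand-ins for /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem and .../ssl/certs/ca.pem.

```shell
#!/bin/sh
# Added example, not from the original thread: compare the CA certificate the
# server signs with (cacert) against an agent's copy (localcacert), and check
# how close each is to expiry. Files below are constructed for this demo.
set -eu
WORK=$(mktemp -d)

make_sample() {
  # the renewed CA certificate on the server, valid for one day in this demo
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca_crt.pem" 2>/dev/null
  # an agent that already copied the renewed certificate
  cp "$WORK/ca_crt.pem" "$WORK/fresh_agent_ca.pem"
  # an agent still holding a different (older) CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA" \
    -keyout "$WORK/stale_key.pem" -out "$WORK/stale_agent_ca.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Returns 0 when the agent copy ($2) is the same certificate as the server's ($1).
agent_in_sync() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# notAfter of a certificate, as openssl prints it.
not_after() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# Returns 0 if certificate $1 is still valid $2 seconds from now, 1 if it will have expired by then.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

make_sample
for agent in fresh_agent_ca.pem stale_agent_ca.pem; do
  if agent_in_sync "$WORK/ca_crt.pem" "$WORK/$agent"; then
    echo "$agent: same CA certificate as the server"
  else
    echo "$agent: DIFFERENT CA certificate (expires $(not_after "$WORK/$agent")), needs the new ca.pem"
  fi
done
if valid_for "$WORK/ca_crt.pem" 2592000; then
  echo "server CA certificate is good for at least 30 more days"
else
  echo "server CA certificate expires within 30 days: $(not_after "$WORK/ca_crt.pem")"
fi
```

The same two commands, run on a real agent's $certdir/ca.pem and the server's ca_crt.pem, tell you whether the agents are still comparing against the old certificate or whether the replacement itself is already near expiry.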

Google Cloud SSL/HTTPS Load Balancer

I am trying to set up an HTTP load balancer with SSL.
I have two files - certificate.pem and unencryptedkey.pem.
But the UI of google asks for three fields:
Public key certificate,
Certificate chain,
Private key
What goes where and where do I get the third one?
I managed to use only 2 but the browser asks for permission and that is wrong.
When you buy the SSL certificate you should get some more files. In my case, I got a .ca file (certificate chain), a .crt file (the certificate), a .csr file (the request), and a .key file (your private key)
You need
public key => the crt file
certificate chain => your ca file(s concatenated)
private key => your .key
My guess is that you have created the certificates yourself, i.e. you haven't purchased them from some certificate authority. With self-signed certificates the browser warns you, since the certificate's validity can't be verified by a certificate authority.
If this is the case, you should do some learning regarding certificates and how they work.
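The three fields map onto a certificate hierarchy: the leaf certificate, the intermediates that link it to a trusted root, and the leaf's private key. The script below is an added example (not from the question or the answers) that builds such a hierarchy with openssl, a constructed root, intermediate and leaf, writes out the three pieces the load balancer form asks for, and then verifies with openssl verify that the chain file really links the leaf to the root, including the failure you get when the chain is left out. It assumes openssl on PATH and uses its own minimal config so it does not depend on the system openssl.cnf; every name and file is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: build the three things the load
# balancer form asks for (leaf certificate, certificate chain, private key)
# from a constructed root -> intermediate -> leaf hierarchy, then verify that
# the chain actually links the leaf to the root. Every name below is made up.
set -eu
WORK=$(mktemp -d)

# Minimal openssl.cnf so the demo does not depend on the system config.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extensions for a CA certificate signed by another CA (the intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Sign a CSR: $1 csr, $2 issuer cert, $3 issuer key, $4 output, $5 extfile or "".
issue() {
  if [ -n "$5" ]; then
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 -extfile "$5" -out "$4" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 -out "$4" 2>/dev/null
  fi
}

make_hierarchy() {
  # self-signed root: what a browser would hold in its trust store
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # intermediate, signed by the root
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  issue "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/int.crt" "$WORK/ca.ext"
  # leaf for the site, signed by the intermediate: www.crt is the "Public key
  # certificate" field, www.key the "Private key" field
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example" -keyout "$WORK/www.key" -out "$WORK/www.csr" 2>/dev/null
  issue "$WORK/www.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/www.crt" ""
  # "Certificate chain" field: the intermediates concatenated, the leaf's issuer
  # first; the root is not needed because the client already trusts it
  cat "$WORK/int.crt" > "$WORK/chain.pem"
}

# Returns 0 when leaf $3 chains to trusted root $1 via chain file $2 ("" = no chain supplied).
chain_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

make_hierarchy
if chain_verifies "$WORK/root.crt" "$WORK/chain.pem" "$WORK/www.crt"; then
  echo "with chain.pem: leaf verifies up to the root"
fi
if ! chain_verifies "$WORK/root.crt" "" "$WORK/www.crt"; then
  echo "without chain.pem: verification fails, the intermediate is missing"
fi
```

With a purchased certificate the same verify command, run with the CA's root as -CAfile and your concatenated intermediates as -untrusted, confirms the chain field is complete before you paste it into the form; the self-signed case in the answer above fails it because no root outside your own files signs the leaf.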

Azure https with pfx file

I am trying to create an https endpoint for my Azure service. I was given a .p7b file that I converted into a .cer file. From the .cer I was able to convert to a .pfx with a few lines of C#.
using System.IO;
using System.Security.Cryptography.X509Certificates;
var cert = new X509Certificate2(@"certpath", "<password>"); // second argument truncated in the original post
var bytes = cert.Export(X509ContentType.Pfx, "password"); // exports only what was loaded from the .cer
File.WriteAllBytes(@"certpath\cert.pfx", bytes);
Now when I upload the cert to azure everything seems ok, I copy the thumbprint and try to upgrade with the new thumbprint as part of the end point and I get an error in azure.
Certificate with thumbprint 3FA490D1D4957942CD2ED545F6E823D0008796EA2 associated with HTTPS input endpoint "endpointName" does not contain private key.
How did you convert the .p7b to a .cer? Your problem is that .cer files don't contain the private key information, so when you exported it as a pfx, it doesn't have the information that it needs to work with SSL.
The easiest way to convert to a pfx is probably to import the certificate onto your local machine (using certmgr.msc), then export it making sure you select the "Yes, export the private key" option.
EDIT: After doing some more research after GregS' comment, the problem is still the same: your pfx doesn't have the private key it needs to work with SSL, but the cause is actually that the .p7b file doesn't have a private key to begin with. You need to use a different certificate. There is already a question related to this on Server Fault.
I had the same problem trying to generate .pfx for Azure. The p7b certificate was generated by Thawte. After some research I was able to make it work.
1. Generate a CSR (certificate request) from IIS. It could be your local IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9171
2. Generate the certificate based on the CSR. The CA takes care of this. If you are generating a self-signed certificate you could also do that from IIS. This is important because when you import it (step 3) IIS will verify that the certificate was generated there.
3. Import the certificate into your local IIS. It must be a .cer file. Just open your p7b file and you will see the certificate chain in there. Export your domain certificate to a .cer file. Then you can use it to import into IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10664
4. Export the certificate to .pfx from IIS. At this point the certificate contains the appropriate private key added by IIS. When you export it, IIS will ask you for a password.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10034
I had exactly the same problem as you once and here is the story of that:
Windows Azure, SSL, Self-Signed Certificate and Annoying HTTPS Input Endpoint Does Not Contain Private Key Error
Getting pfx file from SSL certificate from godaddy. Details here in case it helps.
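Both the Azure error above ("does not contain private key") and the SOLR keystore question earlier on this page come down to the same fact: a .cer or .p7b carries certificates only, so any PKCS#12 (.pfx/.p12) or Java keystore made from one has no key, and the key has to come from the machine that generated the CSR. The script below is an added example (not from either thread) that uses openssl to build a PKCS#12 from a PEM key and certificate, builds a second one from the certificate alone to reproduce the key-less case, tests each for the presence of a private key, and splits a bundle back into PEM parts. It assumes openssl on PATH; the key pair and the password "demo" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from either original thread: build a PKCS#12 (.pfx/.p12)
# from PEM parts, test whether a PKCS#12 actually carries a private key, and
# split one back into PEM. Key pair and password "demo" are constructed.
set -eu
WORK=$(mktemp -d)

make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=svc.example" \
    -keyout "$WORK/svc.key" -out "$WORK/svc.crt" 2>/dev/null
}

# key + certificate -> PKCS#12, the form Azure, IIS and Java keystores want.
# $1 key, $2 cert, $3 output, $4 password
build_pfx() { openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"; }

# certificate only -> PKCS#12 with no key: what you end up with when starting
# from a .cer or .p7b, and exactly what the Azure error complains about.
# $1 cert, $2 output, $3 password
build_cert_only_pfx() { openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"; }

# Prints yes if PKCS#12 $1 (password $2) contains a private key, else no.
pfx_has_key() {
  if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | grep -q 'PRIVATE KEY'; then
    echo yes
  else
    echo no
  fi
}

# Extract the PEM key ($3) and the PEM certificates ($4) back out of PKCS#12 $1.
pfx_split() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out "$4"
}

make_sample
build_pfx "$WORK/svc.key" "$WORK/svc.crt" "$WORK/svc.pfx" demo
build_cert_only_pfx "$WORK/svc.crt" "$WORK/certonly.pfx" demo
echo "svc.pfx (key + cert) has private key: $(pfx_has_key "$WORK/svc.pfx" demo)"
echo "certonly.pfx (cert only) has private key: $(pfx_has_key "$WORK/certonly.pfx" demo)"
pfx_split "$WORK/svc.pfx" demo "$WORK/svc-out.key" "$WORK/svc-out.crt"
echo "split svc.pfx into svc-out.key and svc-out.crt"
```

Run pfx_has_key on a .pfx before uploading it to Azure and a "no" tells you up front that the endpoint will reject it. For Solr, a key-bearing PKCS#12 produced this way can be used as the keystore directly (Java reads PKCS#12 natively, and solr.in.cmd has a SOLR_SSL_KEY_STORE_TYPE setting for it) instead of converting to JKS with keytool; a keystore built from the .cer alone will only ever hold a trusted certificate entry, with no key for the server to present.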