I have two different accounts of aws so the cert present on elb in one account,i want the same cert for different account because we have same dns.
How can i import same cert to different account as well.
When i try to get that cert and upload that cert with cert chain ,cert and private key it says certificate not in pem format. So that means get-server-cert api doesn't return pem format,it it?
Any help would be really appreciated.
Thankyou
When you export a server certificate from IAM, not enough information is returned to allow you to use the certificate elsewhere.
This is by design. It is a security feature.
You need to find the original private key. While you're at it, you can just use the original cert and chain files.
$ aws iam get-server-certificate --server-certificate-name ExampleCertificate
When the preceding command is successful, it returns the certificate, the certificate chain (if one was uploaded), and metadata about the certificate.
Note
You cannot download or retrieve a private key from IAM after you upload it.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#get-server-certificate
Assuming you are already ahead of me, here, and that you do have the original private key, you should be able to use the results from aws get-server-certificate for the cetificate and chain, because they should already be in PEM format, which looks like this:
-----BEGIN CERTIFICATE-----
...multiple lines of base64...
-----END CERTIFICATE-----
The certificate has exactly one such block, and the chain has one or more such blocks.
Your private key, in PEM format, looks similar, but has words other than CERTIFICATE in the boundary markers, such as RSA PRIVATE KEY.
Be sure the number of dashes on the left and right of each boundary marker is exactly 5.
Related
Question: When I use the UI to add a new SSL certificate to a Target HTTPS Proxy, I am expected to enter Certificate, Private Key and Certificate Chain. In the command line, it only asks for Certificate and Private Key. Am I missing something?
A brief summary on certificates
When you sign a certificate request (scr) basically you are signing a public key together with some useful information that links that public key to the domain, organisation or entity that should be the unique owner of the private key.
But you need to sign this public key to make sure you can check no one modified it, but which key whould you use to sign it? If you could use the corresponding private key, then everyone would be able to take ownership of every Domain, therefore you need to sign the certificate making use of the private key of a third trusted entity.
Of course you trust this entity thanks to a certificate that has been signed but an other entity and so on till you find a certificate that is self-signed.
This is the only way to end end a loop that would be infinite otherwise, this self signed certificate identifies a root certificate authority (CA), you have a list of them in your Browser.
You can as well self-sign your own certificate, but since it will be not in the default list in the browser they will see a warning saying that your website is not trustable.
Therefore you should provide a certificate, the chain and the private key to protect your traffic and show your identity, therefore why they ask for different information?
Basically they ask for the same but formatted in different ways:
For App Engine they ask a "PEM encoded X.509 public key certificate" and the key, from the documentation you can notice that the certificate is "your concatenated SSL certificate" therefore is the whole chain
With the gcloud command the certificate and the key is needed, again the certificate is "The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert." again is the whole chain.
From the console you will need to provide the same information but divided, your certificate that is the "Public key certificate", then the chain composed buy intermetiate and root and finally the private key.
However I agree that is misleading and that the same information should be asked always in the same way.
For example for google.com the complete chain is:
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
+5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
MqO5tzHpCvX2HzLc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
The first one is the Public key certificate, the second one is the chain since there is not intermediate and it is as well the root certificate.
You can decode the certificate for example here.
The first certificate belongs to Google
The second one to GeoTrust Inc.
I'm trying to fix an issue related to an expired ca certificate.
I replaced a the certificate located at /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem (with these instructions).
Then restarted puppet-server, but agents still see an expired certificate.
I noticed there is also a value localcacert which points to a slightly different path etc/puppetlabs/puppet/ssl/certs/ca.pem.
I see this little snippet on Puppet documentation:
Where each client stores the CA certificate.
Default: $certdir/ca.pem
I'm confused by this. The description makes it sound like a folder where clients store certificates, yet the value is a single pem file.
Can anyone clarify the difference between these two ca pem files?
If I update one can I just overwrite the other with my new pem?
Can anyone clarify the difference between these two ca pem files?
The cacert setting is relevant only to the master. It specifies the location of the certificate with which the master's hosted CA will sign communications.
The localcacert setting specifies the location of the client's copy of the CA certificate (containing the public key, not the private one). This is what machines will use to verify certificates signed by the CA.
In both cases, you should not read too much into the word "location". These settings designate certificate files, not directories.
I'm new to setting up ssl for curl. We were given a .cer file and the admin created a private.key. When we tried to associate the .cer with the private.key, the modulus's don't match. Is there a way to correct this? it would be easier to recreate the private.key with the proper modulus but I'm unsure how to do this without wrecking the openssl configuration.
any assistance would be appreciated!
Tom
Something wrong with the process here. You can't be just 'given' a certificate and then create a private key for it. The process goes like this:
You create a private key.
You create a certificate signing request (CSR).
You submit the CSR to some certificate authority (CA).
They verify your identity and then issue you a signed certificate.
The CSR and the signed certificate both contain the public key corresponding to the private key you first created.
I'm trying to renew my code signing certificate, which is used as a PFX (and password).
Godaddy, our cert provider provides instructions on generating a CSR, however this appears to be outdated for Windows 10.
I called godaddy and they told me to use csrgenerator.com to generate something like:
-----BEGIN CERTIFICATE REQUEST-----
foo
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
bar
-----END PRIVATE KEY-----
I then pasted the CSR into godaddy's site and they said once the cert is rekeyed, I can download .pem and .spc files.
How am I supposed to create a PFX with password from this? If I understand correctly, I need to generate a CSR from my machine. The godaddy rep assure me that csrgenerator.com is generating a csr for my machine, but I've no idea how it is getting added to my certificates using MMC, much less how am I going to export the cert to a PFX. Even though I have the private key section, I don't see it being applied anywhere.
I know this question was asked several months ago, but I wanted to include a reply in case it helps anyone in the future. (I came across this post when I was trying to accomplish the same thing)
Follow these instructions to create a PFX file from the GoDaddy certificate:
https://www.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698
If you cannot complete these steps because the PFX option is greyed out, then the CSR generated does now allow the private key to be exported. I'm pretty sure the GoDaddy instructions linked in the question above are only for Windows Server. However, I was able to complete the following instructions on Windows 10 to generate a CSR that allowed the private key to be exported: http://www.entrust.net/knowledge-base/technote.cfm?tn=8924
I'm having troubles making my Amazon-servers secure and I need some help here.
I purchased a wildcard cert, and the company sent me lots of different files:
DigiCertCA2.pem
mydomain.pem
TrustedRoot.pem
And all the files in one file as a chain, and also the same files in .crt -format.
Now I'm trying to install these to the Amazon Elastic Load Balancer, which keeps telling me that the key is in wrong format. Amazon asks for these:
Private Key:
Public Key Certificate:
Certificate Chain:
What do I put and where to make this work?
I got it to work! Yay!
Here's what I did for anyone else having hard times with this. :)
Amazon ELB will ask for "Private Key", which is the key that you created the first time you needed to give your certificate issuer the CRS-code. My key was in wrong format, which can be seen by looking at the beginning of the file. I had it like this:
-----BEGIN PRIVATE KEY-----
And it should be like this:
-----BEGIN RSA PRIVATE KEY-----
So I did this to convert it to the right format:
sudo openssl rsa -in mydomain.key -out mydomain_new.key
Then copy-paste the contents of the mydomain_new.key -file, into the "Private Key" -textarea.
Next is the "Public Key Certificate". This is the contents of mydomain.pem -file.
And finally it's turn for the "Certificate Chain". This is the contents of the DigiCertCA2.pem -file.
And that's it. Amazon accepted it beautifully without complaints.