SSL/TLS Configuration on server - ssl

I am working on CentOS 7. I have three blocks of text:
CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Public key:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Private key:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Also, I have an archive with:
mydomain.crt
mydomain.ca-bundle
and
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
As I understand it, I need to convert the CSR, Private Key and Public Key into files of the right format?
Then, add:
CSR and Private Key to /etc/nginx.conf
And set it via .conf by names?
But could anyone help me convert the CSR, Private Key and Public Key to the right formats?
Thank you!

You can discard the CSR or keep it for your reference. A CSR (Certificate Signing Request) is a document asking for a certificate; you already have the certificate, so the request is now only of historical interest.
You should put the private key text, including that header and footer, but no blank lines, into a file; let's call that privkey.pem. The private key is very important: your web server software needs to be able to read it in order to function, but nobody else should ever see this file, and you should not keep copies of it where they may be stolen.
You also need the mydomain.crt file and the mydomain.ca-bundle; you should concatenate them together. You can do this (carefully) with a text editor and save the result as fullchain.pem, or if you're comfortable on a Unix command line you can write
cat mydomain.crt mydomain.ca-bundle > fullchain.pem
In your nginx.conf you should find or create a server block and set parameters as follows, but with the correct full path names.
ssl_certificate /full/path/to/fullchain.pem;
ssl_certificate_key /full/path/to/privkey.pem;

Related

How do I correctly install certificates to make soap request on windows 10

I need to make a request to a soap service and it is protected with certificates.
I have installed the certificates as far as I am able to tell. However the soap request fails with handshake errors.
I have a bunch of certificate files given to me but I have no idea which ones are which.
So I have as follows (names changed to protect information)
MyCertificationAuthority.pem
MyCert.pem
MyCert2.pem
then I have what looks to be the same things in a different format.
MyCertificationAuthority.p7b
MyCert.p7b
then I have a single file named MyCert.pem, but it is smaller in file size than the other one of the same name and contains simply
-----BEGIN NEW CERTIFICATE REQUEST----- a lot of characters
-----END NEW CERTIFICATE REQUEST-----
I was told that this was the private key file, however if I check it using
openssl rsa
then it errors.
I have double clicked on the p7b files and installed the certificates in them using the default options and I have those certificates in the Certificate Management app in windows.
3 are in the Third-Party Certification Authorities folder
1 ended up in the Other People folder (which I have also copied into the Trusted Root Certification Authorities Folder)
4 have ended up in the Intermediate Certification Authorities Folder
All were installed for local computer rather than current user.
Now I am led to believe I should have a private key file too. However I cannot find where this could be.
What am I doing wrong? Where would I normally get the private key file from?
I would have thought the service side has the private key in order to verify that our certificate is valid?
MyCert.pem is as follows (with the actual data removed for privacy reasons)
subject=CN=********************** issuer=CN=************************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=**************** issuer=CN=*****************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=********************** issuer=CN=***********************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

vestacp error ssl intermediate chain is not valid

I am facing an issue at vestacp when passing the
SSL Certificate:
-----BEGIN CERTIFICATE-----
b5XsfsteyPAX9uLwiTctWC4TO9UsnjWKx2ZBt8q4WgQ5nrmkXUwv
-----END CERTIFICATE-----
SSL Key:
-----BEGIN RSA PRIVATE KEY-----
OOTW0NwF+ENrko9JHyLGZPOrk1w/+DElPHYZWMRXB/SJIsvehu/lgMpEEGgT
-----END RSA PRIVATE KEY-----
I have already checked my certificate result at this link: https://decoder.link/
It shows me my certificate is valid.
You should do the following:
In the SSL Certificate field:
Paste the contents of the certificate issued to your domain. In Windows you can usually verify this by simply double clicking (or opening) the .crt file. A window will pop up with information about the certificate. Just check under "Issued to:" and make sure it's issued to your domain.
In the SSL Key field
Paste the contents of the key that was created during the generation of the CSR. It usually begins with -----BEGIN RSA PRIVATE KEY-----
In the SSL Certificate Authority/Intermediate field
Paste the contents of the CA bundle certificate you received from your CA. That is the certificate without your domain name under "Issued to:" as explained in step 1.
Hope this helps someone. You can also read https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/ to understand certificate chains.

X.509 and Private Key Confusion

I have been given an X.509 certificate and a private key.
The certificate looks like:
-----BEGIN CERTIFICATE-----
MIICdzCCAeCgAwIBAgIGAOH4vsPYMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT
AlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT
GEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0wODEwMzExMjQyNDBaFw0wOTEw
MzExMjQyNDBaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw
LOTS OF LETTERS
SO MANY LETTERS
r8AmrDQ9VfrocQIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww
K9gtkPlKRDCaBDQ2xukycq4bv+EhEQPzPY+VeWGYzizl91K8knpI3VLLiJD0CNkb
UvSoj/wZv0zWf13oMgMyUbrFygpHVmA2uYwi6kFKXy/D2vGXUsrEgFqP6xFvgUA3
JDIblstGT383+IY=
-----END CERTIFICATE-----
and the private key looks like
-----BEGIN PRIVATE KEY-----
Lots of letters here as well
-----END PRIVATE KEY-----
I believe I need this certificate because I must use a plugin called Elastic Fox in order to properly connect to our AWS account. I am confused about how to add this certificate to Firefox / how to use the certificate and private key.
I attempted to save both the certificate and private key in one .pem file and import that to FF via: Edit > Preferences > Advanced > View Certificates > Your Certificates > Import, but I was told to enter some password that I do not know/have:
I attempted to save just the private key portion as a .key file in ~/.ssh/id_rsa , but that did not work.
Can someone ELI5 to me how to add this certificate properly and what to do with the private key? (Ubuntu 12.04)

How do I split a multi-valued p12 certificate into separate certificates

I am attempting to integrate with Apple PNs and I currently have a p12 certificate that has both the Sandbox and Production certs within it. But I have read that Java SSL will only read the first one, and that JavaPNS (the APN client I am using) says to use separate certs for this reason.
So using something like openssl, how can I take my current cert and separate it out into 2 new certs, one for the Sandbox and one for Production?
This has nothing to do with APN, it's just about splitting a p12 cert.
As you previously mentioned, you can use OpenSSL to change the p12 format to a PEM format. The PEM format would be accepted, but it is also not secured with a password, so make sure you get what you need.
openssl pkcs12 -in yourcertificates.p12 -out certificates.pem -nodes
This will put everything in one file, so you will have to open the PEM file in a text editor and take out the required files.
Certificates are separated by
-----BEGIN CERTIFICATE-----
Content
-----END CERTIFICATE-----
Keys would be separated by
-----BEGIN RSA PRIVATE KEY-----
Content
-----END RSA PRIVATE KEY-----
Please update your question if you need any more information.

one PEM file with private key and certificate into JKS

I have a JKS keystore in a client application and I have been given one PEM file containing both the private key and the certificate to use for SOAP signature. The PEM file looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
First question: how do I correctly import this PEM into the JKS?
Second question: given that the private key isn't password protected, is it possible to add a password to it before importing it into the JKS keystore?
Thanks!
If you prefer a GUI solution I would take Portecle. This simple key store management tool allows you to create a JKS and then import the cert and private key.
I am not sure if you can import the cert and key from the same combined PEM file as you have it, but maybe the "Import Key Pair" command of Portecle works with such a file.
If not you can simply split the PEM file directly after the -----END RSA PRIVATE KEY----- line into two PEM files and import them separately.
After importing, when you save the JKS Portecle will ask you for a password.
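The first answer on this page (private key into privkey.pem, certificate plus CA bundle into fullchain.pem), the p12 answer (split the PEM that openssl pkcs12 writes) and the Portecle answer (cut the combined PEM after the END RSA PRIVATE KEY line) all come down to sorting PEM blocks into separate files. The script below is an added example, not code from any of the posts: it does that split, drops blank lines, rejects a block whose body is not base64-encoded DER (a damaged copy-paste), and skips the subject=/issuer= lines openssl prints between certificates. The output file names and the STUB body are constructed placeholders, not real certificate data.

```python
import base64
import re

# One PEM block; the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def kind_of(label):  # classify a PEM label the way the answers sort blocks into files
    if label.endswith("PRIVATE KEY"):
        return "key"
    if label.endswith("CERTIFICATE REQUEST"):  # also covers 'NEW CERTIFICATE REQUEST'
        return "csr"
    if label.endswith("CERTIFICATE"):
        return "cert"
    return "pubkey" if label.endswith("PUBLIC KEY") else "other"

def parse_pem(text):
    """Return [(kind, label, canonical_block)] for every block in text: text between
    blocks is skipped, blank lines dropped, base64 re-wrapped at 64 columns."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        if not der or der[0] != 0x30:  # every cert/key/CSR is a DER SEQUENCE
            raise ValueError(f"{label} block does not decode to DER ASN.1")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        block = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
        blocks.append((kind_of(label), label, block + "\n"))
    return blocks

def split_pem(text):
    """Map file names to contents: one file per block, plus fullchain.pem with all certs in order."""
    files, counts, certs = {}, {}, []
    for kind, _label, block in parse_pem(text):
        counts[kind] = counts.get(kind, 0) + 1
        files[f"{kind}-{counts[kind]}.pem"] = block
        if kind == "cert":
            certs.append(block)
    if certs:
        files["fullchain.pem"] = "".join(certs)  # what nginx's ssl_certificate should point at
    return files

# Constructed sample: STUB is a minimal DER SEQUENCE standing in for real base64 bodies.
STUB = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = (f"subject=CN=example issuer=CN=example-ca\n-----BEGIN CERTIFICATE-----\n{STUB}\n\n"
          f"-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\n{STUB}\n"
          f"-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n{STUB}\n-----END CERTIFICATE-----\n")
```

Write each entry of split_pem(open("certificates.pem").read()) to its own file; key-1.pem is the privkey.pem of the first answer and the cert-N.pem files are the separate certificates the p12 and Portecle answers ask for.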