I'm new to setting up ssl for curl. We were given a .cer file and the admin created a private.key. When we tried to associate the .cer with the private.key, the modulus's don't match. Is there a way to correct this? it would be easier to recreate the private.key with the proper modulus but I'm unsure how to do this without wrecking the openssl configuration.
any assistance would be appreciated!
Tom
Something wrong with the process here. You can't be just 'given' a certificate and then create a private key for it. The process goes like this:
You create a private key.
You create a certificate signing request (CSR).
You submit the CSR to some certificate authority (CA).
They verify your identity and then issue you a signed certificate.
The CSR and the signed certificate both contain the public key corresponding to the private key you first created.
Related
I'm trying to install an SSL Certificate on my website, I bought the certificate online but they didn't give me a private key file, I got a pem file instead. Is their any way I can generate the private key file from the pem file?
I'm using a Mac and tried OpenSSL to generate the key file:
openssl rsa -in myfile.pem -out private.key
But this gave me the following error:
unable to load Private Key
4781944428:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY
Any help is greatly appreciated!
Usually the private key is generated on your web server through the web server software or else using openssl.
When you buy a certificate online from a certificate authority, you generate a certificate request, and send it to the authority. The cert request doesn't have the private key, only a signature from the private key, so that's why you can't extract it from the pem file they sent you back.
You need to look at the software you used to generate the certificate request. If you didn't do this, and the company you bought the cert didn't require it, they may be a hosting provider who has the private keys.
I received following files from another department in my company which I am supposed to install on my Tomcat 8.5 Webserver in order to activate HTTPS and use TLS/SSL:
csr.pem
ca.pem
intermediate.pem
certificate.crt
Most tutorials I found online guide through the process of creating the keystore, generating a CSR and installing the certificate received afterwards. My company wishes to use it's wildcard certificate, so the certificate and related files exist already.
I tried to generate a new keystore with my own private key & import ca, intermediate & certificate in it, but I'm getting an error which says that the public key doesn't match with my keystore.
I guess, this is because I need to import the private key used to generate the CSR before. But since I don't have it, I want to make sure - is it possible to install the certificate without the private key (respectively generating my own private key) or did they possible forget to send it along?
Wildcard or not, a certificate without its associated private key is useless.
As they are used in asymetrical cryptography, operations need the public key (contained in the certificate) and the private key (stored separately).
And they are generated together, you can not have a certificate and then later on generate a new key and associate with it. A CSR, which later becomes a certificate, includes some information derived from the private key.
I'm a newbie in computer security and I have a basic question whose answer I've not been able to find out.
I have a private key whose validity period has expired. Using that key I'd previously generated a .csr and sent it to a CA and they'd given me a certificate that's still valid.
My question is, can I (using keytool or whatever...) modify the private key's expiration date in order to use it with my certificate (.cer). Could I regenerate a private key to be used with this certificate?
Thank you,
No.
The validity period is in the certificate, not the private key. Certificates cannot be modified, and the only entities that can generate valid certificates are the certificate authorities.
You will have to pay for a new certificate. Certificate expiration is a safety measure, but also a way to get recurring customers.
keytool -genkeypair does more than generating a key pair: it generates a pair of public and private key, and wraps the public key into a self-signed X.509 certificate generated on the spot with the various options given (-dname, -validity, ...). It puts them together into the alias you choose (a private key entry will associate a private key and a certificate, or a certificate chain of length 1, to be precise).
Those options affect this self-signed X.509 certificate, not the key pair itself.
Normally, if you don't want to use a self-signed certificate, you produce a CSR based on this public key and the characteristics of this self-signed X.509 certificate (the structure of a CSR is in fact very similar to that of a self-signed certificate, but it doesn't have issuer or validity dates). That CSR is then used by your CA to issue an X.509 certificate (this time, signed by that CA).
You are meant to import it again into that alias, to be able to use the certificate with its private key. If your self-signed certificate (or an older certificate matching this private key) has expired, re-import the certificate that is still valid.
In fact, if there are intermediate certificates, you should not only import that certificate, but the certificate chain (see this question and this question).
If your .cer file is in DER format (binary) and not PEM format (base64-encoding of the DER format), you can convert it into PEM using openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.crt and use the result to build the chain and import it.
Amazon Cloudfront is giving me errors, either my private key doesn't match my public key certificate or my public key certificate cannot be parsed as it's invalid.
Using Godaddy for my SSL certificate middle man/provider, I got a:
.pem whoose contents beings with "-----BEGIN RSA PRIVATE KEY-----"
(I'm assuming that's my private key)
Inside Godaddy I am able to download some certs for the SSL, they are:
.crt (type = Security Certificate)
.p7b (type = PKCS #7 Certificate)
Is one of the above my public key? Or is there another way I am supposed to get my public key?
I have encountered this issue before with bad CSR Request.
According to GoDaddy:
To install a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA). The CSR contains your certificate-application information, including your public key. Use your Web server software to generate the CSR, which will also create your public/private key pair used for encrypting and decrypting secure transactions.
http://support.godaddy.com/help/article/5343/generating-a-certificate-signing-request
It also states: NOTE: When generating your CSR, specify a key size of 2048 or higher.
The key size is sometimes the culprit. Hope it helps.
I'm confused about something in the SSL renewal process using WHM/cPanel for an existing Comodo Extended Validation cert.
We have been issued a replacement certificate by Comodo without - I believe - every submitting a CSR for them. I say "I believe" because there are 3 people with access to WHM for this server, but I'm assured that no one has been fiddling in the last year.
Does this sound possible? CAN a cert be supplied without a CSR if it's a replacement? I will attempt to get hold of Comodo but being a weekend, and seeing that the old cert runs out in a day I thought I'd consult the stackHiveMind :)
More info:
As a test, I've tried to install the new cert and 'fetch' the existing private key, but when I try to submit that I get the following error:
SSL install aborted due to error: Modulus mismatch, key file does not match certificate. Please use the correct key file
In some cases, yes, you can. Assuming you have an RSA private key in PEM format, this will extract the public key (it won't generate a certificate):
openssl rsa -in key.pem -pubout -out pubkey.pem
This will create a new CSR with the public key, obtained from the private key file.
openssl req -new -key key.pem -out host.csr
Note that, strictly speaking, a CA doesn't need you to submit a CSR to issue a certificate. All it needs is the public key (to which it will have access through your existing cert). It could potentially attach any Subject DN and attribute and issue it as a certificate without any need to contact you. Of course such practices might be incompatible with their policies, but technically, it's possible. The CSR is merely a convenient format for you to send a public key to request a certificate, and submit the name and attributes you would like (which you all sign together).
SSL install aborted due to error: Modulus mismatch, key file does not
match certificate. Please use the correct key file
Provided you've done the certificate operations properly, this could indicate that the new certificate you've been issued has been issued against a different key-pair than yours. This could indicate foul play, because someone else could have issued a CSR with their own key-pair and have had this certificate issued to them (which could be quite worrying since you're talking of an EV cert too, which is supposed to have additional protections against this.)
I would suggest checking with your colleagues if any have requested a new certificate or contacting your CA to find out why you've received a new certificate. Renewing the certificate using the previous public key might be part of their existing package. If it's using the same public key, it's not a problem, although it's better practice to change the key material, i.e. submit a CSR coming from a new key-pair, when renewing a certificate.