This is my first time setting up HTTPS (2016. Scary, I know) and I am having trouble migrating a certificate from a server running CPanel.
There seems to be no Export button so I assume I can create myself an SSL certificate simply by copying the different keys I have:
Unfortunately I dont know how the file should be saved (I assume as *.domain.com.crt as mentioned in DigitalOcean. Yet I see they need other certificates (such as intermediate cert). Anothe unfortunality is that the site was hosted and run by an external manager so I dont have root access to export the ssl certificate using CLI.
How can I get around this?
Do I have to buy a new certificate?
Thanks
Copying an SSL from server to server is, sadly, no easy matter. The SSL was generated from a CSR specific to the server itself, so it is very likely the SSL certificate itself is not valid on the new server.
If the SSL was self-signed, you can just make a new one on the new server using this command:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
If it was a SSL you paid for, contact the SSL provider to work with them to regenerate it for the new server.
Alternatively, you can use cert-bot to make a whole new SSL on the new server pretty quickly.
Related
the scenario is the following:
I created a selfsigned SAN certificate bundling different intranet-domains, hosted on different machines and OS. The certificate is working as expected when being used by apache-services on CentOS and nginx-services on Docker, but when I tried using the same certificate for a domain being hosted on a Microsoft IIS, I get a 502 Bad Gateway error.
From my understanding, even a faulty certificate should not trigger a 502 error, should it? And seeing as all other domains on different scenarios work just fine, I presume I did something wrong.
So this is my process for creating and exporting the certificate to IIS:
openssl req -x509 -newkey rsa:2048 -nodes -keyout cert.key -out cert-crt -days 365 -config san.cnf
san.cnf is a config describing the different domains I need etc. After creating certificate and private key, I export a .pfx version of the certificate with the following command:
openssl pkcs 12 -export -out cert.pfx -inkey cert.key -in cert.crt
I then import said .pfx file to IIS using the import function in the server certificate feature menu and configure the https:// binding of the domain to use this certificate. After restarting the webservice, I get 502 Bad gateway errors when trying to access the page.
Is there anything I am missing?
Thx in advance for any hints, I suspect it's plain stupidity on my part once again :D
Which kind of web service did you create? For the WCF service, please enable HTTP activation in the Window features.
For the usage of the SAN certificate, we need to configure a binding for every domain name accordingly in the web site binding module.
Like the below figure.
Particularly, there is no need to tick the below option since this kind of certificate support Subject Alternative Name. These bindings use the same certificate.
At last, I suggest you bind another certificate to verify whether the certificate caused this issue.
Feel free to let me know if the problem persists.
I have set up a LAMP server with phpmyadmin. I have apache2 configured (through the Headers mod) to only allow SSL connections, but this is keeping me from accessing phpmyadmin on the LAN. When I setup a subdomain and LetsEncrypt cert I have no problem accessing phpmyadmin (phpmyadmin.example.com), but if I try to access it from the LAN or on the server itself, I can't do so securely, so I can't log in.
Well, on the actual server I can just jam https://localhost/phpmyadmin into the browser and accept the insecure connection warning, but that doesn't work when using a different computer on the LAN (https://server-name/phpmyadmin). I'm not crazy about having phpmyadmin accessible to the outside, even with password protection.
Is there a way to establish a secure connection on a LAN, or do I need some way to exempt the /phpmyadmin folder from the SSL requirement? Can this be done for LAN connections only?
You have to access the URL using the same hostname which was provided as CN or SAN during certificate generation.
Since you want to access the application locally using localhost and any CA will not sign your certificate which has CN value localhost, you need to live with slef sign certificate generated against localhost and import to your keystore.
Command to generate self-signed certificate against localhost:
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Here is an article on the same.
I am generating a simple self-signed certificate via a simple PowerShell script leveraging openssl and then use the pfx certificate in a simple ASP.NET Core 2.0 application for enabling HTTPS)
function New-SelfSignedCertificate([string] $BaseName = 'localhost', $CommonName = 'localhost', [UInt16] $DayCount, [string] $Pass = 'somepassword')
{
&openssl req -new -x509 -newkey rsa:2048 -keyout "$BaseName.key" -out "$BaseName.cer" -days "$DayCount" -subj /CN="$CommonName" -passout "pass:$Pass"
&openssl pkcs12 -export -password "pass:$Pass" -passin "pass:$Pass" -out "$BaseName.pfx" -inkey "$BaseName.key" -in "$BaseName.cer"
Remove-Item -Path "$BaseName.key"
Remove-Item -Path "$BaseName.cer"
Remove-Item -Path '.rnd'
}
The problem of my certificate is that it triggers a lot of warnings on every browser: Chrome, Opera, Firefox (e.g. SEC_ERROR_UNKNOWN_ISSUER), IE11 (e.g. DLG_FLAGS_INVALID_CA) and Edge (DLG_FLAGS_INVALID_CA and DLG_FLAGS_SEC_CERT_CN_INVALID), is there anything I can do at the generation to avoid those warnings? (i.e. besides adding manually the certificate to the Trusted Root category)
Seems the issuer cannot be identified, I mean how can the certificate can be judged in way that the browser would say without a user intervention: "ok you can go to the Trusted Root Certificate Authorities."? (i.e. looking for convenience during development stage).
is there anything I can do at the generation to avoid those warnings? (i.e. besides adding manually the certificate to the Trusted Root category)
Either you don't understand the concept behind trusting a certificate or I don't understand your problem. The main idea behind the certificate validation is that the browser will detect if some hacker is diverting or intercepting your connection in order to impersonate some trusted site or to sniff sensitive (encrypted) data during a man in the middle attack.
If anybody could automatically add a CA or a certificate as trusted to the browser, i.e. without any notice to the user, then anybody could create a certificate for an arbitrary web site (like paypal.com, google.com..) and use this inside such an attack without the browser being able to detect the attack.
I mean how can the certificate can be judged in way that the browser would say without a user intervention: "ok you can go to the Trusted Root Certificate Authorities."?
This can not be set in any way by the certificate itself. Only the user or administrator or the developer of the system/browser can decide if a new CA should be considered trusted.
I need to know the proper way to setup the MobileFirst Application Center to use SSL (due to the requirement for supporting iOS v9 devices).
MobileFirst is v7.1 running on WebSphere Application Server ND v8.5.5.0.
I have reviewed the instructions from here:
https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.installconfig.doc/appcenter/c_ac_ssl_config.html
I was then navigated to here:
https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.installconfig.doc/admin/c_ssl_config.html%23c_ssl_config?lang=en
As advised, I created a self-signed certificate, like so:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
The above two pages imply that all I need to do is to create a self-signed CA certificate and upload it to the AppCenter console.
Whilst this will allow the App Center Client to distribute the certificate for installation on the devices, I do not see how the "server-side" should be setup?
On the first link above, there is a sub-link to 'setting up SSL for WAS Full Profile', but, those instructions are for using a "proper" certificate and not a self-signed CA certificate.
Am I missing something obvious here? Creating the self-signed CA certificate and distributing it to the client device seems like only 1/2 a job. I don't understand how, when using the Application Center Client, I enter the [user/pwd hostname/9443/applicationcenter] details and it will connect and authenticate using SSL to the Application Center.
Are there any straight forward instructions (or advice) that explain what the proper process is to setup Application Center for SSL to allow for iOS v9 devices to securely connect to the Application Center?
WAS does not care if the certificate you are using is self-signed or not. So the instructions in the first link you referenced are still applicable (except that, if you already have this certificate, you don't need to create a certificate signing request, so step #1 in the doc isn't necessary).
There is a blog post here that discusses how to configure your server to work with iOS 9 App Transport Security. This is not specific to Application Center.
I'm using amazon web service.
I'm using linux instance
I'm using GoDaddy SSL.
I'm following this steps:
http://jafty.com/blog/installing-godaddy-ssl-certificate-on-amazon-ec2/
I'm stuck at this point:
Generating a Certificate Signing Request (CSR) - Apache 2.x
Enter the following at the command prompt:openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
what I did was
openssl req -new -newkey rsa:2048 -nodes -keyout 180.21.80.1.key -out 180.21.80.1.csr
I used the public IP address of my t1 instance.
I have generated a key and CSR files.
180.21.80.1.key
180.21.80.1.csr
like this. Now its ready to copy and paste in go daddy.
my question is:
Is what I'm doing correct?
Do I have to create a name for my IP address, like domains?
Is it okay if I make mistakes? It's editable, right?
With reference to the link you mentioned try following steps
Ensure that you have installed mod_ssl and it is running.
Upload your certificates on Instance say /home/ec2-user/ssl
Edit /etc/httpd/conf.d/ssl.conf
Find below lines and replace accordingly (Verify the filename and
path are correct)
SSLCertificateFile /home/ec2-user/ssl/certs/site.com.crt
SSLCertificateKeyFile /home/ec2-user/ssl/keys/site.key
SSLCACertificateFile /home/ec2-user/ssl/ssl_files/gd_bundle.crt
Restart Apache
That looks right. Generally people don't use ip addresses as names of certs and csr's, they use hostnames, but I don't see why it wouldn't work. Also it's SUPER easy to add it to an ELB(aws load balancer) as opposed to configuring apache for it, so if you have your server(s) hidden behind an ELB, or you think you will add more servers at a later point it can be a little more convenient.