Amazon Elastic Load Balancer SSL certificate installing How To - ssl

I'm having trouble making my Amazon servers secure and I need some help here.
I purchased a wildcard cert, and the company sent me lots of different files:
DigiCertCA2.pem
mydomain.pem
TrustedRoot.pem
And all the files in one file as a chain, and also the same files in .crt format.
Now I'm trying to install these on the Amazon Elastic Load Balancer, which keeps telling me that the key is in the wrong format. Amazon asks for these:
Private Key:
Public Key Certificate:
Certificate Chain:
What do I put and where to make this work?

I got it to work! Yay!
Here's what I did for anyone else having hard times with this. :)
Amazon ELB will ask for "Private Key", which is the key that you created the first time you needed to give your certificate issuer the CSR. My key was in the wrong format, which can be seen by looking at the beginning of the file. I had it like this:
-----BEGIN PRIVATE KEY-----
And it should be like this:
-----BEGIN RSA PRIVATE KEY-----
So I did this to convert it to the right format:
sudo openssl rsa -in mydomain.key -out mydomain_new.key
Then copy-paste the contents of the mydomain_new.key file into the "Private Key" text area.
Next is the "Public Key Certificate". This is the contents of the mydomain.pem file.
And finally it's the turn of the "Certificate Chain". This is the contents of the DigiCertCA2.pem file.
And that's it. Amazon accepted it beautifully without complaints.
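A scripted version of the steps in the answer above, as an added example that is not part of the original post: it reports which PEM container the key uses, performs the same `openssl rsa` conversion, and then checks locally that the key really belongs to the certificate and that the chain file validates it, before anything is pasted into the console. The file names (mydomain.key, mydomain.pem, DigiCertCA2.pem, TrustedRoot.pem) follow the question; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumed file names follow the
# question: mydomain.key (private key), mydomain.pem (leaf certificate),
# DigiCertCA2.pem (intermediate = "Certificate Chain"), TrustedRoot.pem (root).

# Label inside the first PEM boundary of a key file:
#   "PRIVATE KEY"     -> PKCS#8 container (what the poster had)
#   "RSA PRIVATE KEY" -> PKCS#1 container (what the console accepted)
key_format() {
    head -n 1 "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Rewrite a key as an unencrypted PKCS#1 file, the same conversion as
# "openssl rsa -in mydomain.key -out mydomain_new.key" in the answer.
# OpenSSL 3.x writes PKCS#8 unless -traditional is given; OpenSSL 1.x and
# LibreSSL do not know that flag but already write PKCS#1, hence the fallback.
to_pkcs1() {   # in out
    openssl rsa -in "$1" -out "$2" -traditional </dev/null 2>/dev/null ||
        openssl rsa -in "$1" -out "$2" </dev/null
}

# The "Public Key Certificate and Private Key doesn't match" check, done locally:
# the public key derived from the private key must equal the one in the cert.
# Comparing public keys instead of moduli also covers EC keys.
key_matches_cert() {   # key cert
    k=$(openssl pkey -in "$1" -pubout </dev/null 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The "Certificate Chain" field holds the intermediate(s) only; confirm that the
# leaf chains through them up to the vendor's root before uploading anything.
chain_verifies() {   # leaf chain root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage (hypothetical file names):
#   [ "$(key_format mydomain.key)" = "RSA PRIVATE KEY" ] || to_pkcs1 mydomain.key mydomain_new.key
#   key_matches_cert mydomain_new.key mydomain.pem &&
#       chain_verifies mydomain.pem DigiCertCA2.pem TrustedRoot.pem
```

The key has to be unencrypted for these helpers (and for the upload form): an encrypted key would make `openssl` prompt for a passphrase, which the `</dev/null` redirections turn into a clean failure instead of a hang.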

Related

Generate Private Key From PEM File

I'm trying to install an SSL Certificate on my website. I bought the certificate online but they didn't give me a private key file; I got a pem file instead. Is there any way I can generate the private key file from the pem file?
I'm using a Mac and tried OpenSSL to generate the key file:
openssl rsa -in myfile.pem -out private.key
But this gave me the following error:
unable to load Private Key
4781944428:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY
Any help is greatly appreciated!
Usually the private key is generated on your web server through the web server software or else using openssl.
When you buy a certificate online from a certificate authority, you generate a certificate request, and send it to the authority. The cert request doesn't have the private key, only a signature from the private key, so that's why you can't extract it from the pem file they sent you back.
You need to look at the software you used to generate the certificate request. If you didn't do this, and the company you bought the cert didn't require it, they may be a hosting provider who has the private keys.

How to import aws elb cert from one account to another?

I have two different AWS accounts, so the cert is present on the ELB in one account; I want the same cert for the other account because we have the same DNS.
How can I import the same cert into the other account as well?
When I try to get that cert and upload that cert with cert chain, cert and private key, it says certificate not in PEM format. So that means the get-server-cert API doesn't return PEM format, does it?
Any help would be really appreciated.
Thank you
When you export a server certificate from IAM, not enough information is returned to allow you to use the certificate elsewhere.
This is by design. It is a security feature.
You need to find the original private key. While you're at it, you can just use the original cert and chain files.
$ aws iam get-server-certificate --server-certificate-name ExampleCertificate
When the preceding command is successful, it returns the certificate, the certificate chain (if one was uploaded), and metadata about the certificate.
Note
You cannot download or retrieve a private key from IAM after you upload it.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html#get-server-certificate
Assuming you are already ahead of me, here, and that you do have the original private key, you should be able to use the results from aws get-server-certificate for the certificate and chain, because they should already be in PEM format, which looks like this:
-----BEGIN CERTIFICATE-----
...multiple lines of base64...
-----END CERTIFICATE-----
The certificate has exactly one such block, and the chain has one or more such blocks.
Your private key, in PEM format, looks similar, but has words other than CERTIFICATE in the boundary markers, such as RSA PRIVATE KEY.
Be sure the number of dashes on the left and right of each boundary marker is exactly 5.

java.lang.Exception: `Input not an X.509 certificate` when importing .pem certificate

I have created a self-signed certificate with makecert, exported it with private key to .pfx file and imported on the server. Then I copied one on the client and tried importing it using keytool. Got an error Input is not an X.509 certificate.
So I converted .pfx certificate to .pem using openssl and tried again - same result.
I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single certificate PEM files. Even though mine is a single certificate, PEM file contains private key information:
-----BEGIN PRIVATE KEY----
-----END PRIVATE KEY------
----BEGIN CERTIFICATE-----
----END CERTIFICATE-------
So I am not sure what should be my next step to ensure import will work when done with keytool on the client.
Can anyone shed some light on this issue?
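The question above has no answer on the page. As an added example (not from the poster), here is how to carve the single CERTIFICATE block out of a combined PEM like the one shown, so that keytool receives the one-certificate file it expects rather than a file that also carries the private key. The extractor matches the standard five-dash boundaries only; file, alias and keystore names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question. Assumed input: combined.pem
# holding a PRIVATE KEY block followed by a CERTIFICATE block, as in the post.

# Print the n-th block (default: first) of the given PEM label, boundaries
# included. Only lines that are exactly "-----BEGIN <label>-----" and
# "-----END <label>-----" are treated as boundaries.
pem_extract() {   # file label [n]
    awk -v type="$2" -v want="${3:-1}" '
        BEGIN { b = "-----BEGIN " type "-----"; e = "-----END " type "-----" }
        $0 == b { n++; p = (n == want) }
        p { print }
        $0 == e { p = 0 }
    ' "$1"
}

# How many blocks of a label the file holds (0 if none).
pem_count() {   # file label
    grep -c "^-----BEGIN $2-----\$" "$1"
}

# Client side: trust the certificate only. keytool prompts for the keystore
# password; the private key never leaves the server. (Not exercised here.)
import_cert_only() {   # combined.pem alias keystore
    pem_extract "$1" CERTIFICATE > "$1.crt"
    keytool -importcert -noprompt -alias "$2" -keystore "$3" -file "$1.crt"
}

# Usage (hypothetical names):
#   [ "$(pem_count combined.pem CERTIFICATE)" -eq 1 ] && import_cert_only combined.pem myserver client.jks
```

If the client really does need the private key as well, skip the PEM conversion entirely and load the .pfx as a PKCS12 keystore: `keytool -importkeystore -srckeystore server.pfx -srcstoretype PKCS12 -destkeystore client.jks` (names assumed).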

How to create a code signing certificate in PFX/password format with csrgenerator.com?

I'm trying to renew my code signing certificate, which is used as a PFX (and password).
Godaddy, our cert provider provides instructions on generating a CSR, however this appears to be outdated for Windows 10.
I called godaddy and they told me to use csrgenerator.com to generate something like:
-----BEGIN CERTIFICATE REQUEST-----
foo
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
bar
-----END PRIVATE KEY-----
I then pasted the CSR into godaddy's site and they said once the cert is rekeyed, I can download .pem and .spc files.
How am I supposed to create a PFX with password from this? If I understand correctly, I need to generate a CSR from my machine. The godaddy rep assured me that csrgenerator.com is generating a csr for my machine, but I've no idea how it is getting added to my certificates using MMC, much less how am I going to export the cert to a PFX. Even though I have the private key section, I don't see it being applied anywhere.
I know this question was asked several months ago, but I wanted to include a reply in case it helps anyone in the future. (I came across this post when I was trying to accomplish the same thing)
Follow these instructions to create a PFX file from the GoDaddy certificate:
https://www.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698
If you cannot complete these steps because the PFX option is greyed out, then the CSR generated does not allow the private key to be exported. I'm pretty sure the GoDaddy instructions linked in the question above are only for Windows Server. However, I was able to complete the following instructions on Windows 10 to generate a CSR that allowed the private key to be exported: http://www.entrust.net/knowledge-base/technote.cfm?tn=8924
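As an added example, not part of the answer above: the PFX the question asks for is just the csrgenerator.com private key and the certificate GoDaddy issued, packed together under a password, which `openssl pkcs12` does in one command on any machine that has openssl (Git for Windows ships one). This is the step where the PRIVATE KEY block from csrgenerator.com is actually used. File names and the password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed files: key.pem and
# request.csr are the two blocks csrgenerator.com produced, cert.pem is the
# certificate downloaded from GoDaddy after rekeying.

# Sanity check before rekeying: the CSR and the private key carry the same
# public key, otherwise the issued certificate can never match the key.
csr_matches_key() {   # csr key
    r=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout </dev/null 2>/dev/null)
    [ -n "$r" ] && [ "$r" = "$k" ]
}

# Pack the private key and the certificate (plus the chain, if you have one)
# into a password-protected PFX.
make_pfx() {   # key cert out password [chain]
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5" -out "$3" -passout "pass:$4"
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
    fi
}

# Open the PFX with the password and print the subject of the certificate
# inside; empty output means a wrong password or a file that is not a PFX.
pfx_subject() {   # pfx password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

# Usage (hypothetical names):
#   csr_matches_key request.csr key.pem &&
#       make_pfx key.pem cert.pem codesign.pfx 'choose-a-passphrase'
#   pfx_subject codesign.pfx 'choose-a-passphrase'
```

OpenSSL 3.x writes the PFX with AES and PBKDF2 by default; if an older Windows release refuses to import it, add `-legacy` to the export command (OpenSSL 3 only) to get the RC2/3DES encoding those releases expect.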

"Public key certificate and private key doesn't match" when using Godaddy issued certificate [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 6 years ago.
I'm trying to install a GoDaddy SSL certificate on a new load balancer I'm setting up on Amazon AWS. I originally created the certificate at Godaddy using the keytool program for direct installation on a Glassfish 3.1 server (Amazon linux ami). I had no problems getting that setup directly on the server. I now need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certs to be in PEM format, so I used the "rekey" tool at GoDaddy to create new certs. When I load those in the load balancer setup screen on AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."
Here is how I'm creating the keys:
$ openssl genrsa -des3 -out private.key 2048
$ openssl req -new -key private.key -out apps.mydomain.com.csr
I then submit the .csr file to GoDaddy during the "rekey" process. Once the rekey is complete, I download the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I download them selecting (Apache) as the type of server (I've also tried "other" and "Cpanel" but the all look to be the same).
At this point, I remove the encryption from the private.key file by using the following command:
$ openssl rsa -in private.key -out private.pem
At this point, I go back into the AWS Mgmt console, create the load balancer, add the secure server redirect and put the contents of the following files in the respective fields on the screen where it asks to setup the ssl certificate:
private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain
When I click the "continue button" I get the error "Error: Public Key Certificate and Private Key doesn't match."
-Is there a way that I can test that I'm getting a valid error message from Amazon? It seems odd to me that the keys wouldn't match when I'm following GoDaddy's instructions pretty closely.
I've tried creating the private.key file without RSA encryption prior to creating the .csr and that doesn't seem to make any difference.
I'm also assuming that the .crt files I'm downloading from GoDaddy are in .PEM format, but I'm not sure how to verify this.
Any ideas?
For me, it was an easy two-step:
Convert the private key to PEM:
openssl rsa -in yourdomain.key -outform PEM
Convert the certificate and certificate bundle to PEM:
openssl x509 -inform PEM -in yourdomain.crt
openssl x509 -inform PEM -in bundle.crt
Just for the record and anyone else who is trying to figure it out:
yourdomain.key
-> terminal command: sudo openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem
-> private key
yourdomain.crt
-> public key
gd_bundle.crt
-> certificate chain
and you're good to go :)
Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in Virtual Box on a Windows 7 desktop; copy and pasting the values from a gedit screen into the browser running on the Windows box. Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clip board between Virtual Box client and host. Case closed.
We found an alternate solution to this problem. We were having the same symptoms with the same error.
Then we tried reentering the pem codes one more time, but this time we made sure to hit enter one time and make sure the cursor was on a blank line at the end of each window. Then we saved it.
IT WORKED.
This solved our problem, so it might solve it for others.
One little gotcha. I'm using a Windows box (Win 7 Pro) and when I used the Windows port of OpenSSL, the output files had Unix style end-of-line characters (LF).
I had to convert the file to Windows style (CRLF) for the uploading of the private key.
I can suggest an alternative solution and some information to you folks.
Generally all certificates are in PEM file format. You can just open Notepad or any text editor and drag in the files which you received in .crt file format, which is normally called a .PEM file. If the certificate is loaded in your keytool, you can export the certificate as a pfx file from keytool. Then you can separate the private key from the pfx file, because the pfx file is the combination of your certificate and the private key. So you can get the private key file separately and use it on your Amazon AWS.
I suspect there may be another way to install the certificate. Maybe you can contact the certificate authority and see if there is any way to get your certificate reissued.