SSL Intermediate SHA2 - ssl

I've installed an SSL certificate on my website, but the intermediate.crt isn't working.
Any SSL checker (e.g. GeoTrust Checker) told me that an intermediate key is missing.
On the website an SSL certificate was already in use; only the switch from SHA1 to SHA2 is new.
I use this structure:
-----BEGIN CERTIFICATE-----
(Secondary Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Primary Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
Who has an idea to solve this problem?

I solved it.
It was the wrong reference to the intermediate.

Related

How is an SSL certificate chain bundle arranged?

I have 4 certificate files like this:
1.certum_certificate.crt
2.certum_certificate.pem
3.Intermediate_CA2.cer
4.Intermediate_CA.cer
5.Root_CA.cer
I put the content of these files in this order in a bundle file, and I figured out that my SSL chain is incomplete.
How should I arrange them in the bundle file?
Just concatenate the three parts into a single file like this (fullchain.pem):
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgISA/UUyBjJ71fucZuvpiLsdfsfsdfsdfd
...
hoFWWJt3/SeBKn+ci03RRvZsdfdsfsdfw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinsdfsfsdfsdfdsfsdfsd
....
nLRbwHqsdqD7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBsdfSDFSDFVSDVzfsdffvqdsfgsT664ScbvsfGDGSDV
...
Dfvp7OOGAN6dEOM4+SDFSDZET+DFGDFQSD45Bddfghqsqf6Bsff
-----END CERTIFICATE-----
The order must be backwards. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it:
Original issuer —> Intermediate issuer 1 —> Final Root issuer which is a root certificate authority and can be trusted.
It's possible to have several intermediates : ...—> Intermediate issuer 1 —> Intermediate issuer 2 —>...

Comodo Essentials SSL: Vestacp "SSL intermediate chain is not valid"

I'm trying to install Comodo Essential SSL via Vestacp. Here's what I did: I opened www_example_com.crt, copied the digest and pasted it into the SSL Certificate box. Then I opened www_example_com.key, which was used to generate the SSL at the beginning and starts with -----BEGIN PRIVATE KEY-----, and pasted the digest into the SSL Key box. Then I copied the digest of the other 3 files in this order into one file, copied the whole digest and pasted it into the SSL Certificate Authority / Intermediate box, but I get "SSL intermediate chain is not valid".
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt
SectigoRSADomainValidationSecureServerCA.crt
The final digest looks like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I checked the certificate and the key using https://www.sslshopper.com/certificate-key-matcher.html and found no issue.
I restored a backup, so the key file doesn't exist on the server now. Does it matter? It's the first time I've tried to install SSL, so please assist. Thanks in advance.
The Authority digest must be the content of these files in this order:
SectigoRSADomainValidationSecureServerCA.crt
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt

Bundled SSL Certificate Public Key does not match Private Key Public Key

I am trying to install a new SSL certificate into Traefik. My certificate is signed by a third party (Sectigo), and was provided to me with the chain:
-----BEGIN CERTIFICATE-----
[[SNIP - Root CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----
The last certificate in the chain matches the individual certificate. When I pass that certificate and corresponding key to Traefik, I get the following error:
failed to load X509 key pair: tls: private key does not match public key
Researching online, I have found these commands to verify the public keys/modulus for the cert and private key:
openssl rsa -modulus -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5
When I run this against the chained cert the results do not match. When I run it against the individual cert it matches.
I can not use the individual cert, as it is not signed by a trusted root, so I get the following error when using OpenSSL s_client:
openssl s_client -connect myserver:443 -showcerts
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
I'm wracking my brain here, what am I missing???
Your chain is wrong. You need to reverse it and drop the root CA certificate.
The server thinks the root CA is the main certificate, and it's trying to load the private key against the root CA certificate, which is why you are seeing the message.
Also, there is no need for the root CA, as this should always be in the client's CA list, so you are sending the CA certificate to the client and the client will just ignore it.
i.e.
-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
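The checks behind this answer, as an added example that is not part of the original posts: confirm that the first certificate in a bundle belongs to the private key, confirm that each certificate is issued by the one after it, and rebuild a root-first bundle leaf-first without the root. The function names and the throwaway demo chain are assumptions; the key comparison goes slightly beyond the question's modulus commands by comparing public keys, so it also covers ECDSA keys.

```shell
# Added example; function and file names are hypothetical. Needs the openssl CLI.
# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (dir "/cert-" n ".pem") }' "$1"
}

# A server pairs the private key with the FIRST certificate in the file.
# Comparing public keys works for RSA and ECDSA keys (-modulus is RSA-only).
first_cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True if each certificate's issuer name is the subject name of the next one.
chain_is_ordered() {
  local dir i=1 prev_issuer="" rc=0
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  [ -f "$dir/cert-1.pem" ] || rc=1            # no certificate found at all
  while [ -f "$dir/cert-$i.pem" ]; do
    [ "$i" -eq 1 ] || [ "$(openssl x509 -in "$dir/cert-$i.pem" -noout -subject_hash)" = "$prev_issuer" ] || rc=1
    prev_issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
    i=$((i + 1))
  done
  rm -rf "$dir"; return "$rc"
}

# Print a root-first bundle leaf-first, dropping self-signed (root) certificates.
reverse_drop_root() {
  local dir i f
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  i=$(( $(ls "$dir" | wc -l) ))
  while [ "$i" -ge 1 ]; do
    f="$dir/cert-$i.pem"
    [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$(openssl x509 -in "$f" -noout -issuer_hash)" ] || cat "$f"
    i=$((i - 1))
  done
  rm -rf "$dir"
}

# Constructed sample data: root -> intermediate -> leaf in directory $1 (path without spaces; $sign is split unquoted).
make_demo_chain() {
  local d=$1 name sign=""
  for name in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    [ -n "$sign" ] || sign="-signkey $d/$name.key"   # first pass: the root signs itself
    openssl x509 -req -in "$d/$name.csr" -days 1 -set_serial 1 -out "$d/$name.crt" $sign 2>/dev/null
    sign="-CA $d/$name.crt -CAkey $d/$name.key"      # signer for the next certificate
  done
}
```

The ordering check compares issuer and subject names only; it does not verify signatures or trust, which `openssl verify` or `openssl s_client` still has to confirm against the deployed server.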

Create .cer file from certificate values

I want to have an SSL certificate on my IIS server, so I got an e-mail from reg.ru with:
Your certificate is presented below: (original language: Ваш сертификат предоставлен ниже)
-----BEGIN CERTIFICATE-----
[values]
-----END CERTIFICATE-----
Root certificate (original language: Корневой сертификат)
-----BEGIN CERTIFICATE-----
[values]
-----END CERTIFICATE-----
Intermediate certificate (original language: Промежуточный сертификат)
-----BEGIN CERTIFICATE-----
[values]
-----END CERTIFICATE-----
Request for a certificate (original language: Запрос на получение сертификата)
-----BEGIN CERTIFICATE REQUEST-----
[values]
-----END CERTIFICATE REQUEST-----
Save the private key on the local computer (original language: Сохраните приватный ключ на локальном компьютере.)
-----BEGIN RSA PRIVATE KEY-----
[values]
-----END RSA PRIVATE KEY-----
But my IIS requires a .cer file. What do I have to do to get a .cer file?
Oh, I found a solution:
Go here:
https://www.sslshopper.com/ssl-converter.html
Create a pfx file from the first certificate, private key, intermediate certificate and root certificate.
Click import on the IIS server certificates page and select this file.
(Maybe my problem is because of the reg.ru service.)

Multiple SSL Cert Bundles?

My company is wanting to utilize two different types of SSL certificates for our website: one that is using RSA, and one that is ECDSA. The reason is because external services that utilize our site are using code that is very old, so we need to have both for compatibility.
EDIT: We're using Apache 2.4, and both certificates are from the same authority. As such, the Root CAs below are the same, but the intermediates are different because of the RSA/ECDSA difference.
Our Apache config would be as follows:
### RSA cert
SSLCertificateFile /etc/ssl/certs/website_com_rsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_rsa.key
### ECDSA cert for compatibility
SSLCertificateFile /etc/ssl/certs/website_com_ecdsa.crt
SSLCertificateKeyFile /etc/ssl/private/website_com_ecdsa.key
### RSA/ECDSA cert bundle
SSLCertificateChainFile /etc/ssl/certs/website_com.ca-bundle
The part I'm not sure about is the CA bundle. My questions are:
Can I use two different SSLCertificateChainFile directives, one for each type (RSA and ECDSA)?
If I can't, then how do I combine CA bundles from two different certificate bundles into one file? Say I had two CA bundle files that have the order like so:
RSA Bundle
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
ECDSA Bundle
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<ecdsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
In what order should they be combined?
From the Apache 2.4 docs for SSLCertificateChainFile, it looks like you would provide the separate chains in the files configured with SSLCertificateFile, i.e. combining the server certificate with its corresponding certificate chain, in the same file.
For example, your /etc/ssl/certs/website_com_rsa.crt might contain multiple certificates, from the server cert up through the root:
-----BEGIN CERTIFICATE-----
...
<website-com-rsa>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-1>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<rsa-intermediate-2>
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
<root-ca>
...
-----END CERTIFICATE-----
And similarly for your /etc/ssl/certs/website_com_ecdsa.crt file. This would mean not using SSLCertificateChainFile.
Hope this helps!