I have a free domain,sayexample.ml, and I hosted my files at byethost.com. I am trying to implement free ssl on my site. I have logged into cacert website. Added and verified my domain. And now I am stuck. I dont know how to set up an ssl certificate from this stage.
A step by step explanation will be quite a lot helpful.
Generate a private key and save it in your file system safely.
Generate a CSR with it.
You can use openSSL for 1 and 2.
Refer : http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Get the signed server certificate from cacert.org by copying the contents of your CSR to Server certificates -> New. Save it in your file system.
You need to point your Appserver/Webserver to the location where your private key and signed server certificate is stored. Read documentation.
If it is a Apache webserver you can refer: https://techstrum.wordpress.com/2014/11/25/how-to-enable-ssl-for-ohs-oracle-http-sever/
First, you need the CSR (your public key with some information).
To generate it you have to use the tool that your server provide would be easier (such as Apache Tomcat :: using keytool, Linux :: using openssl)
Then, sending your CSR file to the certificate vendor to verify and insert Root certificate.
They will send you back certificate file.
So, you need to use this certificate file for import into your secret key which you get it from the key-pair generate process on the first step.
Finally, setup your key into your server and config some property in web server config file.
These are the concept, for the technical you need to know what platform you used and find the way to use their provided tool.
Related
I'm in the process of connecting to an external server and am making a CSR to receive some certificates from them, and I have some questions regarding this.
Some tutorials state that you should save the private key as this will be used during installation of the certificate. However when using the Windows certificate manager (certmgr.msc) I think it generates the private key under the hood, and the resulting CSR-file does not contain any private key. So in that case I won't have access to any private key at all, unless I can export it from the certificate I receive later? I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store? If that's the case, does the private key have any use besides generating the public key?
I was also wondering about the location the certificate can be used. It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Last question: The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Appreciate any insight or guiding to this process. There are a tons of guides out there, but many of them seem to contradict each other in some way or another.
(certmgr.msc) I think [] generates the private key under the hood,
Correct. You generate the key and CSR, send the latter to the CA, and (we hope!) get back a cert containing your publickey and identity (for SSL/TLS your identity is your domain name or names), plus any needed chain certs (usually one intermediate and a root, but this can vary). You import the cert to certmgr, which matches it up with the existing, stored but hidden privatekey to produce a pair of cert+privatekey which is now visible and usable.
To use this in a Windows program, like IIS, you also need the chain cert(s), see below, in your store -- for these just the cert(s) not the privatekey(s), which you don't have and can't get. If you use an established public CA like Comodo, GoDaddy, LetsEncrypt their root is usually already in your store, and if you use a CA run by your employer their root may well be already in your store for other reasons such as email; if not you should add it. The intermediate(s?) may or may not already be in your store and if not you should add it(them).
I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store?
It is needed, but you don't provide it, because it's already there.
It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Initially, it is usable only on the system where the CSR and privatekey were generated. But using certmgr you can export the combination of the certificate and privatekey, and optionally the cert chain (which export wizard calls 'path'), to a PKCS12/PFX file. That file can be copied to and imported on other Windows systems and/or used by or imported to other types of software like Java (e.g. Tomcat and Jboss/Wildfly), Apache, Nginx, etc.
Note however that the domain name or names, or possibly a range of names matching a (single-level) wildcard, that you can use the cert for is determined when the cert is issued and can't be subsequently changed (except by getting a new cert).
The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Certificate Authorities are arranged in a hierarchy. Running -- particularly securing -- a root CA is difficult and expensive. As a result certs for end-entities (like you) are not issued directly by the root, but by a subordinate or intermediate CA. Sometimes there is more than one level of subordinate or intermediate. Thus when your server uses this certificate to prove its identity, in order for the browser or other client to validate (and thus accept) your cert you need to provide a 'chain' of certificates, each one signed by the next, which links your cert to the trusted root. As I said, one intermediate is common; this means your server needs to send its own cert, which is signed by the key in the intermediate, plus the intermediate cert, which is signed by the key in the root. The root needn't actually be sent, because the client already has it in their truststore, but it may be, and it is also desirable to validate the chain yourself before using it and for that you need to have the root even if you don't send it.
I am trying to run certutil -repairstore and keep getting prompted for a smart card. This is a VM on AWS and a smart card is not an option. Any thoughts on how to bypass the smart card and get the repair to complete are appreciated
One of the other answers touched on it, but I wanted to add some context/detail as well as I spent a lot of time searching for the root of this problem. Killing the smart card-related services did not work, nor did disabling the related policy with gpedit.
When you run certutil with the -repairstore option, Windows runs through its list of CSPs (Configuration Service Providers), one of which is the "Microsoft Smart Card Key Storage Provider" - that's the one that causes the prompt to enter your smart card. As the above answer stated, the most likely cause is that you are attempting to install a certificate file (.crt, .cer, .pem, etc.) that does not have a corresponding key on the VM, so Windows is cycling through the various CSPs looking for a valid key but cannot find one. There are two possible solutions to this problem:
You should generate your CSR (Certificate Signing Request) through IIS > Server Certificates > Create Certificate Request. This will ensure that the key is generated locally and the appropriate key store is aware of it. Use that CSR to get your certificate from GoDaddy or whoever your provider is, then you should be able to go to IIS > Server Certificates > Complete Certificate Request to install the certificate and avoid certutil altogether.
If you still can't get it to work and are sure the key was generated locally, the -csp option for certutil will allow you to specify which CSP to use when validating the certificate thereby eliminating the need for Windows to try the smart card CSP. You can get the installed CSPs on your system by running certutil -csplist - the "Provider Name" value is what you pass to certutil. For example, certutil -csp "Microsoft Software Key Storage Provider" -repairstore ... would force certutil to validate against the Microsoft Software Key Storage Provider. Make sure you use quotes since there are spaces in the names.
Make sure you make the original certificate request on the same windows server where the domain is hosted. Then complete the request with the p7b provided by the ssl supplier and you won't have any problems.
This question might be a bit old but I came across this error with another cause:
I have mutliple servers trying to import the certificate.
However, the cert request was generated from one server. In that case, I imported to the original server which create the request and export everything from the mmc (including private key) and re-import the pfx file to the over servers.
Try to add -silent to the command
We are developing a local server app (written in nodejs for now), used by our web site to manipulate local files and folders (browse, upload, download...).
Basically, the customer installs the nodejs app, which starts a local server listening on 127.0.0.1.
Then, when (for instance) a list of local folders is needed on the web site, a JS script queries the local server, which returns the local folders, and they are displayed on the web site.
The problem is when the web site is configured in HTTPS, the web site's JS refuses to communicate with the HTTP-non-S nodejs app.
We are exploring various options :
using self-signed certificates deployed with the app, and trusting them on the machine during install, but I feel there will be a LOT of times when it won't work
using "proper" certificates for local.example.com, with a DNS entry where local.example.com points to 127.0.0.1, but it seems that distributing private keys to the general public is prohibited by the CGU of most (if not all) certificate authorities.
Now I thought of maybe another mean. Can a "packaged" HTTPS server (written in any language, I don't care), "living" inside an exe file, which is signed with a proper SSL certificate, use the certificate of the app?
I'm not sure if I'm making any sense, I don't know certificates very well...
Thanks!
We ended up adding a self-signed root CA using certutil :
certutil.exe -user -addstore Root "mycert\rootca.cer"
Since we're adding a root CA, it generates a warning popup that the user has to accept, but it has been deemed acceptable by the powers that be.
There is a "check config" screen that can try to add the certificate again if it hasn't been properly added the first time.
There is a case when the group policies (GPO) prevent trusting self-signed certificates. In this case, certutil has a return code of 0 (the certificate is added) but the root CA is not trusted, so the local server does not work. So, after install, we have to check that the certificate is trusted using:
certutil.exe -user -verifystore Root xxx
(xxx being the certificate serial number). This command does exit with error if the certificate is untrusted either, so we parse the output for CERT_TRUST_IS_UNTRUSTED_ROOT or 0x800b0109.
I have obtained a free Open Source Developer certificate (with Code Signing as only usage) from Certum in reply to a web form instead of a regular CSR file. The Certificate has no installation issues on Windows and forms a trusted chain along with the corresponding intermediate and root CA certificates in any keystore management tool I have tried. No problems so far.
Nevertheless, besides the bright side of becoming somewhat acquainted with the subject after frustrating studying it for several days (my only purpose was to sign jar files for my online solfège school), I haven't been able to import the certificate to any keypair on neither toolkey, KeyStore Explorer, CERTivity, nor OpenSSL, because the public keys don't match, (I think) obviously.
I (probably mis)understand that the public key from a requesting keypair is conveyed to the CA by the CSR file and included back in the certificate reply, but in my case there is no CSR file.
I plainly admit my ignorance, and would just like to know:
If is it even possible (with all security risks involved) the procedure of tailoring a keypair to match an existing such a certificate (an Openssl command, perhaps), and
if, as I'm afraid of, the answer is no, what is such a "CSR-file-orphan" certificate useful for?
Any enlightment will be greatly appreciated.
Jesús Díaz
Certum probably have created the CSR for you if you didn't submit one.
In that case, a (public-private) key pair would have been installed on your computer.
You will probably have to export the key pair from Windows keystore to a file so that you can import it to another keystore.
guide from microsoft
with screenshots
another way
To answer your questions:
since the certificate has been created, you won't be able to create a key pair for it.
it is actually not a CSR orphan certificate
You might want to make another request from Certum and inform them that you would like to provide a CSR
Im trying to use client ssl certificate in JMeter to authenticate on website. The problem is that when i try to import it in SSL Manager, im not getting any message for password, anything. In configuration i've written:
user.classpath=/home/m/Downloads/jre-1.7.0_09/usr/java/jre1.7.0_09/lib/
ssl.provider=com.sun.net.ssl.internal.ssl.Provider
I've added user.classpath because jsse.jar stands there, but i think its not necessary. What am i doing wrong?
To test Client Certificates, use this:
Keystore Configuration
Steps are:
Create your certificates either with Java keytool utility or through your PKI
If created by PKI, import your keys in Java Key Store by converting them to a format acceptable by JKS
Then reference the keystore file through the 2 JVM properties :
-Djavax.net.ssl.keyStore=path_to_keystore
-Djavax.net.ssl.keyStorePassword=password_of_keystore
You use either HTTPClient 3.1 or 4 implementations for HTTP Request
To make JMeter use more than one certificate you need to ensure that:
https.use.cached.ssl.context=false
is set in jmeter.properties or user.properties