I have two web servers(IIS) Prod/DR and I am required to install a certificate with same common name on both the servers.
I have generated two CSR files from these two servers with same information (common name, location etc)
We are required to generate a third party signed certificate, but I am confused/ignorant when it asks for CSR. These two CSR files when I compared are different(byte compared).
Should I just upload any 1 of the CSR file and use the cert generated to be installed on both servers? Will both server accept this certificate (after in pending cert request state) generated with same information but has different CSR files?
This question is a better fit for something like server fault, but I'll give it a shot:
A CSR is a unique per private key. You need to pick one CSR, and request it from your CA. Your CA will respond with the full certificate, which can be exported from the machine on which you issued the CSR and imported to the other servers.
If you were to request multiple CSR's be fulfilled, you would get multiple certificates. Instead, you need to complete the process once and copy the returned certificate.
See http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html for step by step instructions.
Related
I'm in the process of connecting to an external server and am making a CSR to receive some certificates from them, and I have some questions regarding this.
Some tutorials state that you should save the private key as this will be used during installation of the certificate. However when using the Windows certificate manager (certmgr.msc) I think it generates the private key under the hood, and the resulting CSR-file does not contain any private key. So in that case I won't have access to any private key at all, unless I can export it from the certificate I receive later? I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store? If that's the case, does the private key have any use besides generating the public key?
I was also wondering about the location the certificate can be used. It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Last question: The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Appreciate any insight or guiding to this process. There are a tons of guides out there, but many of them seem to contradict each other in some way or another.
(certmgr.msc) I think [] generates the private key under the hood,
Correct. You generate the key and CSR, send the latter to the CA, and (we hope!) get back a cert containing your publickey and identity (for SSL/TLS your identity is your domain name or names), plus any needed chain certs (usually one intermediate and a root, but this can vary). You import the cert to certmgr, which matches it up with the existing, stored but hidden privatekey to produce a pair of cert+privatekey which is now visible and usable.
To use this in a Windows program, like IIS, you also need the chain cert(s), see below, in your store -- for these just the cert(s) not the privatekey(s), which you don't have and can't get. If you use an established public CA like Comodo, GoDaddy, LetsEncrypt their root is usually already in your store, and if you use a CA run by your employer their root may well be already in your store for other reasons such as email; if not you should add it. The intermediate(s?) may or may not already be in your store and if not you should add it(them).
I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store?
It is needed, but you don't provide it, because it's already there.
It seems that the certificate can only be used on the server that the CSR was created. However, my application will run on Azure so how can I get a certificate that can be used in the cloud?
Initially, it is usable only on the system where the CSR and privatekey were generated. But using certmgr you can export the combination of the certificate and privatekey, and optionally the cert chain (which export wizard calls 'path'), to a PKCS12/PFX file. That file can be copied to and imported on other Windows systems and/or used by or imported to other types of software like Java (e.g. Tomcat and Jboss/Wildfly), Apache, Nginx, etc.
Note however that the domain name or names, or possibly a range of names matching a (single-level) wildcard, that you can use the cert for is determined when the cert is issued and can't be subsequently changed (except by getting a new cert).
The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?
Certificate Authorities are arranged in a hierarchy. Running -- particularly securing -- a root CA is difficult and expensive. As a result certs for end-entities (like you) are not issued directly by the root, but by a subordinate or intermediate CA. Sometimes there is more than one level of subordinate or intermediate. Thus when your server uses this certificate to prove its identity, in order for the browser or other client to validate (and thus accept) your cert you need to provide a 'chain' of certificates, each one signed by the next, which links your cert to the trusted root. As I said, one intermediate is common; this means your server needs to send its own cert, which is signed by the key in the intermediate, plus the intermediate cert, which is signed by the key in the root. The root needn't actually be sent, because the client already has it in their truststore, but it may be, and it is also desirable to validate the chain yourself before using it and for that you need to have the root even if you don't send it.
I have a free domain,sayexample.ml, and I hosted my files at byethost.com. I am trying to implement free ssl on my site. I have logged into cacert website. Added and verified my domain. And now I am stuck. I dont know how to set up an ssl certificate from this stage.
A step by step explanation will be quite a lot helpful.
Generate a private key and save it in your file system safely.
Generate a CSR with it.
You can use openSSL for 1 and 2.
Refer : http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Get the signed server certificate from cacert.org by copying the contents of your CSR to Server certificates -> New. Save it in your file system.
You need to point your Appserver/Webserver to the location where your private key and signed server certificate is stored. Read documentation.
If it is a Apache webserver you can refer: https://techstrum.wordpress.com/2014/11/25/how-to-enable-ssl-for-ohs-oracle-http-sever/
First, you need the CSR (your public key with some information).
To generate it you have to use the tool that your server provide would be easier (such as Apache Tomcat :: using keytool, Linux :: using openssl)
Then, sending your CSR file to the certificate vendor to verify and insert Root certificate.
They will send you back certificate file.
So, you need to use this certificate file for import into your secret key which you get it from the key-pair generate process on the first step.
Finally, setup your key into your server and config some property in web server config file.
These are the concept, for the technical you need to know what platform you used and find the way to use their provided tool.
I'm trying to setup ssl on modulus.io but the guide says to bundle four files:
http://help.modulus.io/customer/portal/articles/1701165-ssl-setup-guide
The problem is rapid ssl only gives me two and they aren't named anything like those.
They only give me a web certificate, intermediate CA and then link to some bundled CA.
Anyone else do this in the past that can link me in the right direction?
You will need to bundle all the provided certs in a specific order. The order depends on the SSL provider. The Modulus guide is showing Namecheap. The likely order based on the info you provided is:
Domain specific cert - usually has your domain name in the filename.
The intermediate CA.
The contents of the bundled CA.
Simply concatenate all of these into a single file and provide that to Modulus. You can then use ssl-checker to verify the certificate chain is complete and in the right order.
Disclaimer: I'm a Modulus employee
I have obtained a free Open Source Developer certificate (with Code Signing as only usage) from Certum in reply to a web form instead of a regular CSR file. The Certificate has no installation issues on Windows and forms a trusted chain along with the corresponding intermediate and root CA certificates in any keystore management tool I have tried. No problems so far.
Nevertheless, besides the bright side of becoming somewhat acquainted with the subject after frustrating studying it for several days (my only purpose was to sign jar files for my online solfège school), I haven't been able to import the certificate to any keypair on neither toolkey, KeyStore Explorer, CERTivity, nor OpenSSL, because the public keys don't match, (I think) obviously.
I (probably mis)understand that the public key from a requesting keypair is conveyed to the CA by the CSR file and included back in the certificate reply, but in my case there is no CSR file.
I plainly admit my ignorance, and would just like to know:
If is it even possible (with all security risks involved) the procedure of tailoring a keypair to match an existing such a certificate (an Openssl command, perhaps), and
if, as I'm afraid of, the answer is no, what is such a "CSR-file-orphan" certificate useful for?
Any enlightment will be greatly appreciated.
Jesús Díaz
Certum probably have created the CSR for you if you didn't submit one.
In that case, a (public-private) key pair would have been installed on your computer.
You will probably have to export the key pair from Windows keystore to a file so that you can import it to another keystore.
guide from microsoft
with screenshots
another way
To answer your questions:
since the certificate has been created, you won't be able to create a key pair for it.
it is actually not a CSR orphan certificate
You might want to make another request from Certum and inform them that you would like to provide a CSR
I use Windows XP SP3. I resell digital signature certificates. I get the clients data, key them into a portal and download the dsc onto my machine. I use Internet Options and export the certificate to a pfx file with a password and send it off to the client. Since, this is being done over and over again, during export to pfx, inadvertently the wrong certificate is selected. Once the pfx file is generated, is there any way of knowing the common name in the pfx file without having to reinstall the certificate. I have looked into openssl, but not sure if it can be achieved by a batch file as a password has to be physically entered. Ideally, after exporting say 10 pfx files, I would like to run a batch file which would display only the common names. Once I confirm that the names are correct (I have exported correctly), I can delete the certificates from the store.
You should write your own application, that will perform batch processing of PFX files.
The pseudo code using CryptoAPI are as follows.,
Read the pfx files from disk one by one using PFXImportCertStore. You will get the certificate store context.
Acquire the certificate context PCCERT_CONTEXT phPfxCertCtx = CertEnumCertificatesInStore
Get the subject name. phPfxCertCtx->pCertInfo->Subject
You can have a predefined list of subjects to compare the subject names that are read now.
Close the context and certificate store, CertCloseStore with CERT_CLOSE_STORE_FORCE_FLAG.