How to generate CSR for SSL that works with Nginx & Apache?

I want to generate the CSR file for requesting an SSL (wildcard) certificate. This certificate and private key will be used on multiple machines with both Apache and Nginx.
RapidSSL states the following commands for the different setups:
Nginx
$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
Is there a way to generate a CSR that works with both Apache and Nginx?

Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
These two are obviously the exact same command, with a different way of writing the example name. They just generate the key pair, you'd need an additional req command to generate a CSR too.
genrsa generates a key pair, and req generates a CSR. However, req can perform both operations at once when using -newkey.
See OpenSSL req example documentation:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
The same but just using req:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem

Is there a way to generate a CSR that works with both Apache and Nginx?
A quick answer to the questions to clarify things... Nginx and Apache don't consume CSRs. They use certificates and private keys.
Perhaps you meant to say something about a self-signed certificate? If so, add the -x509 option to the openssl req command. That creates a self signed certificate rather than a signing request.
There's a lot more to self-signed certificates (and server certificates in general). See, for example, How to create a self-signed certificate with openssl?
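The first answer's single req -newkey command, carried through for the wildcard case as an added example that is not from either answer: it produces an unencrypted key plus a CSR carrying a SAN, then runs the checks worth doing before the CSR goes to the CA. Nginx and Apache both load the same PEM key and certificate files, so one key and one CSR serve both. The domain example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from either answer): one req call makes an unencrypted
# key and a wildcard CSR with a SAN, followed by the checks worth running
# before the CSR goes to the CA. The domain is a constructed placeholder.
set -eu
# gen_wildcard_csr DIR DOMAIN -> writes DIR/server.key and DIR/server.csr
gen_wildcard_csr() {
    dir=$1; domain=$2
    # Minimal req config. The SAN lists the wildcard and the bare apex,
    # because "*.example.com" does not cover "example.com".
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    # -nodes: no passphrase, so Nginx and Apache can load the key at start-up
    # without prompting; -newkey: key and CSR in one step, as the first
    # answer explains.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.$domain" \
        -config "$dir/req.cnf" -reqexts v3_req \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key"
}
# csr_is_sane DIR DOMAIN -> 0 if the CSR's self-signature verifies, it carries
# the wildcard SAN, the key is unencrypted and key and CSR share a modulus
csr_is_sane() {
    dir=$1; domain=$2
    openssl req -noout -verify -in "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl req -noout -text -in "$dir/server.csr" \
        | grep -q "DNS:\*\.$domain" || return 2
    ! grep -q ENCRYPTED "$dir/server.key" || return 3
    [ "$(openssl rsa -noout -modulus -in "$dir/server.key")" = \
      "$(openssl req -noout -modulus -in "$dir/server.csr")" ] || return 4
}
# Stand-alone use: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    gen_wildcard_csr "$d" example.com
    csr_is_sane "$d" example.com && echo "CSR ready in $d"
fi
```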

Generate OpenSSL CRL file without a configuration file

I have a basic nginx home server setup for which I use client certificates to allow outside access. I have followed this guide to get everything set up, which works as expected:
https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6
in summary:
openssl genrsa -aes256 -out ca.privkey 4096
openssl req -new -x509 -days 365 -key ca.privkey -out ca.crt
openssl genrsa -aes256 -out bobs-ipad.privkey 4096
openssl req -new -out bobs-ipad.csr -key bobs-ipad.privkey
openssl x509 -req -days 365 -in bobs-ipad.csr -CA ca.crt -CAkey ca.privkey -set_serial 100 -out bobs-ipad.crt
openssl pkcs12 -export -clcerts -in bobs-ipad.crt -inkey bobs-ipad.privkey -out bobs-ipad.p12
Also openssl pkcs12 -in bobs-ipad.p12 -out bobs-ipad.pem -nodes to generate a pem file as well.
And in nginx config:
ssl_client_certificate <path>/ca.crt;
# ssl_crl <path>/ca.crl;
ssl_verify_client optional;
...
location / {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}
I am able to access the server from outside and only signed certificates on the client machine allow access.
However, if one of the signed certificates were to be compromised I'd have to re-generate the CA and re-distribute the new signed client certificates. I understand that a CRL file can be used to revoke certificates using ssl_crl <path to crl>; in the nginx config, but I am not sure how to generate this using the guide I followed.
A command like this can be used: openssl ca -gencrl -keyfile ca.privkey -cert ca.crt -out ca.crl
But this relies on a configuration file with an index of the certificates, I believe?
Is there any way of using a command like the above to input a (or a list of) pem or p12 client certificate(s) -in bobs-ipad.pem that I want to revoke?
If not, perhaps I need to start again and have a config with an index file to then -revoke the certificates and re-generate the crl file.
Thanks in advance,
Richard
It doesn't seem like this is possible. I have found some other guides to get this working with a configuration file (and generating a new CA): https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
https://www.djouxtech.net/posts/nginx-client-certificate-authentication/
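Since openssl ca does need the index the question suspects, here is the minimal configuration and bookkeeping that lets it revoke a certificate issued the way the question does, as an added example (not from the question, the answer or the linked guides). The CA name and client names are placeholders, and the CA key is left unencrypted for the demo.

```shell
#!/bin/sh
# Added example (not from the question, the answer or the linked guides).
# "openssl ca -gencrl" wants a config and an index, so this supplies the bare
# minimum, issues a client cert the way the question does, revokes it and
# writes the ca.crl that nginx's "ssl_crl" directive reads. Names are placeholders.
set -eu
# ca_init DIR -> config, empty index, CRL number and a self-signed CA
# (key left unencrypted for the demo; an -aes256 key works with -passin)
ca_init() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
[ca]
default_ca = home_ca
[home_ca]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.privkey
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/index.txt"; echo 01 > "$dir/crlnumber"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -subj "/CN=Home CA" -keyout "$dir/ca.privkey" -out "$dir/ca.crt" 2>/dev/null
}
# issue_client DIR NAME SERIAL -> DIR/NAME.crt, signed like the question's x509 -req
issue_client() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.privkey" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -set_serial "$3" -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.privkey" -out "$dir/$name.crt" 2>/dev/null
}
# revoke_and_gencrl DIR CERT -> adds CERT to the index as revoked and rewrites
# DIR/ca.crl (rerun after every revocation, then reload nginx)
revoke_and_gencrl() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
# cert_is_revoked DIR CERT -> 0 when CERT no longer verifies against ca.crl
cert_is_revoked() {
    ! openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$2" >/dev/null 2>&1
}
```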

How to create root certificate authority using CLI? [OSX]

Hello, I am trying to create a root certificate authority for my own MITM proxy. Based on another tutorial I have used the following commands.
Generate a private key
openssl genrsa -out cert.key 2048
Generate a certificate
openssl req -new -nodes -x509 -key cert.key -days 365 -out cert.crt
Now the problem is when I try to add it to the keychain it shows Self Signed Root CA. What I have found is that other MITM proxies like Proxyman generate a cert that shows Root Certificate Authority. Here is a screenshot which illustrates my point.
I know I can make a certificate that shows Root Certificate Authority from Keychain Access > Certificate Assistant > Create a Certificate Authority.
However, my goal is to create the certificate programmatically so I can generate certificates for other users easily.
Thanks
After much searching I found the following command works. I don't know why it works; an explanation would be helpful.
openssl req -x509 -new -nodes -key cert.key -subj "/CN=HELLO" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf
It seems adding something related to v3_req fixes the issue.
Be sure to use the latest version of openssl. I used homebrew to install openssl.

SSL Certificate For AWS Load Balancer

I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr
openssl genrsa -out mykey-private-key-file.pem 2048
openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey
openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem
But when we tried to submit our CSR, then it complained, so then I followed the instructions on rapidssl:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985
openssl genrsa -des3 -out mykey-private-key-file.pem 2048
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
We got our approval response with the x.509 Web Server Certificate and Intermediate CA.
When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:
"Error creating certificate
Unable to parse key; the body is encrypted."
I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?
Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).
This process assumes you already know how to request a certificate from your favorite certificate issuer.
You can just do a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.
# to generate a certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr
# Submit the CSR. When the CRT file comes back...
# Open the cert in a text editor...
# create a new file
vi yourDomain.crt
# press 'i' to start insert mode
# paste the contents of the CRT file you received
# press ESC, then 'wq', then enter. This saves the file and exits VIM
# convert the CRT you just wrote to disk into the PEM format expected by ELB
openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM
# convert the private key to PEM format expected by ELB
openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key
# display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB
cat yourDomain.pem.key
cat yourDomain.pem
Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.
But I did have to run this step from the geekpete link.
openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key
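The asker's own diagnosis (the key from the RapidSSL genrsa -des3 step is passphrase-protected) and the one step they needed, as an added example not taken from the thread: it detects an encrypted key, strips the passphrase, and confirms the unlocked copy is the same key, so it still matches the certificate the CA issued for it. The passphrase "hunter2" and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or answers). A key made with
# "genrsa -des3" has a passphrase, so its PEM body is encrypted, which is
# exactly what the ELB console rejects. The checks below spot that state,
# strip the passphrase as the geekpete step does, and confirm the result is
# the same key (same modulus), so it still matches the certificate that was
# issued for it. The passphrase "hunter2" and file names are constructed.
set -eu
# key_is_encrypted FILE -> 0 if the PEM body is encrypted. Both PEM flavours
# say so: "Proc-Type: 4,ENCRYPTED" or "-----BEGIN ENCRYPTED PRIVATE KEY-----".
key_is_encrypted() { grep -q ENCRYPTED "$1"; }
# strip_passphrase IN OUT PASS -> unencrypted copy of the key in OUT
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"   # now plaintext: keep it readable by the owner only
}
# same_key A B PASS -> 0 if A (unlocked with PASS) and B hold the same key
same_key() {
    a=$(openssl rsa -noout -modulus -in "$1" -passin "pass:$3")
    b=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
# demo DIR -> 0 when the whole round trip behaves as described
demo() {
    enc="$1/mykey-private-key-file.pem"; plain="$1/pem-mykey-private-key-file.pem"
    openssl genrsa -des3 -passout pass:hunter2 -out "$enc" 2048 2>/dev/null
    key_is_encrypted "$enc" || return 1          # what the console saw
    strip_passphrase "$enc" "$plain" hunter2
    if key_is_encrypted "$plain"; then return 2; fi
    same_key "$enc" "$plain" hunter2             # same key, cert still matches
}
```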

modulus.io SSL need key file?

I would like to get SSL running on my subdomain api.rofulus.com
I checked out https://modulus.io/codex/projects/ssl
I created a certificate and key with:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
I registered on namecheap and bought a PositiveSSL
https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
I uploaded the content of the server file to namecheap and I received 3 files:
api_rofulus_com.crt
PositiveSSLCA2.crt
AddTrustExternalCARoot.crt
But for custom SSL I need the content of a key file. But my myserver.key is empty. So where or how can I get the key?
Thanks for help!
By using this command you have created certificate request server.csr:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
To see the contents of the request you can use:
openssl req -noout -text -in server.csr
Then you have uploaded server.csr to namecheap and got your certificates.
If your private key (myserver.key) is empty then I think you somehow corrupted it. You can reissue your certificate with the new key and certificate request. Drop a line to namecheap support, I think they can resolve this situation.

I'd like to create SSL certificates for my test environment

Does anyone have a handy script to generate SSL certificates such that it generates the CA certificate and the server certificate? More importantly, create it in a way that I can import the CA certificate into my trusted root list (of my Windows system) so that the browser does not flag the site as untrusted.
I used the following script to do it but I am not able to persuade my browser to trust the certificate.
I'd greatly appreciate any help here.
# Generate a private key
openssl genrsa -des3 -out server.key 1024
# Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
# Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Regards,
Kashyap
Your script is only generating one certificate, a self-signed certificate. Usually, the self-signed certificate is called the Root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed by the Root private key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:
Root -> CA -> Server
The CA and Root cert can go into the trusted certificate list. Then a browser that trusts that list will also trust any certificate signed by the CA or Root entities.
You don't have to have this hierarchy...you can use the Root certificate as the CA and skip the middle cert. You can also just use 1 self-signed certificate as the Root/Server certificate. See this article (Trusting self-signed certificates).
But assuming you do have this hierarchy, here are some OpenSSL commands to generate the necessary keys and certificates:
# 1. Create Root private key
openssl genrsa -out root.key 2048
# 2. Create self-signed Root certificate
openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256
# 3. Create CA private key
openssl genrsa -out ca.key 2048
# 4. Create CA CSR
openssl req -new -key ca.key -out ca.csr -days 5000
# 5. Sign and create CA certificate
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256
# 6. Create Server private key
openssl genrsa -out server.key 2048
# 7. Create Server CSR
openssl req -new -key server.key -out server.csr -days 5000
# 8. Sign and create Server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256
Change the key bits, # of valid days, serial numbers, and add V3 extensions as you see fit.
Also remember that different browsers have different lists that they trust. Chrome and IE use the Windows default list. Firefox has its own list.
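The same Root -> CA -> Server chain with the V3 extensions the answer leaves to the reader, as an added example that is not the answer's script: basicConstraints CA:TRUE (the same thing -extensions v3_ca contributed in the root-CA question earlier on this page) on the Root and CA, CA:FALSE plus a SAN on the server certificate, then a full chain verification. openssl verify rejects an intermediate that lacks CA:TRUE, which is why the answer's extension-less commands do not verify as a chain. Host and subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the answer's own script: the same Root -> CA -> Server
# chain with the V3 extensions filled in. CA:TRUE (what "-extensions v3_ca"
# supplied in the keychain question above) marks Root and CA as issuers, the
# server cert gets CA:FALSE plus a SAN, and the chain is then verified.
# All names are constructed placeholders.
set -eu
# build_chain DIR HOST -> root/ca/server .key and .crt files in DIR
build_chain() {
    dir=$1; host=$2
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # steps 1-2: self-signed Root, key and certificate from one req call
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 5000 \
        -subj "/CN=Test Root" -config "$dir/ext.cnf" -extensions ca_ext \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # steps 3-5: intermediate CA, its CSR signed by the Root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" -config \
        "$dir/ext.cnf" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 5000 -set_serial 2 -in "$dir/ca.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -extfile "$dir/ext.cnf" \
        -extensions ca_ext -out "$dir/ca.crt" 2>/dev/null
    # steps 6-8: server certificate, its CSR signed by the intermediate CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" -config \
        "$dir/ext.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -set_serial 3 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -extfile "$dir/ext.cnf" \
        -extensions server_ext -out "$dir/server.crt" 2>/dev/null
}
# is_ca FILE -> 0 if the certificate carries basicConstraints CA:TRUE
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
# chain_ok DIR HOST -> 0 if server.crt chains to root.crt through ca.crt and
# its SAN matches HOST; "openssl verify" rejects an intermediate without CA:TRUE
chain_ok() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/ca.crt" \
        -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```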
Do you have a trusted CA certificate?
You are generating a self-signed certificate, which is always considered untrusted by browsers.