Hi all - I am trying to figure out how to add a wild card certificate given to me for a CentOS installation. I have a script that sets up HTTPS so I am a little familiar with things - but they provided me two files: name_ee.crt name_i1.crt
I'm not sure how to apply that to the /etc/httpd/conf.d/ssl.conf file? Anyone done that before?
My initial searches were not helpful. Thanks,
Jerry
On 15.06.2018 at 20:37, Jerry Geis jerry.geis@gmail.com wrote:
> Hi all - I am trying to figure out how to add a wild card certificate given to me for a CentOS installation. I have a script that sets up HTTPS so I am a little familiar with things - but they provided me two files: name_ee.crt name_i1.crt
> I'm not sure how to apply that to the /etc/httpd/conf.d/ssl.conf file? Anyone done that before?
> My initial searches were not helpful. Thanks,
And where’s the private key?
Can you post the lines in the files that start with five (or so) dashes ("-")?
> And where's the private key? Can you post the lines in the files that start with five (or so) dashes ("-")?
They are all just -----BEGIN CERTIFICATE----- and everything else is encrypted of course.
They did not give a private key - I presumed with a wild card it was not needed? again -never done this so just guessing.
Thanks
Jerry
On 15.06.2018 at 21:07, Jerry Geis jerry.geis@gmail.com wrote:
> They are all just -----BEGIN CERTIFICATE----- and everything else is encrypted of course.
No, it’s not.
You can look at it with
openssl x509 -text -in file.crt -noout
> They did not give a private key - I presumed with a wild card it was not needed? again -never done this so just guessing.
No. The certificate itself is what gets sent to every browser. It’s not secret or encrypted.
You need a certificate, the corresponding private key and in almost all instances the intermediate certificate (or certificates, depending on how many sub-CAs below the Root-CA it was issued from).
Normally (well, for certain definitions of normal), you generate the private key yourself and generate a CSR, a certificate signing request from that key. The key is just 2048 bytes of random data.
The CSR is what gets signed by the CA's private key and contains all the information in the certificate that you can view by clicking on the lock icon in the browser.
I usually do this like below
bla=the_domain.toplevel
openssl req -newkey rsa:2048 -nodes -out $bla.csr -keyout $bla.key -sha256
(for wildcard, I usually call the files "star.domain.toplevel")
And then you can send the CSR to whoever has it signed, or in our case, I log into my managed PKI console and submit it myself for my supervisor to confirm it and then I download the certificate.
This is done because the private key should in theory never leave the system it was generated on, to ensure its secrecy.
Sending a private key by email is NOT secure.
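The checks a practitioner wants before dropping the files into ssl.conf, as an added example that is not part of the thread: it wraps the openssl commands Rainer describes (key plus CSR for a wildcard name, inspecting a certificate) and adds two things the thread only implies, namely that the certificate's public key really matches the private key and that name_ee.crt chains through name_i1.crt to a trusted root. The demo at the end builds a throwaway root, intermediate and wildcard leaf in a temp directory (constructed test data, not a real CA); all file names and the example.com names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers around the openssl
# commands discussed above, plus a self-contained demo chain.
set -eu

# Key + CSR. The key is generated here and never leaves the host; only the
# .csr goes to the CA. For a wildcard the CN is *.domain.tld.
make_csr() {  # make_csr <basename> <common-name>
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    chmod 600 "$1.key"
}

# Subject plus the DNS names in subjectAltName; a wildcard shows up as *.domain.tld.
cert_names() {  # cert_names <cert.pem>
    openssl x509 -in "$1" -noout -subject &&
    { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' || true; }
}

# Does the certificate's public key match the private key? Both sides are
# reduced to the SHA-256 of their DER-encoded public key and compared.
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem>
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Does the end-entity cert chain through the intermediate to the given root?
chain_ok() {  # chain_ok <ee.crt> <intermediate.crt> <root.crt>
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed demo PKI: root -> intermediate (name_i1) -> wildcard leaf (name_ee).
# Everything is signed with 'x509 -req -extfile' so no openssl.cnf section is needed.
build_demo_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > ee.ext &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout root.key -out root.csr >/dev/null 2>&1 &&
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.crt >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout name_i1.key -out name_i1.csr >/dev/null 2>&1 &&
    openssl x509 -req -in name_i1.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out name_i1.crt >/dev/null 2>&1 &&
    make_csr star.example.com '*.example.com' &&
    openssl x509 -req -in star.example.com.csr -CA name_i1.crt -CAkey name_i1.key \
        -CAcreateserial -days 1 -extfile ee.ext -out name_ee.crt >/dev/null 2>&1
}

# The checks: own key accepted, an unrelated key (the intermediate's) rejected,
# chain valid with the intermediate and broken without it.
run_checks() {
    cert_names name_ee.crt &&
    cert_matches_key name_ee.crt star.example.com.key &&
    ! cert_matches_key name_ee.crt name_i1.key &&
    chain_ok name_ee.crt name_i1.crt root.crt &&
    ! openssl verify -CAfile root.crt name_ee.crt >/dev/null 2>&1
}

# Returns 0 only if every check above holds; always cleans up the temp dir.
demo() {
    d=$(mktemp -d)
    ( cd "$d" && build_demo_chain && run_checks ) && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}

demo && echo 'cert, key and chain fit together'
```

On a real server, run cert_matches_key against name_ee.crt and the key from whoever made the CSR, and chain_ok with the CA's root from the system trust store; if the key check fails, the files you were given do not go together and no ssl.conf edit will fix that.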
On 06/15/2018 02:37 PM, Jerry Geis wrote:
> Hi all - I am trying to figure out how to add a wild card certificate given to me for a CentOS installation. I have a script that sets up HTTPS so I am a little familiar with things - but they provided me two files: name_ee.crt name_i1.crt
Hi Jerry,
One is the public SSL certificate file itself and the other is probably the intermediate CA file. You also need the private key from whoever created the CSR for your wildcard certificate to be validated. Without the private key, the wildcard certificate is worthless.
For Apache in /etc/httpd/conf.d/ssl.conf ... it would look something like this:
SSLCertificateFile /path/to/name_ee.crt
SSLCertificateKeyFile /path/to/privatekey.key
SSLCertificateChainFile /path/to/name_i1.crt
Scott
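The three directives in context, as an added example rather than Scott's own file: the TLS-relevant part of a CentOS /etc/httpd/conf.d/ssl.conf virtual host using the file names from the thread. The /etc/pki/tls paths are the CentOS defaults; star.example.com and the example.com names are placeholders.

```apache
# Added example, not from the thread. Wildcard cert for *.example.com on CentOS httpd.
<VirtualHost _default_:443>
    ServerName   www.example.com
    ServerAlias  *.example.com

    SSLEngine on

    # End-entity certificate (name_ee.crt): public, sent to every client
    SSLCertificateFile      /etc/pki/tls/certs/name_ee.crt

    # Private key from whoever generated the CSR; must match the cert above.
    # Keep it root-owned and mode 0600 (chmod 600, not world-readable).
    SSLCertificateKeyFile   /etc/pki/tls/private/star.example.com.key

    # Intermediate CA certificate (name_i1.crt) so clients can build the chain
    # from the end-entity cert up to a root they already trust
    SSLCertificateChainFile /etc/pki/tls/certs/name_i1.crt
</VirtualHost>
```

On CentOS 7 (httpd 2.4.6) and CentOS 6 (httpd 2.2) SSLCertificateChainFile is the right directive; from httpd 2.4.8 onward it is deprecated and the intermediate can instead be appended after the end-entity cert in the SSLCertificateFile. Run `apachectl configtest` before reloading, and afterwards `openssl s_client -connect www.example.com:443 -servername www.example.com` should show the end-entity cert at depth 0 and the intermediate at depth 1; if only depth 0 appears, the chain file is not being served.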
On 2018-06-15, Jerry Geis jerry.geis@gmail.com wrote:
> Hi all - I am trying to figure out how to add a wild card certificate given to me for a CentOS installation.
You've already got the cert so it's not totally relevant, but in the future you can consider using Let's Encrypt. They won't distribute wildcard certs but unless you have lots of subdomains you can simply request a cert for every domain you need.
LE has packages for CentOS which can plug in to Apache automatically, so configuration is quite straightforward.
--keith
On 06/15/2018 06:11 PM, Keith Keller via CentOS wrote:
> You've already got the cert so it's not totally relevant, but in the future you can consider using Let's Encrypt. They won't distribute wildcard certs but unless you have lots of subdomains you can simply request a cert for every domain you need.
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support...
Wildcard support is new, but it's available! :)
On 2018-06-16, Gordon Messmer via CentOS centos@centos.org wrote:
> https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support...
> Wildcard support is new, but it's available! :)
Cool! I had read about wildcard support being planned a few months ago but totally forgot about it.
--keith
On 17.06.2018 at 00:24, Keith Keller via CentOS centos@centos.org wrote:
> On 2018-06-16, Gordon Messmer via CentOS centos@centos.org wrote:
>> https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support...
>> Wildcard support is new, but it's available! :)
> Cool! I had read about wildcard support being planned a few months ago but totally forgot about it.
AFAIK, it's only available with the DNS challenge.
You must have authority over your DNS and use one of the supported providers (or build your own).