Hi all,
This topic is one that I am ignorant on and appreciate any guidance.
My scenario;
I have a wild card SSL installed on one of my CentOS boxes.
As I understand it, this server was used as a sort of master when originally generating and receiving the wild card SSL cert (got the cert from GoDaddy BTW).
So, now I must export some file(s) from that server so that I can import it/them to another server.
Where do I begin?
I did manage to generate a .cer from a pem belonging to my master server via;
openssl x509 -in ca.pem -inform PEM -out somefile.crt.cer -outform DER
But I honestly do not understand what I did here and have a feeling this is incomplete as aren't public and private key involved somehow?
I have my ca.csr (my request file), ca.key (my private key) and ca.pem (my public key) files in hand and ready. A backup has been made for testing.
Thanks in advance for any info.
- aurf
2012/10/23 aurfalien aurfalien@gmail.com:
Looks like you are a bit lost in ssl-forest. Just copy your private key and signed cert file to another box and configure apache. That is all that is needed. No need to do any kind of conversions, just copy files from original box.
-- Eero
On Oct 23, 2012, at 1:22 PM, Eero Volotinen wrote:
> Looks like you are a bit lost in ssl-forest.
Ain't that the truth.
> Just copy your private key and signed cert file to another box and configure apache. That is all that is needed.
Wow, so simple that it's complicated :)
Many thanks.
- aurf
aurfalien wrote:
>> Just copy your private key and signed cert file to another box and configure apache. That is all that is needed.
> Wow, so simple that it's complicated :)
Did you generate the new files with the correct name of the new server? If not, people browsing there will see complaints that the key doesn't match the server name.
mark
On Oct 23, 2012, at 2:48 PM, m.roth@5-cent.us wrote:
> Did you generate the new files with the correct name of the new server? If not, people browsing there will see complaints that the key doesn't match the server name.
Well actually no.
I thought one just had to copy the files over.
So how do I generate the proper files for using on other servers?
- aurf
On Oct 23, 2012, at 2:48 PM, m.roth@5-cent.us wrote:
> Did you generate the new files with the correct name of the new server? If not, people browsing there will see complaints that the key doesn't match the server name.
This is a wild card SSL by the way.
When looking at the keys I see;
Subject: /O=*.domain.com/OU=Domain Control Validated/CN=*.domain.com
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=########
Validation Days: start date - end date
Subject Alternative Name: *.domain.com, domain.com

I don't see any ref to the server's name that it's running on.
I removed the serial, domain name and dates.
- aurf
On Oct 23, 2012, at 3:19 PM, John R Pierce wrote:
> On 10/23/12 3:09 PM, aurfalien wrote:
>> I don't see any ref to the server's name that it's running on.
> the subject, and subject alternative names.
Yes, but they all say either *.domain.com or domain.com
But not servername.domain.com
So it appears as if I do not need to export them?
- aurf
On Oct 23, 2012, at 3:19 PM, John R Pierce wrote:
BTW, sorry for the misinformation, but my certificate files are actually;
commercial.csr and commercial.key
Sorry for the misinformation.
The ca files are self signed files of some kind and not my actual used cert files.
- aurf
In article 0DFC5E1E-DFC7-4F90-A79E-B3CFB341CAF2@gmail.com, aurfalien aurfalien@gmail.com wrote:
> BTW, sorry for the misinformation, but my certificate files are actually;
> commercial.csr and commercial.key
> Sorry for the misinformation.
> The ca files are self signed files of some kind and not my actual used cert files.
Hi Aurf,
Since you have an existing working server, you have a good starting point. As the certificates are wildcard for *.domain.com (for example), you can use them unchanged on any server that has a name within domain.com.
Firstly you need to copy the certificate, the private key and any intermediate certificate bundle (such as gd_bundle.crt) from the old server to the new one. On CentOS5, the certificate and bundle go in /etc/pki/tls/certs, and the key goes in /etc/pki/tls/private. On CentOS4, the directories were actually /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key respectively.
Then you also need to update the Apache configuration to use the certificates. This will either be in /etc/httpd/conf.d/ssl.conf (most likely), or else in /etc/httpd/conf/httpd.conf itself. Just search for the certificate, key and bundle filenames to find the relevant directives and edit the matching file on the new server to include the same directives. They will probably look something like this:
    SSLCertificateFile /etc/pki/tls/certs/commercial.crt
    SSLCertificateKeyFile /etc/pki/tls/private/commercial.key
    SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt
By the way, in your posting above, you said commercial.csr - this would be the original Certificate Signing Request. You need the actual signed certificate, which would be in commercial.crt.
But in any case, look for those SSLCertificate directives and they will point you to the actual files that need copying over.
Hope this helps!
Tony
On Oct 23, 2012, at 3:19 PM, John R Pierce wrote:
So it appears that I must export something to be used on my other servers.
When I simply copy both my public and private keys to a diff server and visit it via a browser, I get;
Connection Untrusted
I choose tech details and see;
The certificate is only valid for the following names;
*.domain.com , domain.com
So how would I export for use on a server whose name is srvA?
- aurf
On 10/24/2012 12:32 PM, aurfalien wrote:
> So how would I export for use on a server whose name is srvA?
So what is the domain name of the new server??
From: aurfalien aurfalien@gmail.com
> I have a wild card SSL installed on one of my CentOS boxes. As I understand it, this server was used as a sort of master when originally generating and receiving the wild card SSL cert (got the cert from GoDaddy BTW). So, now I must export some file(s) from that server so that I can import it/them to another server.
Copy the files to something like /etc/ssl/certs/ and configure apache. Use something like:
<VirtualHost aaa.bbb.ccc.ddd:443>
    DocumentRoot /X/Y/Z
    ServerName abc.yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.yourdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/wildcard.yourdomain.com.key
    SSLCertificateChainFile /etc/ssl/certs/wildcard.yourdomain.com.ca-bundle
</VirtualHost>
The .crt is the certificate returned by the registrar. The .key is the key you created and used to generate the certificate request. The .ca-bundle is the registrar root and intermediate certificates.
On Oct 24, 2012, at 8:41 AM, John Doe wrote:
Hi all,
Working now.
I was missing the chain file so all is well.
No need to export/import etc...
So wildcards in the subdomain really do work.
Thanks very much.
- aurf
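
Added example, not written by anyone in this thread: a shell lab that builds a throwaway root, intermediate and wildcard leaf with openssl, then runs the three checks the thread turns on: the key belongs to the certificate, the chain verifies only once the intermediate bundle is supplied, and which hostnames `*.domain.com` covers. File names, subjects and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab data: throwaway root -> intermediate -> wildcard leaf.
# All names and files are examples, not the poster's real certificates.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

new_csr() {  # $1 = file stem, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
    -out "$D/$1.csr" -subj "$2" 2>/dev/null
}

mk_lab() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
  printf 'subjectAltName=DNS:*.domain.com,DNS:domain.com\n' > "$D/leaf.ext"
  new_csr root "/CN=Example Root CA"
  new_csr int  "/CN=Example Intermediate CA"
  new_csr leaf "/CN=*.domain.com"
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" \
    -extfile "$D/ca.ext" -days 2 -out "$D/root.crt" 2>/dev/null
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
    -CAcreateserial -extfile "$D/ca.ext" -days 2 -out "$D/int.crt" 2>/dev/null
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.crt" -CAkey "$D/int.key" \
    -CAcreateserial -extfile "$D/leaf.ext" -days 2 -out "$D/leaf.crt" 2>/dev/null
}

# Does this private key belong to this certificate? Compare public keys.
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Can a client that trusts only the root build a path to the leaf?
# Extra args (-untrusted bundle) model what SSLCertificateChainFile sends.
chain_ok() {  # $1 = leaf cert, rest = extra verify options
  leaf=$1; shift
  openssl verify -CAfile "$D/root.crt" "$@" "$leaf" 2>&1 | grep -q ': OK$'
}

# Is the name a browser would use covered by the certificate's names?
host_ok() {  # $1 = cert, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

mk_lab
key_matches_cert "$D/leaf.crt" "$D/leaf.key" && echo "key matches certificate"
chain_ok "$D/leaf.crt" || echo "without chain file: untrusted"
chain_ok "$D/leaf.crt" -untrusted "$D/int.crt" && echo "with chain file: OK"
host_ok "$D/leaf.crt" srvA.domain.com && echo "srvA.domain.com: covered"
host_ok "$D/leaf.crt" srvA || echo "srvA (short name): not covered"
```

Against real files, point key_matches_cert and host_ok at the paths named by the SSLCertificate* directives on the server being set up.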