[CentOS] wildcard certificate

Fri Jun 15 19:24:49 UTC 2018
Rainer Duffner <rainer at ultra-secure.de>


> Am 15.06.2018 um 21:07 schrieb Jerry Geis <jerry.geis at gmail.com>:
> 
> They are all just ----- BEGIN CERTIFICATE ----   and everything else is
> encrypted of course.
> 


No, it’s not.

You can look at it with

openssl x509 -text -in file.crt -noout


> They did not give a private key - I presumed with a wildcard it was not
> needed? again - never done this so just guessing.


No. The certificate itself is what gets sent to every browser. It’s not secret or encrypted.

You need a certificate, the corresponding private key and in almost all instances the intermediate certificate (or certificates, depending on how many sub-CAs below the Root-CA it was issued from).


Normally (well, for certain definitions of normal), you generate the private key yourself and generate a CSR, a certificate signing request, from that key.
The key is just 2048 bytes of random data.

The CSR is what gets signed by the CA’s private key and contains all the information in the certificate that you can view by clicking on the lock icon in the browser.

I usually do this like below

bla=the_domain.toplevel
openssl req -newkey rsa:2048 -nodes -out $bla.csr -keyout $bla.key -sha256

(for wildcard, I usually call the files „star.domain.toplevel“)

And then you can send the CSR to whoever has it signed, or in our case, I log into my managed PKI console and submit it myself for my supervisor to confirm it and then I download the certificate.


This is done because the private key should in theory never leave the system it was generated on, to ensure its secrecy.


Sending a private key by email is NOT secure.
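The workflow above, as an added example that is not part of the original post: generate the key and wildcard CSR locally, have a stand-in CA (built here so the script runs offline) sign it, then run the checks you want on whatever a real CA hands back. The domain example.test, the "Stand-in CA" name and the star.<domain>.{key,csr,crt} file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: example.test
# (constructed domain), "Stand-in CA", and star.<domain>.{key,csr,crt}.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=example.test
KEY="$WORK/star.$DOMAIN.key"
CSR="$WORK/star.$DOMAIN.csr"
CRT="$WORK/star.$DOMAIN.crt"
CA_CRT="$WORK/ca.crt"

# 1. Private key + CSR, generated locally; the key never leaves this host.
#    The SAN extension is what browsers match the wildcard against.
openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$KEY" -out "$CSR" \
    -subj "/CN=*.$DOMAIN" -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" \
    2>/dev/null

# 2. Stand-in for the CA: it only ever sees the CSR, never the private key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$CA_CRT" -subj "/CN=Stand-in CA" 2>/dev/null
printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.ext"
openssl x509 -req -in "$CSR" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/san.ext" -out "$CRT" \
    2>/dev/null

# 3. The certificate is plain, signed public data: anyone can read it.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# 4. Does the delivered certificate belong to the key we generated?
#    Compares the public key inside the cert with the one derived from the key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# 5. Does the chain verify against the CA, and does the certificate cover
#    the given hostname? (A wildcard covers exactly one label.)
cert_valid_for() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

cert_subject "$CRT"
key_matches_cert "$CRT" "$KEY" && echo "key and certificate match"
cert_valid_for "$CRT" "$CA_CRT" "www.$DOMAIN" && echo "covers www.$DOMAIN"
```

With a real CA, replace the stand-in signing step with the certificate and intermediate bundle you downloaded, and pass that bundle as the -CAfile.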