All Entries in the "SSL" Category

Generate SSL key and CSR with OpenSSL

It is really easy to generate an SSL key and CSR using OpenSSL, and the next few steps will guide you through the process.

If you are on a Linux server, OpenSSL can be downloaded from here: OpenSSL source, or you can install it with your package manager (yum install or apt-get). Windows users can use Win32OpenSSL.

Once you have OpenSSL installed, we can generate the SSL certificate key:

The following will appear:

The above command generates the SSL key using the '-rand' option, with a few large files as entropy sources, and a 2048-bit key size. The reason for feeding some large files to '-rand' is that computers have no truly random source of their own, but that is a different story. Recently the minimum key size accepted by SSL issuers is 2048 bits, so make sure you generate your key with 2048 bits or with a 4096-bit SSL key.

There is another command that can be used:

After executing it, the output will be:

Generating the SSL key with this command will require a password, which is good while the key is being transported, but once the key is set on a web server, the server will ask for the password every time it is restarted. If you have chosen this method, the next command will remove the password from the SSL key.

If you open the SSL key file, it should look similar to this one:

Now, to generate a CSR from the key, use OpenSSL with these options:

You will be asked a few questions for the certificate:

When you have entered the CSR information and you open the CSR file, it should look similar to this:

Now provide the CSR to a certificate issuer and wait for the SSL approval message.
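The whole key-and-CSR procedure above, as an added shell example that is not part of the original post: it uses non-interactive OpenSSL calls (`-subj` instead of the question prompts, `-passout`/`-passin` instead of typed passwords) and finishes with a check the post does not show, namely that the CSR's public key really is the public half of the key you will deploy. The subject fields, the passphrases, `www.example.com` and the temp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks the key -> CSR
# procedure with non-interactive OpenSSL calls. The subject fields,
# passphrases and temp paths are constructed for the demo.
set -eu

# 2048-bit is the minimum issuers accept; pass 4096 as the second argument
# for a larger key. Current OpenSSL seeds its RNG from the OS CSPRNG, so the
# older '-rand bigfile1:bigfile2' trick is no longer necessary.
gen_key() {  # gen_key <out.key> [bits]
    openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null
}

# Passphrase-protected variant: safer while the key is being transported.
gen_key_encrypted() {  # gen_key_encrypted <out.key> <passphrase> [bits]
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" "${3:-2048}" 2>/dev/null
}

# Remove the passphrase so the web server can restart unattended. The
# resulting file must be readable only by the server's user (chmod 600).
strip_passphrase() {  # strip_passphrase <in.key> <passphrase> <out.key>
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# Build the CSR; -subj answers the interactive questions up front.
gen_csr() {  # gen_csr <key> <out.csr> "/C=.../CN=host"
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# CN recorded in the CSR, so you can confirm what the issuer will sign.
csr_cn() {  # csr_cn <csr>
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# Before sending a CSR out, confirm that its self-signature verifies and that
# its public key is the public half of the key you intend to deploy.
csr_matches_key() {  # csr_matches_key <csr> <key>  -> prints match|mismatch
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || { echo mismatch; return 1; }
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$csr_pub" = "$key_pub" ]; then echo match; else echo mismatch; return 1; fi
}

demo() {
    dir=$(mktemp -d)
    gen_key_encrypted "$dir/transport.key" "transport-secret"
    strip_passphrase "$dir/transport.key" "transport-secret" "$dir/server.key"
    gen_csr "$dir/server.key" "$dir/server.csr" \
        "/C=US/ST=Example State/L=Example City/O=Example Inc/CN=www.example.com"
    echo "CSR CN:     $(csr_cn "$dir/server.csr")"
    echo "CSR vs key: $(csr_matches_key "$dir/server.csr" "$dir/server.key")"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; skipping demo" >&2; fi
```

The `-rand` option from the post still exists, but it adds nothing on a modern server because OpenSSL seeds from the operating system's CSPRNG; the key-size argument of `gen_key` is where the 2048 versus 4096 decision from the text goes.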

Most SSL issuers have a service that relies on the Subscriber, or the Subscriber's authorized administrator, to approve all certificate requests for all hosts in the domain. It is important that you select the correct authorized administrator email. By selecting an authorized administrator, you warrant to the certificate issuer that this individual is authorized to approve the request. The request for the SSL server certificate will not be processed beyond this point if you select an incorrect email address.
This part is important and is part of the SSL certificate issuing process. Its purpose is to prevent someone else from having a certificate issued for your domain.

Be prepared with one of the following allowed e-mail addresses:
Registered Domain Contacts – This is when the SSL issuer has successfully obtained the domain contacts for this domain from the domain registrar. This will be the

Alternate Approval Email Addresses can be used, but you must make sure that such an e-mail account has been set up and is available before you provide the CSR, or the approval email will not be delivered.

Level 2 Domain Addresses as below are allowed:

Level 3 Domain Addresses as below are allowed:

Once you have received and approved the SSL certificate, it will be sent to you and you can install it on your web server.


Extract certificates from P7B

This will be a quick tutorial on how to convert a P7B file to certificates. Actually, we will extract the certificates from a PKCS #7 file using OpenSSL.
Here I have to mention one issue that is met really often, and it concerns the beginning and the end of the certificate you were given. It depends on the OpenSSL version, but for now, if the beginning and the end of the certificate look like:
-----BEGIN PKCS #7 SIGNED DATA-----
and
-----END PKCS #7 SIGNED DATA-----
this will lead to the following error when you try to extract the SSL certificates:
error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: PKCS7
Let's examine the P7B certificate to see how to avoid such an error.

 

Your certificate will probably be much longer, but I put [...] in mine to shorten the listing. Anyway, if your certificate has the same beginning and end, you should change it to:

I have changed:
-----BEGIN PKCS #7 SIGNED DATA-----
and
-----END PKCS #7 SIGNED DATA-----
to
-----BEGIN PKCS7-----
and
-----END PKCS7-----
in order to satisfy OpenSSL's "Expecting: PKCS7" requirement.

Now we can run the OpenSSL command that extracts the PKCS7 certificates from the P7B file.
Note: this command works on both Linux and Windows machines with OpenSSL installed.

The output, which prints the certificates stored in the p7b file, will be similar to this one:

All these certificates will be stored in the pem.cer file, as in the example. The first one is the certificate itself and the following two are the CAs that signed the certificate.

Another useful option is to merge the SSL certificate and key into a PFX file.


Compare SSL certificate and key matches with OpenSSL

This tutorial will show you how to check whether an SSL certificate and key match using OpenSSL. The original example is from the 'SSL/TLS Strong Encryption: FAQ', which answers the question: How do I verify that a private key matches its Certificate?
Sometimes clients that I am working with request their certificates in order to move a site to a different server.
For example, when a customer's business has grown and they are moving their site from Shared Hosting to Dedicated Hosting. Then it turns out that the last person who installed the certificate forgot to leave it in the server's certificate repository. Or only a key is left, without the actual certificate data, and the certificate has to be extracted, for example from a PFX file as in Extract SSL certificate and key from PFX file.

Anyway, in case you are not sure whether the certificate and key match, you can find out with the next OpenSSL command.
OpenSSL can be downloaded and installed from a Linux server repository, or the source can be taken from here: OpenSSL. Also, you can use the Windows version: OpenSSL for Windows.
To check that the public key in your certificate matches the public portion of your private key, you need to view the certificate and the key and compare the numbers printed after executing the OpenSSL command:
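The check referred to above, as an added shell example that is not part of the original post: `cert_key_match_rsa` is the FAQ's modulus comparison (hash the `Modulus=` line from both files and compare), and `cert_key_match` goes one step beyond the text and compares the exported public keys, which also works for EC keys, where there is no modulus. The `a.example` certificate and the unrelated second key are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the original post. Implements the FAQ check
# (compare the RSA modulus of certificate and key) and an algorithm-independent
# variant. The fixture files are constructed.
set -eu

# RSA-only check from the FAQ: hash the modulus from both files and compare.
# $2 is the openssl subcommand that can read the file: x509 for certs, rsa for keys.
modulus_fingerprint() {  # modulus_fingerprint <file> <x509|rsa>
    openssl "$2" -in "$1" -noout -modulus 2>/dev/null | openssl md5
}

cert_key_match_rsa() {  # cert_key_match_rsa <cert.pem> <key.pem> -> match|mismatch
    if [ "$(modulus_fingerprint "$1" x509)" = "$(modulus_fingerprint "$2" rsa)" ]; then
        echo match
    else
        echo mismatch; return 1
    fi
}

# Algorithm-independent check: export the SubjectPublicKeyInfo from both sides
# and compare the PEM text; works for RSA and EC keys alike.
cert_key_match() {  # cert_key_match <cert.pem> <key.pem> -> match|mismatch
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; return 1; fi
}

# Constructed fixture: a self-signed cert for key A, plus an unrelated key B.
make_fixture() {  # make_fixture <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.crt" \
        -subj "/CN=a.example" -days 1 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    echo "a.crt vs a.key (modulus): $(cert_key_match_rsa "$dir/a.crt" "$dir/a.key" || true)"
    echo "a.crt vs b.key (modulus): $(cert_key_match_rsa "$dir/a.crt" "$dir/b.key" || true)"
    echo "a.crt vs a.key (pubkey):  $(cert_key_match "$dir/a.crt" "$dir/a.key" || true)"
    echo "a.crt vs b.key (pubkey):  $(cert_key_match "$dir/a.crt" "$dir/b.key" || true)"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; skipping demo" >&2; fi
```

If the key still carries a passphrase, add `-passin pass:...` (or let OpenSSL prompt) to the `openssl rsa` and `openssl pkey` calls; a wrong passphrase makes the key side print nothing, which shows up as a mismatch rather than an error, so check the exit status as well as the word.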


Renew Windows SSL certificate when no key available

This tutorial, along with Extract SSL certificate and key from PFX file, will help you renew a Windows SSL certificate when no certificate key is available.

A key factor here is how your certificate was installed. In Migrate (move) SSL certificate from Windows to Linux we discussed how you will not be able to export a certificate if the 'Mark this key as exportable' option was not checked during the certificate installation.
Well, I hope your case is not the one I described; otherwise the only options are to ask the certificate authority for the key, or to purchase a new certificate.

In order to have your Windows SSL renewed, there are three steps that must be accomplished:

1. The existing Windows SSL certificate must be exported. If you are not familiar with the process, please read Export PFX file in Windows from IIS or Active Directory.

2. The exported PFX certificate must be separated into the SSL certificate and the key. This is the first tutorial I mentioned: Extract SSL certificate and key from PFX file.

3. The final part is to merge the new certificate with the exported key; how this can be done is described in: Merge SSL certificate and key in PFX file.

Once the certificate is merged into a PFX file, log in to the Windows server where you have to set it up for the domain.

Depending on the server configuration, you may have to put the certificate into the Active Directory certificate repository.


Merge SSL certificate and key in PFX file

This tutorial will show you how to merge an SSL certificate and key into a PFX file. This is useful when you are migrating an SSL certificate from a Linux to a Windows server, or if you Renew Windows SSL certificate when no key available.

For that purpose I am going to use a tool called OpenSSL, which you can install from the Linux server repository, or take the source from here: OpenSSL. Also, you can use the Windows version: OpenSSL for Windows.
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions.

Often I also use it to create self-signed certificates for Linux and for Windows, where again I have to merge the certificate and the key.


Extract SSL certificate and key from PFX file

In this tutorial I will show you how to extract the SSL certificate and key from a PFX file, and also how to remove the password from a private SSL key.
If you have landed on this tutorial and do not have a PFX certificate file, please visit: Migrate (move) SSL certificate from Windows to Linux.

The certificate extraction can be done with a tool called OpenSSL, which you can install from the Linux server repository, or take the source from here: OpenSSL. Also, you can use the Windows version: OpenSSL for Windows.

Once you have it installed, go to the folder where the PFX certificate is located and execute the following commands:
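Both PFX tutorials above (merge a certificate and key into a PFX file, and extract them again and remove the key password), as one added shell example that is not part of the original posts. It builds a throw-away CA and a leaf certificate it signs, merges leaf, key and CA into a PFX with `openssl pkcs12 -export`, extracts each part back with `-clcerts`, `-nocerts` and `-cacerts`, strips the key passphrase with `openssl rsa`, and proves the round trip by comparing the certificate fingerprint and the key's public part. The passwords, the `www.example.com` name and the "Demo CA" are constructed.

```shell
#!/bin/sh
# Added example, not code from the original posts. Merges cert, key and CA
# into a PFX (PKCS#12), extracts them back and verifies the round trip.
# Passwords, names and the CA are constructed for the demo.
set -eu

# Merge: '-certfile' carries the intermediate/root chain into the PFX.
merge_to_pfx() {  # merge_to_pfx <cert.pem> <key.pem> <out.pfx> <export-pass> [chain.pem]
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -out "$3" -passout "pass:$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
    fi
}

# Extract the private key (written passphrase-protected), the server cert, and the chain.
extract_key_from_pfx() {  # <in.pfx> <pfx-pass> <out.key> <key-pass>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -out "$3" -passout "pass:$4"
}
extract_cert_from_pfx() {  # <in.pfx> <pfx-pass> <out.crt>
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
}
extract_chain_from_pfx() {  # <in.pfx> <pfx-pass> <out.pem> -> prints number of CA certs
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3"
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# Remove the PEM passphrase so the web server can start unattended.
strip_key_passphrase() {  # <in.key> <key-pass> <out.key>
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# Helpers used to prove the round trip preserved the material.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
key_public_part()  { openssl pkey -in "$1" -pubout; }

# Constructed fixture: a throw-away CA and a leaf certificate it signs.
make_fixture() {  # make_fixture <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Demo CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj "/CN=www.example.com" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" -days 1 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    merge_to_pfx "$dir/leaf.pem" "$dir/leaf.key" "$dir/site.pfx" "export-pw" "$dir/ca.pem"
    extract_cert_from_pfx "$dir/site.pfx" "export-pw" "$dir/out.crt"
    extract_key_from_pfx "$dir/site.pfx" "export-pw" "$dir/out-enc.key" "key-pw"
    strip_key_passphrase "$dir/out-enc.key" "key-pw" "$dir/out.key"
    echo "CA certs in PFX: $(extract_chain_from_pfx "$dir/site.pfx" "export-pw" "$dir/chain.pem")"
    [ "$(cert_fingerprint "$dir/out.crt")" = "$(cert_fingerprint "$dir/leaf.pem")" ] && echo "cert round trip OK"
    [ "$(key_public_part "$dir/out.key")" = "$(key_public_part "$dir/leaf.key")" ] && echo "key round trip OK"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; skipping demo" >&2; fi
```

Caveat for the Windows direction: OpenSSL 3 exports PKCS#12 with AES-256-CBC and PBKDF2 by default, and some older Windows releases will not import that; OpenSSL 3's `openssl pkcs12` documents a `-legacy` flag (it needs the legacy provider) that produces the older encoding for such targets. The extracted `out.key` has no passphrase, so treat it like any other server key: owner-only permissions and never left in a world-readable export directory.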


Migrate (move) SSL certificate from Windows to Linux

Often, people who are not familiar with hosting servers are enticed by sales agents to buy new SSL certificates, because "it is not possible to migrate from Windows to Linux".
With this tutorial I will show you how to move an existing SSL certificate from a Windows to a Linux server.

Here I have to say that this tutorial will only work if the certificate was installed with this option checked: 'Mark this key as exportable. This will allow you to back up or transport your keys at a later time.' Check the screenshot below to see what I mean:
