This relates mainly to older servers since CAs now require 2048 bit keys and I kept running into a default of 1024 I couldn't change.
This is ripped from another blog (thanks rrustean.blogspot.com)
snip
cretate a file called c:\cert.inf with the following content:
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Now run the following:
certreq -new cert.inf outfile.req
Now just cut and paste the contents of outfile.req into the geotrust QuickSSL Premium Enrollment page and away you go.
snip
But that only goes half way.
To complete things for me loading a certificate into IIS I had to change the cert.inf file..
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Exportable = TRUE
The certificate is created under the current user and you need to export it and import to the machine account to access it in IIS.
Import the cert from the provider into your current user. Now you should be able to export it with it's private key and import it into the local machine account where IIS etc can see it.
Showing posts with label certificates. Show all posts
Showing posts with label certificates. Show all posts
Thursday, 16 January 2014
Tuesday, 10 September 2013
Cisco IOS certificate handling
This is primarily for sslvpn type stuff first off.
I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them. All in all they rock. Thanks startssl.com
Importing the cert so I can use it on the router. Seems simple but there are some gotchas.
StartSSL give you a private key..
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D
yeahrightlikeimgoingtogiveyoumykey
-----END RSA PRIVATE KEY-----
and a public key
-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----
First gotcha all they guides i've seen are old and say
crypto ca import
Most new IOS use instead
crypto pki
Second big gotcha is the IOS doesn't do AES. So see in the private key, 3rd line it has AES we need to convert that.
It's easy if you have a Mac or a Linux box. With windows you need to install openssl.
Save your private key on your Desktop as oldkey.pem, open the terminal and type
openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3
Open the newkey.pem file and your public key and download the CA certificate for your provider. They'll have a link in FAQs etc.
Log into the router, enable etc and go to config t.
To be continued
I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them. All in all they rock. Thanks startssl.com
Importing the cert so I can use it on the router. Seems simple but there are some gotchas.
StartSSL give you a private key..
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D
yeahrightlikeimgoingtogiveyoumykey
-----END RSA PRIVATE KEY-----
and a public key
-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----
First gotcha all they guides i've seen are old and say
crypto ca import
Most new IOS use instead
crypto pki
Second big gotcha is the IOS doesn't do AES. So see in the private key, 3rd line it has AES we need to convert that.
It's easy if you have a Mac or a Linux box. With windows you need to install openssl.
Save your private key on your Desktop as oldkey.pem, open the terminal and type
openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3
Open the newkey.pem file and your public key and download the CA certificate for your provider. They'll have a link in FAQs etc.
Log into the router, enable etc and go to config t.
To be continued
Monday, 22 September 2008
OSX server (Postfix) and certificates...
Well, we got a certificate from Thawte for this site and it worked fine for https and imaps but kept failing for smtps.
The log kept saying can't read the .crt file in /etc/certificates/.
Not a permissions problem. So I tried converting the file to pem etc but still no joy.
In the end the problem was the .key file which is des encrypted. So to get OSX server to work with smtps (and possible other postfix installs) you need to leave the key exposed and remove the passkey and encryption.
openssl rsa -infile file.key -outfile outfile.key
will remove the des encryption but you need to make the permissions tight, tight, tight on that file.
Hope this saves someone some time...
Subscribe to:
Posts (Atom)