Security

Hello,

 

I am new to this and my company has ordered a wildcard certificate (by godaddy.com) for our domain and subdomain name. Now I want to use it for my CP server but I am bit lost on how to do it.

 

I have my domain name cert and an intermediate cert, the private key saved on a txt and the password. So what do I need to do ?

 

On CPPM, I can see that I can import a Server Certificate and asks me for a Certificate File, Private Key File and Password. Any one can give some tips, thanks

 

Regards

 

Dimitri

What are you going to use the Cert for

SSL
.1x

Windows has an issue with trusting wildcard certs for 802.1x

The cert is for SSL.

 

Thanks

 

Dimitri

1. Make sure you import the Root and any Intermediate certs into the trust list

2. Combine the Wildcard cert with the Root and Intermediate if you can

    a. Some device do not trust godaddy intermediate certs so it help to combine the full trust chain.

    b. Digicert has an easy to understand how-to " http://www.digicert.com/ssl-support/pem-ssl-creation.htm "

3. Then you just import the newly created .pem file to CPPM

 

 

 

 

 

Creating a .pem with the Entire SSL Certificate Trust Chain

1. Log in to download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt) from within your DigiCert Customer Account.
2. Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:
   1. The Primary Certificate - your_domain_name.crt
   2. The Intermediate Certificate - DigiCertCA.crt
   3. The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: DigiCertCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: TrustedRoot.crt) 
-----END CERTIFICATE-----

Save the combined file as your_domain_name.pem. Your .pem file is now ready for use.

Creating a .pem with the Server and Intermediate Certificates

1. Log in to download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt) from within your DigiCert Customer Account.
2. With a text editor (such as wordpad), copy and paste the entire body of each certificate into one text file in the following order:
   1. The Primary Certificate - your_domain_name.crt
   2. The Intermediate Certificate - DigiCertCA.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: DigiCertCA.crt) 
-----END CERTIFICATE-----

Save the combined file as your_domain_name.pem. Your .pem file should be ready for use.

 

Ref- http://www.digicert.com/ssl-support/pem-ssl-creation.htm

 

EDIT: meh, that'll teach me doing tons of stuff at the same time. just see above for tarnolds explanation :)

 

Just import the certificate: /tips > Administration > Certificates - Server Certificate.

 

Make sure your Certificate includes the server certificate itself and all of the chain upwards to the CA.

For this just edit the server cert in a txt editor and then copy/paste all intermediate and other CA's under your server cert. It should look something like the cert chain for *.google.be below:

 

 

-----BEGIN CERTIFICATE-----
MIIEezCCA2OgAwIBAgIIRhUxDWF8j10wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMwODE0MjIwMTU3WhcNMTQwODE0MjIwMTU3
WjBlMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEUMBIGA1UEAwwLKi5n
b29nbGUuYmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCCe0oJbEOu
0JXsO6eHcll+PnvUehRCzFWNoKMsE6Kyzef1GshzMRk5a3R00OemcT8l90xW/A0l
ErE/yk8Fcb9HuIYEmHXqmmqMO+uekIpkrrH7Lp/w2fbjzouRFfrxJ8I8Y1IpEMa9
c+XI8vPG2Kz+sxwqNIl7zjRXwhAvGa05N6JnxvCgv1YXhQZxnhSyj3Xl+irQLUHZ
VRcX8thKyvKxnVVsl0fK82kVhz1PYevzqwYGbPLxzCz6VlQmNXfjp7tvbNGB70N8
RaTeNpo4TI/az9pUPDzNVCz9d5IeGLfUI0hDWUMxKA43LmtVXsFfbcPjH1f0qrXx
J970aPuHwUMxAgMBAAGjggFJMIIBRTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwIQYDVR0RBBowGIILKi5nb29nbGUuYmWCCWdvb2dsZS5iZTBoBggrBgEF
BQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFH
Mi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29j
c3AwHQYDVR0OBBYEFA0opURLlQjZlxLP6O348xy9tvFsMAwGA1UdEwEB/wQCMAAw
HwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wFwYDVR0gBBAwDjAMBgor
BgEEAdZ5AgUBMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNv
bS9HSUFHMi5jcmwwDQYJKoZIhvcNAQEFBQADggEBAJqTgZ4VhHpbjsdBKNTU6I7o
EGebjy5BggfMUCEyImvCkArGm9xWAZGOx3rZ6rCRxR+jw9wfTXnpGxnsQr+7atmr
zcvBg0poExYlib6eKfXvvbXCazTDLuU7l/IDQjW2O5LZ5AjV6ojZimcyzII2ihe0
K03ULes2L8Qz9aenfPP7or7HE0A9qlUJHBmyuHvnC+dX9N54aVT8IuhjXN6y6OK6
v6yMglY5OuXdvN65DDeq9bUQCNUDlc0kIofQndyUNzVJkvkFnw7IQjXlyOQzaXvd
mwMU+d0GQx7HAf5ozJ/g+w16ejiiWzoqxTpBh8WfrpnWxadHcner7/Drvh4k6Co=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----

 

Then include your private key file and the password and you should be golden.

 

Ok, the thing is that I have mydomain.crt file and a list of Go Daddy Certificate Chain .crt files. So I can't copy paste the entire body of the cert into a txt editor.

Just right click on the file and open with wordpad or change the .cer to .txt

edit: grrr, late again

 

boxcar: don't see why you can't copy past the stuff? All the certificates in your chain (other than your private key) should be public and provided by your certificate authority.

Can you clarify further why you can't just open every certificate in a txt editor and combine them in a new certificate-chain? You can open the .crt files in a txt-editor or open them and select the Copy to File button from the Details tab.

 

I am so dumb, I haven't tried right click and choosed an other programm to open it.

 

Another quick question : do I need to add the certificate on my IAPs ?

So I have created mycertificate.pem and copy paste my rsa private key (the one I get when I have done my CSR) into a .key but I have this error : Private Key File does not match the Certificate

 

Any idea ?

Double and triple check the password. :) also make sure the sever cert is the first in the list when you created the pem file

Ok thanks. But I don't have any password. I have generated my CSR with this site : https://csrgenerator.com/ and I have a RSA PRIVATE KEY only.

 

CPPM requires you to enter a password.

You maybe able to reset the password on the pkey, but with you being new to Certs I would recommend to just do a new CSR.

Generate it with CPPM and make sure you download both .csr and .pkey Have Godaddy reissue the cert. They usually give you a couple day buffer to redo it, but you might have to call into their support to reissue you the cert token.

The problem is that I can't do a CSR with CPPM because I can't have a CN with *.mydomain.ch.

 

Thanks

 

Dimitri

Its been a while since Ive done this. Give this a try

 

You will need to install OpenSSL

 

 

> openssl pkcs12 -export -inkey <yourServerPrivateKeyFile> -in <yourServerCertificateFile> -certfile<intermediateCAFilename> -certfile <rootCAFilename> -out <newCertifcateFile>.pfx

 

You might have to export it out as a .pem

 

Thanks but where do I need to install it ?

You need to install OpenSSL on your PC. On windows I use

http://code.google.com/p/openssl-for-windows/

Thanks, I'll try and give feedback.

 

Dimitri

Seems to work, thanks for the help :)

Make sure that when you combined the certs that they are in the right order and they are the correct certs.

You don't have to always combine the certs its just recommended because not all device trust the full chain


Server cert
Intermediate (there might be more than one intermediate)
Root CA

Open the original cert they sent you and look at the last tab and it should show you the full chain