Software Engineer @ DigitalOcean. Former Señor Technical Writer (I no longer update articles or respond to comments). Expertise in areas including Ubuntu, PostgreSQL, MySQL, and more.
Building future-ready infrastructure with Linux, Cloud, and DevOps. Full Stack Developer & System Administrator. Technical Writer @ DigitalOcean | GitHub Contributor | Passionate about Docker, PostgreSQL, and Open Source | Exploring NLP & AI-TensorFlow | Nailed over 50+ deployments across production environments.
Great summary, was recently looking for exactly something like that. Thank you for the write up.
I recently stumbled across https://shaaaaaaaaaaaaa.com/ summarizing the soon to come retirement of SHA-1.
It may be of use also for this tutorial to add the option
-sha256
to create the CSR.
I did that for a recent request from StartSSL and they offered a certificate accommodating the more secure requirements (passing also A+ on ssllabs.com)
Since you especially describe how to generate CSR for obtaining a certificate, it may be worth adding the option in order to be more future proof.
Best regards, Sebastian
Great summary. I want to know how I can add a key usage extension to a certificate, specifically to make it act as a local CA to sign other certificates.
I need to copy and paste the Certificate Signing Request (CSR). How do I get hold of it?
Too good. I was very happy after going through the articles. It helped me a lot. Especially the verification part.
Someone else created a CSR, and we got the final mail from the CA which gave the X509 certificates and the intermediate certificates only. Now I am not sure whether I am supposed to generate another private key based on the certificate; it would be great if you could explain this part.
Thanks
The command provided in section "Generate a CSR from an Existing Certificate and Private Key" generates a file with the plaintext CSR and the encoded version:
Certificate Request:
Data:
...
-----BEGIN CERTIFICATE REQUEST-----
MIICozCCAYsCAQAwXjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVk
Is there any option to output only the encoded version?
Great article. Learnt a lot. Thanks for sharing.
Abbas
Mitchell - Fantastic post! Just one slight correction:
openssl verify -verbose -CAFile ca.crt domain.crt
The option uses a lowercase "f", as in:
-CAfile
Thanks for this wonderful article; DO has always been a source of great articles.
I am facing an issue with my SSL certificate installation, if you could help me.
I bought a Rapid SSL and used the below command to generate the .csr and .key files:
sudo openssl req -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
I answered all questions which this command asked. I then provided the .csr to name.com and successfully generated the server/intermediate certificates. I then followed the steps mentioned at https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO17664 and installed this certificate at my nginx server. I was able to open the HTTPS version of my site as well.
Now, to try something else, I ran the command (sudo openssl req…) again with different answers this time and regenerated a new server.key file. Unfortunately, I didn't save the first server.key file. After modifying the nginx .conf file, when I tried to restart the server, I got the below error:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Seeing this error, I realized I had overwritten the server.key file. I tried to generate the key again with the same answers I gave the first time, but the key mismatch error still occurs.
My nginx server is still running and I am able to access the HTTPS version of the site, but my life is in trouble without the private key. I have gone through the below links but am still stuck:
I confirmed by running the below commands that my certificate (issued by name.com) and private key don't match:
openssl x509 -noout -modulus -in server_orig.cert | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
Is there anything which I can do to find out the private key since Nginx is still up and running? In case not, should I get the certificate re-issued by Geotrust?
Any help would be deeply appreciated.
Thanks!
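The mismatch check above, as an added example that is not part of the original tutorial or the commenter's setup: the modulus comparison from the comment works for RSA only, so the script also compares the public keys extracted from each file, which is the test nginx's SSL_CTX_use_PrivateKey_file performs and which works for EC keys too. The file names and the "demo.example" subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): decide whether a certificate
# and a private key belong together before handing them to a web server.
set -eu

# Return 0 if the public key inside certificate $1 equals the public key
# derived from private key $2, 1 otherwise. Works for RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Same decision using the modulus hashes quoted in the comment (RSA only).
rsa_modulus_matches() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$2" -noout -modulus | openssl md5)
    [ "$cert_mod" = "$key_mod" ]
}

# Constructed demo material: one key with its self-signed certificate, plus
# a second key generated afterwards (the overwritten-server.key situation).
# Prints the directory holding server.key, server.crt and regenerated.key.
make_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=demo.example" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -out "$dir/regenerated.key" 2048 2>/dev/null
    echo "$dir"
}

# Usage: . ./this_file; cert_matches_key server.crt server.key && echo match
```

A key that fails this check cannot be recovered from the running server; the certificate has to be reissued for the new key.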
It would be very useful to explain the creation of self-signed local CA pairs, signing CSRs, and installing this CA cert on clients.
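The local CA asked for in this comment and the key usage question above, as an added example that is not part of the original tutorial: the CA certificate gets the basicConstraints CA:TRUE and keyUsage keyCertSign extensions that let it sign other certificates, the server CSR is signed with SHA-256 as suggested earlier in the thread, and the issued certificate is verified with the lowercase -CAfile option. The names demo-ca and www.example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a minimal local CA that can
# sign certificates, a SHA-256 server CSR issued by it, and the chain check.
set -eu

# Build ca.key and ca.crt in directory $1. Extensions come from an extfile
# because "openssl x509 -req -extfile" behaves the same on 1.0.x, 1.1.x and 3.x.
make_local_ca() {
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$1/ca.ext"
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

# Create a server key and CSR for hostname $2 in $1, then have the local CA
# issue a leaf certificate that is explicitly not a CA itself.
issue_server_cert() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$2" > "$1/server.ext"
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# Return 0 if certificate $1 is marked as a CA allowed to sign certificates.
is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'Certificate Sign'
}

# Return 0 if certificate $2 chains to CA certificate $1 (lowercase f in -CAfile).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the signature algorithm of CSR $1, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
```

To trust the issued certificate on a client, distribute only ca.crt; ca.key stays offline.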