Hi all - I am trying to figure out how to add a wild card certificate given to me for a CentOS installation. I have a script that sets up HTTPS so I am a little familiar with things - but they provided me two files:

name_ee.crt
name_i1.crt

I'm not sure how to apply that to the /etc/httpd/conf.d/ssl.conf file? Anyone done that before?

My initial searches were not helpful.

Thanks,
Jerry
> On 15.06.2018 at 20:37, Jerry Geis <jerry.geis at gmail.com> wrote:
>
> Hi all - I am trying to figure out how to add a wild card certificate given
> to me for a CentOS installation. I have a script that sets up HTTPS so I
> am a little familiar with things - but they provided me two files:
> name_ee.crt
> name_i1.crt
>
> I'm not sure how to apply that to the /etc/httpd/conf.d/ssl.conf file?
> Anyone done that before?
>
> My initial searches were not helpful. Thanks,

And where's the private key?
Can you post the lines in the files that start with five (or so) dashes ("-")?
> And where's the private key?
> Can you post the lines in the files that start with five (or so) dashes ("-")?

They are all just ----- BEGIN CERTIFICATE ---- and everything else is encrypted of course. They did not give a private key - I presumed with a wild card it was not needed? Again - never done this so just guessing.

Thanks
Jerry
On 06/15/2018 02:37 PM, Jerry Geis wrote:
> Hi all - I am trying to figure out how to add a wild card certificate given
> to me for a CentOS installation. I have a script that sets up HTTPS so I
> am a little familiar with things - but they provided me two files:
> name_ee.crt
> name_i1.crt

Hi Jerry,

One is the public SSL certificate file itself and the other is probably the intermediate CA file. You also need the private key from whoever created the CSR for your wildcard certificate to be validated. Without the private key, the wildcard certificate is worthless.

For Apache in /etc/httpd/conf.d/ssl.conf ... it would look like something like this:

    SSLCertificateFile /path/to/name_ee.crt
    SSLCertificateKeyFile /path/to/privatekey.key
    SSLCertificateChainFile /path/to/name_i1.crt

Scott
> On 15.06.2018 at 21:07, Jerry Geis <jerry.geis at gmail.com> wrote:
>
> They are all just ----- BEGIN CERTIFICATE ---- and everything else is
> encrypted of course.

No, it's not. You can look at it with

    openssl x509 -text -in file.crt -noout

> They did not give a private key - I presumed with a wild card it was not
> needed? again -never done this so just guessing.

No. The certificate itself is what gets sent to every browser. It's not secret or encrypted. You need a certificate, the corresponding private key and in almost all instances the intermediate certificate (or certificates, depending on how many sub-CAs below the Root-CA it was issued from).

Normally (well, for certain definitions of normal), you generate the private key yourself and generate a CSR, a certificate signing request, from that key. The key is just 2048 bytes of random data. The CSR is what gets signed by the CA's private key and contains all the information in the certificate that you can view by clicking on the lock icon in the browser.

I usually do this like below:

    bla=the_domain.toplevel
    openssl req -newkey rsa:2048 -nodes -out $bla.csr -keyout $bla.key -sha256

(for wildcard, I usually call the files "star.domain.toplevel")

And then you can send the CSR to whoever has it signed, or in our case, I log into my managed PKI console and submit it myself for my supervisor to confirm it and then I download the certificate.

This is done because the private key should in theory never leave the system it was generated on, to ensure its secrecy. Sending a private key by email is NOT secure.
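An added example, not code from anyone in the thread, that ties the two replies above together: it generates a throwaway root CA, an intermediate and a wildcard end-entity certificate with openssl (the names demo-root, demo-int, *.example.test and the mktemp work directory are all constructed for the demo), reuses the thread's file names name_ee.crt and name_i1.crt, and then runs the three checks worth doing before touching ssl.conf: the private key really belongs to name_ee.crt, name_i1.crt really links it to the root, and the certificate's names cover the host you serve. It finishes by printing the Apache directives Scott listed, with paths under /etc/pki/tls that are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> wildcard leaf chain with openssl, then run the checks an admin should
# make before pointing ssl.conf at the files. Every name here (demo-root,
# demo-int, *.example.test, the work directory) is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test,DNS:example.test
EOF
}

# Generate root.crt, name_i1.crt (intermediate) and name_ee.crt (wildcard
# end-entity), mirroring the two file names from the thread, plus the private
# key that the CA never sees.
make_demo_chain() {
    write_config
    cd "$WORK"
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=demo-root" -keyout root.key -out root.crt 2>/dev/null
    openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-int" -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile demo.cnf -extensions v3_int -out name_i1.crt 2>/dev/null
    # The admin's side: key and CSR are generated locally; only the CSR leaves.
    openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.example.test" -keyout star.example.test.key \
        -out star.example.test.csr 2>/dev/null
    openssl x509 -req -in star.example.test.csr -CA name_i1.crt -CAkey int.key \
        -CAcreateserial -days 2 -sha256 -extfile demo.cnf -extensions v3_leaf \
        -out name_ee.crt 2>/dev/null
}

# Check 1: the private key belongs to the leaf certificate (same public key).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the intermediate links the leaf to the trusted root.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 3: the certificate's names (SAN) actually cover a given host.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Show the non-secret content of a cert, as the reply above suggests.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Emit the ssl.conf directives from the thread for the verified files.
apache_directives() {
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' \
        "$1" "$2" "$3"
}

make_demo_chain
cert_summary name_ee.crt
key_matches_cert name_ee.crt star.example.test.key && echo "key matches cert"
chain_verifies name_ee.crt name_i1.crt root.crt && echo "chain verifies"
cert_covers_host name_ee.crt www.example.test && echo "covers www.example.test"
# Assumed deployment paths; use whatever your ssl.conf actually points at.
apache_directives /etc/pki/tls/certs/name_ee.crt \
    /etc/pki/tls/private/star.example.test.key /etc/pki/tls/certs/name_i1.crt
```

If the key check fails, the .key file is not the one the CSR was made from and nothing else matters; if the chain check fails, browsers that do not already cache the intermediate will show an untrusted-issuer error even though the leaf looks fine. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediate can instead be appended to the file named by SSLCertificateFile.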
On 2018-06-15, Jerry Geis <jerry.geis at gmail.com> wrote:
> Hi all - I am trying to figure out how to add a wild card certificate given
> to me for a CentOS installation.

You've already got the cert so it's not totally relevant, but in the future you can consider using Let's Encrypt. They won't distribute wildcard certs but unless you have lots of subdomains you can simply request a cert for every domain you need. LE has packages for CentOS which can plug in to Apache automatically, so configuration is quite straightforward.

--keith

-- 
kkeller at wombat.san-francisco.ca.us
On 06/15/2018 06:11 PM, Keith Keller via CentOS wrote:
> You've already got the cert so it's not totally relevant, but in the
> future you can consider using Let's Encrypt. They won't distribute
> wildcard certs but unless you have lots of subdomains you can simply
> request a cert for every domain you need.

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

Wildcard support is new, but it's available! :)