HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   Moving an SSL cert from another server (http://www.howtoforge.com/forums/showthread.php?t=54030)

msp 3rd September 2011 13:49

Moving an SSL cert from another server
 
Hi there

I previously hosted some websites with a shared host (i.e. 3rd party provider) using IIS on Windows, now I've moved them to my own VPS with ISPConfig installed (i.e. I'm the provider). I'm using "The Perfect Server - Debian Squeeze" installation.

Although I previously used a shared hosting environment, my provider had purchased an SSL certificate for one of my domains (using RapidSSL) and installed it to my site. The certificate was for a domain name as opposed to an IP address.

He has now kindly sent me the certificate file (.pfx) and a separate password which he said is used for installing the certificate. I've checked this certificate and password by installing it on my personal computer (Windows) in the personal certificate store, to verify the password worked okay.

I tried to export the certificate from my personal store in a different format so that I could paste the certificate text into the SSL tab for a site in ISPConfig ... but when I visit the site over https, I get

SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.


How do I get this certificate into one of my sites in ISPConfig?

Thanks

mentes 3rd September 2011 17:27

You can convert your certificate using

Code:

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

More info at https://www.sslshopper.com/ssl-converter.html

msp 3rd September 2011 17:42

Thanks for that. So now I have a file which reads something like the below.

- Which sections of the below do I paste in to which fields of the SSL tab for my site in ISPConfig?

- Do I include the ---Begin Certificate--- and ---End Certificate--- lines as well?

- Should I be using the "Create Certificate" option, or "Save Certificate"?

- What about entries for state / locality / OU fields? Can these be anything?

Thanks!


Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: [random 70 character code here]
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
[13 lines of random code here]
...
...
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: [mydomainnamehere.com]
subject=/serialNumber=[34 character code]=GB/O=www.mydomain.com/OU=[morecode]/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=www.mydomain.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[20 lines of code]
...
...
-----END CERTIFICATE-----

mentes 3rd September 2011 23:32

Create a certificate in ISPConfig using "Create Certificate" and replace these files with your previous certificate.

/var/www/domain.com/ssl/domain.com.key
/var/www/domain.com/ssl/domain.com.csr
/var/www/domain.com/ssl/domain.com.crt

Then paste the content of domain.com.crt and domain.com.csr in ISPConfig and use "Save Certificate"

* All is explained step by step with screenshots in the ISPConfig 3 Manual

msp 4th September 2011 20:16

Thanks.

I downloaded the ISPConfig 3 Manual just now, and read the section about "how do I import an existing SSL certificate into a website that was created later in ISPConfig".

However I have one more problem.

I wasn't given a CSR file by my previous ISP. (The certificate request.) Just a .pfx file.

What should I do? Will I need this csr file?

mentes 4th September 2011 20:57

Well, .csr has the owner information, like domain, organization, location, ...

I think if you use the same information to generate both certificates (self-signed on ISPConfig and CA signed) you get the same .csr

This means you can use your ISPConfig signed with your CA signed

msp 4th September 2011 22:52

Hey

Just to report back a success in case anyone else can benefit from this.

So I generated a certificate request using ISPConfig and entered the same details found in the certificate issued by the trusted CA (Equifax) into the ISPConfig SSL tab.

Actually, my imported certificate had multiple OU entries, and ISPConfig doesn't have the option to input more than one, so I simply entered the first one in the chain of OUs from my certificate.

Then I selected "create certificate" and save.

Using the advice given on the first response to this thread, I converted my PKCS12 certificate into a CER (plain text) using the -nodes switch. This gave me a plain text file with sections for the private RSA key and the certificate. At the top of this file was also the OU and Company name found on the certificate issued by the Trusted CA.

I then replaced the private and public keys into the corresponding certificate files (these are in the SSL folder for a given site created in ISPConfig) but LEFT the CSR (certificate request) file as-is.

Then I went back into the SSL tab for the given site in ISPConfig and pasted in the certificate text, but LEFT the CSR (cert request) as is there. Then select "save certificate" and save.

Suddenly I was able to browse to the https:// version of my site.

NB Google Chrome did give me a certificate error, and to fix this I had to tell ISPConfig about the public IP address of my server using the menu: ISPConfig > System > Server IP Addresses. I had previously not done this. (I'm using an external name server, I think this is why I didn't have to do that previously.)

After doing this, I found my site on https:// worked with no certificate errors - FIXED.

I found I didn't need to then go back into Sites and set the IP address for the given site. I think the reason for that is specific to the fact I'm not using my server as an NS. (?) However I did this anyway, and it broke my site... I selected the wildcard again, and it worked again... but that's another story.

Hope the above helps someone.
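As an added example (not part of this thread, and not ISPConfig's own tooling), the script below does what the conversion advice earlier in the thread and the final write-up describe, but in a form that avoids the mistake of pasting the whole combined .cer file: it splits a .pfx into a separate key file and certificate file with the Bag Attributes stripped, and checks that the key really belongs to the certificate before the files are dropped into /var/www/domain.com/ssl/. The .pfx it works on is a throwaway self-signed one it builds itself, so it runs offline; the WORK directory, password and subject are assumptions.

```shell
#!/bin/sh
# Constructed example: build a throwaway .pfx, split it into the separate
# key and certificate files ISPConfig expects, and verify they match.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# make_test_pfx: self-signed cert + key bundled into a password-protected
# PKCS#12 file, standing in for the .pfx a provider would hand over.
make_test_pfx() {
  pfx="$1"; pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=GB/O=www.example.com/CN=www.example.com" \
    -keyout "$WORK/tmp.key" -out "$WORK/tmp.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/tmp.key" -in "$WORK/tmp.crt" \
    -out "$pfx" -passout "pass:$pass"
  rm -f "$WORK/tmp.key" "$WORK/tmp.crt"
}

# split_pfx: private key and leaf certificate into two clean PEM files.
# -nodes leaves the key unencrypted, which is what Apache needs at startup;
# piping through "openssl rsa"/"openssl x509" drops the Bag Attributes.
split_pfx() {
  pfx="$1"; pass="$2"; key="$3"; crt="$4"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    | openssl rsa -out "$key" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$crt"
  chmod 600 "$key"   # the key must not be world-readable on the VPS
}

# key_matches_cert: succeeds only when the key's public part equals the
# public key inside the certificate (the usual cause of SSL handshake
# errors after a manual import is a key/cert mismatch).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}

make_test_pfx "$WORK/certificate.pfx" "secret"
split_pfx "$WORK/certificate.pfx" "secret" "$WORK/domain.key" "$WORK/domain.crt"
key_matches_cert "$WORK/domain.key" "$WORK/domain.crt" && echo "key and certificate match"
```

With a real .pfx, skip make_test_pfx, point split_pfx at the provider's file, and copy the resulting domain.key and domain.crt over the ones ISPConfig created with "Create Certificate".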

