Moving an SSL cert from another server

Discussion in 'Installation/Configuration' started by msp, Sep 3, 2011.

  1. msp

    msp New Member

    Hi there

    I previously hosted some websites with a shared host (i.e. 3rd party provider) using IIS on Windows, now I've moved them to my own VPS with ISPConfig installed (i.e. I'm the provider). I'm using "The Perfect Server - Debian Squeeze" installation.

    Although I previously used a shared hosting environment, my provider had purchased an SSL certificate for one of my domains (using RapidSSL) and installed it to my site. The certificate was for a domain name as opposed to an IP address.

    He has now kindly sent me the certificate file (.pfx) and a separate password which he said is used for installing the certificate. I've checked this certificate and password by installing it on my personal computer (Windows) in the personal certificate store, to verify the password worked okay.

    I tried to export the certificate from my personal store in a different format so that I could paste the certificate text into the SSL tab for a site in ISPConfig ... but when I visit the site over https, I get

    SSL connection error
    Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.


    How do I get this certificate into one of my sites in ISPConfig?

    Thanks
     
  2. mentes

    mentes New Member

  3. msp

    msp New Member

    Thanks for that. So now I have a file which reads something like the below.

    - Which sections of the below do I paste in to which fields of the SSL tab for my site in ISPConfig?

    - Do I include the ---Begin Certificate--- and ---End Certificate--- lines as well?

    - Should I be using the "Create Certificate" option, or "Save Certificate"?

    - What about entries for state / locality / OU fields? Can these be anything?

    Thanks!


    Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: [random 70 character code here]
    Key Attributes
    X509v3 Key Usage: 10
    -----BEGIN RSA PRIVATE KEY-----
    [13 lines of random code here]
    ...
    ...
    -----END RSA PRIVATE KEY-----
    Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: [mydomainnamehere.com]
    subject=/serialNumber=[34 character code]=GB/O=www.mydomain.com/OU=[morecode]/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=www.mydomain.com
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    [20 lines of code]
    ...
    ...

    -----END CERTIFICATE-----
     
  4. mentes

    mentes New Member

    Create a certificate in ISPConfig using "Create Certificate" and replace these files with your previus certificate.

    /var/www/domain.com/ssl/domain.com.key
    /var/www/domain.com/ssl/domain.com.csr
    /var/www/domain.com/ssl/domain.com.crt

    Then paste the content of domain.com.crt and domain.com.csr in ISPConfig and use "Save Certificate"

    * All is explained step by step with screenshoots in ISPConfig 3 Manual
     
  5. msp

    msp New Member

    Thanks.

    I downloaded the ISPConfig 3 Manual just now, and read the section about "how do I import an existing SSL certificate into a website that was created later in ISPConfig".

    However I have one more problem.

    I wasn't given a CSR file by my previous ISP. (The certificate request.) Just a .pfx file.

    What should I do? Will I need this csr file?
     
  6. mentes

    mentes New Member

    Well, .csr has the owner information, like domain, organization, location, ...

    I think if you use the same information for generate both certificates (self-signed on ISPConfig and CA signed) you get the same .csr

    This means you can use your ISPConfig signed with your CA signed
     
  7. msp

    msp New Member

    Hey

    Just to report back a success in case anyone else can benefit from this.

    So I generated a certificate request using ISPConfig and entered the same details found in the certificate issued by the trusted CA (Equifax) into the ISPConfig SSL tab.

    Actually, my imported certificate had multiple OU entries, and ISPConfig doesn't have the option to input more than one, so I simply entered the first one in the chain of OUs from my certificate.

    Then I selected "create certificate" and save.

    Using the advice given on the first response to this thread, I converted my PKCS12 certificate into a CER (plain text) using the -nodes switch. This gave me a plain text file with sections for the private RSA key and the certificate. At the top of this file was also the OU and Company name found on the certificate issued by the Trusted CA.

    I then replaced the private and public keys into the corresponding certificate files (these are in the SSL folder for a given site created in ISPConfig) but LEFT the CSR (certificate request) file as-is.

    Then went back into the SSL tab for the given site in ISPConfig, and pasted-in the certificate text, but LEFT the CSR (cert request) as is there. Then select "save certificate" and save.

    Suddenly I was able to browse to the https:// version of my site.

    NB Google Chrome did give me a certificate error, and to fix this I had to tell ISPConfig about the public IP address of my server using the menu: ISPConfig > System > Server IP Addresses. I had previously not done this. (I'm using an external name server, I think this is why I didn't have to do that previously.)

    After doing this, I found my site on https:// worked with no certificate errors - FIXED.

    I found I didn't need to then go back into Sites and set the IP address for the given site. I think the reason for that is specific to the fact I'm not using my server as an NS. (?) However I did this anyway, and it broke my site... I selected the wildcard again, and it worked again... but that's another story.

    Hope the above helps someone.
     

Share This Page