My web host is shutting down - as they have been bought out. I am having difficulty getting my SSL certificate from them.. I am on my 3rd attempt and I have managed to get 2 files.. one I believe is the initial CSR, the Other is my Private Key .KEY file (although the Hosting Provider has been giving me them and claiming they are .crt - they are not) - that would be my actual Certificate!
I have my CSR file which is headed by -----BEGIN CERTIFICATE REQUEST-----, I have my Private KEY file which is headed by -----BEGIN RSA PRIVATE KEY-----
Is there any way fro me to use both of these components to produce my .crt file - I am not sure if my hosting provider (what is left of their support team ) knows the difference between these three files. Of course I am certainly learning myself. I had just purchased that cert from them about 4 months ago and I need it.
So is there any way I can use my two files .CSR and .KEY to generate
my .crt file ?
There is no way to re-create your certificate from the private key and certificate signing request (CSR), unless the certificate was self-signed. However, if the website is still up you can simply connect to the website with various tools and retrieve the certificate that way. Make sure you also retrieve any intermediate certificates as well, although these can almost certainly be obtained from your certificate authority (CA) website as well.
How can we setup an SSL for azure service fabrics website domain, since the server is going to run on 10 nodes. When i buying the certificate it is asking for CSR file. Where can i generate the CSR file since website is running on 10 nodes. How can i generate the CSR file regarding azure service fabrics website
I know about azure key vault where we will upload the the certificate and install on the nodes, but before doing that how can we generate CSR and get the Certificate from the providers like Symantec/Geotrust/godaddy
Can any one guide me for process of generating the CSR regarding azure service fabrics since it going to run on 10 nodes?
TLS certificates help create an encrypted channel between a browser and a web server while also authenticating the identity of the website that owns the cert. Your certificate is issued for one or more domain names, not nodes. You can use it on any number of nodes as long as the domain name the cert is issued for matches the site you are serving.
Most cert vendors provide tools to generate Certificate Signing Requests. An OpenSSL approach to the problem looks like this:
openssl req -new -sha256 -key domain.com.key -out domain.com.csr
I have tried an online version, but that turned out to not be exportable.
can't get openssl to work on my only (windows) comp for some reason.
I can't find a linke to download IIS full - which presumably has an IIS manager with it. I can only get iisexpress to run.
How do i generate a CSR that I can export to a .pfx (using a private key) so that I can upload said .pfx to azure?
Thanks!
You don't have to download IIS from internet. It's already in your PC. You can turn it on by: Control Panel -> Programs and Features > Turn Windows features on or off. Check Internet Information Services to proceed installation:
Install IIS on you PC
Once you done CSR creation, you can submit it to certification provider so that you will get a pfx.
Install IIS
Create CSR
Copy Txt and paste it into your certificate request
Complete the SSL certificate order
Compete the domain ownership verification by the supplier of the SSL
Supplier will email you a link to download PFX (if you are lucky), or they will email you a bunch of text starting with '---BEGIN CERTIFICATE--'
Paste that into a new text file, save as: cert.cer
Import that into your certificate store
Export the certificate as a PFX, choose a password (keep it somewhere safe)
I need to create a csr file to give it to someone.
The csr file is for a SSL certificate for a azure web app.
When I google I find inconsistent information about where to generate the csr file.
Some sources say: I have to create the csr file on the server the web app is running.
In my case the server on azure is unknown. I can not run anything there...
Or is it ok to create the csr on my local pc with all company data + the subject filled out with the custom domain?
openssl is installed in the console, you can generate the files there. You will have to specify all of the settings necessary in the original command to openssl because it is supposed to prompt you with questions but it doesn't work at present. So something like this:
openssl req -new -newkey rsa:2048 -nodes -out yoursite_com.csr -keyout yoursite_com.key -subj "/C=US/ST=California/L=San Francisco/O=Your Site Inc./OU=Engineering/CN=yoursite.com"
once you have your csr you can't open it from the console, you actually have to use Kudu (click on Advanced Tools) to open the file and copy the contents.
You're able to create a cer-file with the help of the Certreq.exe or OpenSSL tool.
For more details, please have a look at the official documentation how to enable HTTPS for an app in Azure App Service.
Others have provided valuable insights on those facts:
That you can (and in case of Azure Web App, basically have to) generate the CSR on a different machine, than the target server (the one, which will be using the certificate).
Tools, which you can use to generate the CSR (e.g. openssl, DigiCert utility).
An alternative way to obtain certificate for Azure Web App (Azure App Certificate Service).
Maybe I'm missing something, but I do not see an answers on:
Why would you want (or even should) generate the CSR on the target machine?
Why don't you actually have to?
My approach to answering those two questions I would start with the fact, that generating CSR is actually a process, that produces two artifacts, where the obvious part - the request for certificate - is probably the less important one for this matter. The more important one, which also actually has to come first, is the RSA key pair being generated, where the public part of the pair is used in the CSR request, and the private one is the crucial part of the whole goal of using the certificates.
Although the key pair is usually being generated using entropy data based on the hardware, so specific to the machine you are using, the outcome (the key pair) may be used anywhere, as the key values are only mathematically bound to each other. The CSR content is based on the public key and the subject of the requested certificate, so again, there's nothing in there, which can't be used elsewhere. This explains why there's no technical limitation on actually generating the CSR (and keys) on a different machine/service, than the one, which will actually be using it, so the question number 2 is addressed.
The answer to the question number 1 comes from the crucial feature of the private key, which is being generated in the process. This crucial feature is that it should remain private. The ideal being only the sole user of the certificate identity being able to use it. That "user" would be the target service (the web server). When you generate the key elsewhere, you are responsible for protecting it on that environment and in transit to the target. This is often an unnecessary risk. The suggested solution is often to generate the key in the target certificate/key store, with private key protection, which prevents the private key from being extracted (exported) from the store. Even the target service (web server) will actually not be able to extract/read it (but will be able to use it). As the key pair is generated in the CSR creation process, this means that this process should be executed where that store is, and by that store features. This should answer this question. As a side note, the DigiCert tool as well as the IIS manager UI are using the Windows cert stores, which do add a protection layer for the private key, but they do mark the key as exportable, which allows key extraction. The OpenSSL tool (on Windows) generates the key outside of the Windows cert stores (as files), so you can easily access it, which is not that secure.
I've found this article: https://www.namecheap.com/support/knowledgebase/article.aspx/9854//how-to-generate-a-csr-code-on-a-windowsbased-server-without-iis-manager, which mentions 3 additional ways/tools for generating the CSR, where the first one (using Certificates snap-in in Microsoft Management Console) actually does allow you to mark the private key as not exportable.
Of course, in your case, the ability to take (e.g. export) the private key is crucial, as you have to generate the CSR elsewhere, as the Azure Web App cert store has currently no feature allowing generation of the CSR.
Instead of doing it manually, an option is to search through the extra services for "App Certificate Service" which will provide you with a wizard for buying an SSL certificate and then binding it to your application. It's much simpler and quicker than generating a CSR by hand, and it's a lot less confusing as well. The documentation was verbose and wasn't really clear on whether or not we're supposed to remote into the server and generate the CSR there, etc, so I highly suggest doing it via the App Certificate Service.
For example, do it in the command line with ssl in your local machine:
create csr:
openssl req -new -newkey rsa:2048 -nodes -keyout yourprivate.key -out yourdomainname.csr
here you already have generated the crt and bundle file:
next step to create pfx: openssl pkcs12 -export -out certificate.pfx -inkey yourprivate.key -in nameofyourcertfile.crt -certfile nameofyourtcacertfile.ca-bundle
after you can upload your certificate.pfx file into Azure App Services and bind to your custom domain
You have to buy a certificate and setup for your naked and www domain, because Azure currently only provide free, managed certificate for www domain.
I need to create a Web Role in Azure with an https endpoint with a real SSL certificate (not self-signed). So I need my own domain, which I have, and have pointed it at my "me.cloudapp.net" URL via a CNAME in my hoster's DNS.
I have purchased a certificate for that domain also. I need to upload that into my Azure portal for the web role, but I can't - Azure gives me an error when I try.
The certificate came in the form of 2 zip files (I'm new to buying certs). One zip has 3 .crt files, and the other has 1 .cer file. Azure requires a .cer or .pfx, so I tried the .cer. It fails with the error "The certificate is not valid, or the password is incorrect."
There is a .crt file in the zip folder that has 3 files that has the same name as the .cer file. If I change the extension of this .crt file to .cer, it will upload, but when I try to publish my deployment, I get the error
"Certificate with thumbprint 3329398FB72BFCC7EF89C90B950D722C6047C2A1 associated with HTTPS input endpoint EndpointForThat does not contain private key. The long running operation tracking ID was: 010a29856c1948f39e71620446223b4e.".
You have to first complete the certificate request process on the machine from which you initiated the request. The process for doing this varies by technology stack. Here is a page from Comodo on how to install certificates on various platforms.
After you have completed the request on the machine that initiated it, then you can export the certificate. That new file is what you need to upload to Azure.
For HTTPS endpoint you need to upload a PFX file.
PFX file is combination of Private Key + Public key.
What you have now is
.cer - public key
.crt - private key
You need to combine the .crt file that matches the name of .cer file into a single .pxf file.
Check this SO question and its answers to get it done.