I bought a Digicert SSL Certificate and need help


#1

Hi,

This is my first time venturing into the world of SSL certs and I am experimenting on my home network.
I want to use it for the VPN, Web Admin, and Captive Portal.

The information on this forum all refers to self-signed certificates but I am not sure how to implement the purchased certificate.

I am confused about what to enter in the “Private” and “Local Public key” sections of the Certificate Manager.

Any help is greatly appreciated,

Thanks!

Rogier


#2

Did you check here?


I am aware this is still about self-signed certificates. I was just wondering where you generated the CSR from and what domain address you used?


#3

Hi HCG,

I created the CSR with my Synology Disk Station for my domain name mac-expert.biz

Smiles across the wires,

Rogier


#4

Ok.
So, like in the article, can you make a copy of the private key that you generated when you created the CSR, open it in something like Windows Notepad, and cut and paste it into the private key area for the appropriate https connection? Then likewise open the file sent back by the CSR and cut and paste that into the public area. You may come across two issues.

  1. The signed certificate that was sent back to you may not be in the correct format. You may have to run it through a converter first. See https://helpdesk.ssls.com/hc/en-us/articles/204093372-What-are-certificate-formats-and-what-is-the-difference-between-them-?mobile_site=true.
  2. Where the public certificate has been signed by a public authority, rather than an internal CA, you may find it may not include the intermediate certificate. Open the signed certificate and see if it does. If not, the public signing authority will provide you with the intermediate certificate. See, as an example:
    https://uk.godaddy.com/help/what-is-an-intermediate-certificate-868
    You would then need to concatenate your certificate with the intermediate certificate before you can copy and paste it into the public area for the connection in question. See
    https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm

#5

Hi HCG,

Thank you very much for all your advice!

I read it and tried to understand it all but I am running into some very basic questions.

When I want to add my own certificate I am facing the basic questions:

Private Key (pem encoded)

  • Is this the csr that I created when I applied for the SSL by Digicert?
  • Does it matter it has been generated on my Synology NAS?

Local Public Key Certificate (pem encoded):
Is this the "server.csr" that was provided to me by Digicert?

I opened both CSRs with text edit and copied them in these fields but I receive the error that it's not a matching pair.

Thank you so much for your advice!

Rogier


#6

Hello Rogier,

Have a look at https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file as this explains the differences between the .csr, .pem and .key file extensions.

In essence:

csr - This is a Certificate Signing Request.

pem - This is a container format that may include just the public certificate or may include an entire certificate chain including public key, private key, and root certificates.

key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.

I looked at https://www.synology.com/en-uk/knowledgebase/DSM/tutorial/General/How_to_enable_HTTPS_and_create_a_certificate_signing_request_on_your_Synology_NAS to see how you might have used it in this process.

So in the section “To create a certificate signing request (CSR):” part 4 you will have filled in your details, and let's assume you did not password protect the keys. Now in step 6 you should have 2 files. The “server.csr” you submit to Digicert and the private key “server.key”.

Let's assume the “server.key” is base64 format. If you open your server.key in Notepad it should look a bit like below. Copy and paste all of this into the “private key” section. Never give this key to anyone.

-----BEGIN FOO BAR KEY-----
MIIBgjAcBgoqhkiG9w0BDAEDMA4ECKZesfWLQOiDAgID6ASCAWBu7izm8N4V
2puRO/Mdt+Y8ceywxiC0cE57nrbmvaTSvBwTg9b/xyd8YC6QK7lrhC9Njgp/
-----END FOO BAR KEY-----

So when you used the “server.csr” with Digicert they should have sent you back a file like yourdomainname.crt. If you open this in Notepad you will see a similar base64 layout. Copy and paste all this into “Local Public Key Certificate”. If the file just has the signed key and the connection does not work, you may need to follow the process at https://www.digicert.com/ssl-support/pem-ssl-creation.htm to add in the intermediate and root certificates.

Note from what you told me earlier that this cert will only work for yourdomainname.com not connections like www.yourdomainname.com or ftp.yourdomainname.com. For that you need to buy the more expensive wildcard certificate.

Also if you open say a https browser connection and you get an untrusted message this means the connection process cannot verify the whole certificate chain.

If you want, have a look at my short blog post - http://www.supportict.co.uk/ssloverview/
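The "not a matching pair" error from post #5 and the concatenation step from post #4, as an added example that is not from any poster in this thread: it tells a key, a CSR and a certificate apart by their PEM header and checks that a key and certificate carry the same public key. It assumes the `openssl` command-line tool is installed; the function names are hypothetical, every file is constructed, and a local test CA stands in for the public CA's intermediate.

```shell
# Added example. Every file is a constructed throwaway, not a CA-issued certificate.
# What a PEM file holds, judged by its first BEGIN line.
pem_kind() {
  case "$(grep -m1 -e '-----BEGIN' "$1")" in
    *'CERTIFICATE REQUEST'*) echo csr ;;
    *CERTIFICATE*)           echo certificate ;;
    *'PRIVATE KEY'*)         echo private-key ;;
    *)                       echo unknown ;;
  esac
}

# SHA-256 of the public key carried by a private key, CSR or certificate.
pubkey_digest() {
  case "$(pem_kind "$1")" in
    private-key) set -- pkey -in "$1" -pubout ;;
    csr)         set -- req -in "$1" -noout -pubkey ;;
    certificate) set -- x509 -in "$1" -noout -pubkey ;;
    *)           return 1 ;;
  esac
  pub=$(openssl "$@" 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only if $1 is a private key, $2 starts with a certificate, and both
# carry the same public key. A CSR in either slot is rejected.
is_matching_pair() {
  [ "$(pem_kind "$1")" = private-key ] && [ "$(pem_kind "$2")" = certificate ] &&
    k=$(pubkey_digest "$1") && [ "$k" = "$(pubkey_digest "$2")" ]
}

# Number of certificates in a file: 1 means no intermediate is bundled.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Build constructed sample files in directory $1; a local test CA stands in
# for the issuing (intermediate) CA.
make_demo_files() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 1 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null &&
  cat "$1/server.crt" "$1/ca.crt" > "$1/fullchain.pem"  # own cert first
}

demo=$(mktemp -d) && make_demo_files "$demo"
for f in server.key server.csr server.crt fullchain.pem; do echo "$f: $(pem_kind "$demo/$f")"; done
is_matching_pair "$demo/server.key" "$demo/server.csr" || echo "key + csr: rejected"
is_matching_pair "$demo/server.key" "$demo/fullchain.pem" && echo "key + fullchain: match"
```

`openssl x509` reads only the first certificate in a file, so the concatenated bundle matches the key only when the server's own certificate comes before the issuer's.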


#7

Thanks for all your time!

This is way above my head… Guess I will be using this certificate to sign my emails and will have to outsource the network security to Sonicwall or Sophos…:exploding_head: