Generating a CSR for GoDaddy

borgmember
Hi,

I have a JEOS web server. I need to make a CSR for GoDaddy so I can get an SSL cert made. I will then need to import that to install the cert. I thought I had apache1 but when I use the locate command it only turns up apache2 directories. All of the guides say to use openssl, but I do not have that. Please recommend a site or give directions on how to do this.

Thanks
Where is your web server running? Which OS?

If it's linux you can install the openssl module for apache using your linux package manager.

Author

Commented:
It is JEOS Ubuntu Linux. I tried:

root@deskpro:/# apt-get install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ca-certificates openssl-doc
The following NEW packages will be installed:
  openssl
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 385kB of archives.
After this operation, 819kB of additional disk space will be used.
Err http://us.archive.ubuntu.com hardy-updates/main openssl 0.9.8g-4ubuntu3.8
  404 Not Found [IP: 91.189.88.30 80]
Err http://security.ubuntu.com hardy-security/main openssl 0.9.8g-4ubuntu3.8
  404 Not Found [IP: 91.189.88.31 80]
Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.8_i386.deb  404 Not Found [IP: 91.189.88.31 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Doesn't look like it worked. Any more ideas?
First try running the 'apt-get update' and 'apt-get update --fix-missing' like the command suggested.

If that doesn't work you can try this guide here:
https://help.ubuntu.com/community/OpenSSL

I've only set up openssl on fedora and I just used the package manager. Sorry I can't be of much more help.

Author

Commented:
No matter what guide I try I get "invalid CSR" from GoDaddy. Here are the commands I used. The verify command even works but GoDaddy will not take it.

openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

You may wish to verify the signature, and information contained in the certificate request. Verify the signature with this command:

openssl req -in myreq.pem -noout -verify -key mykey.pem

and verify the information with this command:
openssl req -in myreq.pem -noout -text
Paranormastic, Cryptographic Engineer

Commented:
Generate the keyset first:
openssl genrsa -aes256 -out YourSite.domain.com.key 2048

Then create the CSR file to submit to GoDaddy:
openssl req -new -sha1 -key YourSite.domain.com.key -out YourSite.domain.com.csr

You can replace .key and .csr with .pem if you like.  Open the .csr file with a basic text editor to copy contents to godaddy's site for the request file box.

Author

Commented:
I was able to follow the steps and have it make the files. However I still get "Invalid csr entered" when trying to get the cert from godaddy. Any more ideas? I might need to call them and see if they can help. When I did all of this for the Windows server I had no problems.
Paranormastic, Cryptographic Engineer

Commented:
You are entering the entire contents without changing anything, right?  From -----Begin Certificate Request------ to the end ----- including the dashes?  It's coming from the .csr file, yes?

GoDaddy supports 2048 certs, although I'm not positive that all of their products do.  Maybe try changing to a 1024 instead and try that?  

This is for a public address, like site.domain.com, right?  Not for server1 with no dns suffix?  I think godaddy has issues with internal names and I think I heard a rumbling once if you're using an IP address for the subject name although technically that should be fine if it is a public IP that you own.

Otherwise I'm at a loss.

Author

Commented:
Yes, the file is being copied exactly as it is. I recently did this with a Windows box and GoDaddy so I am sure my technique on the website is good. GoDaddy requires 2048 or better so I can't change that. I am trying to make the certificate for a subdomain such as software.domain.com, maybe that is the issue?

The server's actual inside name is just one word though; I don't know if that matters.
Paranormastic, Cryptographic Engineer

Commented:
If it is for a site in a subdomain it would be for server1.sub.domain.com or for wildcard *.sub.domain.com

software.domain.com would be valid only as a site name.

Either way, that shouldn't affect the CSR submission, but you might not like the cert that you get back.

You are opening with notepad, not wordpad or MS Word, yes?  If not, try notepad - for this stuff it works the best.

You can check your CSR to make sure it turns out right before submitting too:
openssl req -in YourSite.domain.com.csr -text

If it looks (somewhat) readable then it should be good - if it ends up being all on the right with hex on the left that's bad.  A good example for a start to it would be:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=YourState, L=YourCity, CN=Server1.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

Author

Commented:
I was using the edit utility built into WinSCP. But then I tried notepad and get the same problem. When I use your check command I see something very similar to what you typed but it is many pages long. I am going to submit a GoDaddy request and reference this site, I will post back what I find out. Thanks

Author

Commented:
Here is the response I got back from GoDaddy.

1.      cd /usr/bin/ (/your path to openssl/)

      Enter a passphrase when prompted to.

2.      openssl genrsa -des3 -out <name of your certificate>.key 2048


3.      openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr

NOTE: If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.coolexample.com" or "www*.coolexample.com"). This will secure all subdomains of the Common Name.
---------------

On my other server I found a certificate website for Windows that asked me things like the domain names, etc., then it made the syntax command to enter into Exchange, then Exchange made the .csr which GoDaddy took. I am unsure what domain the web server is requesting as it does not ask anywhere. Where it says "note" above I don't know how to enter that information. The server will be accessed internally by IP, and externally on the web by a DNS entry pointing to server.mydomain.com

Could that be my problem?
Cryptographic Engineer
Commented:
>> I am unsure what domain the webserver is requesting as it does not ask anywhere.
on a windows box you can do 'certutil -dump filename.csr' and look at the subject name, or you can use the openssl command I posted earlier.  The output of the CSR will be a couple screens long normally, yes, I just gave the beginning few lines as a correct example output.

>> The server will be accessed internally by IP, and externally on the web by a dns entry pointing to server.mydomain.com
GoDaddy isn't going to like having an internal IP address, last I was aware.  You may need to go to another vendor to use an internal IP address in your cert - you might try Comodo I think they do if memory serves, but don't quote me.  You may be better off using an internally issued certificate if you have your own CA set up and issue that to the internal IP address - since they will be on different IP addresses it is fine to have multiple certs on the same box.  You could also use a self-signed certificate if you do not already have your own CA, however I recommend against using self-signed certificates in production environments - you will need to deploy this as a root certificate via GPO or however you wish within your environment if you choose to do so.

Whatever name you are using to access the server by (in this case, the IP address would be a "name" for internal access) must be contained within the certificate.  For a commercial certificate look for a UC cert (aka multi-domain, SAN) and call to see if the vendor will allow for using internal IP addresses along with a publicly verifiable name.
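The checks Paranormastic describes above (intact PEM armor, a verifying request, a 2048-bit key, and a Common Name that is the public FQDN rather than a one-word internal name) gathered into one script. This is an added example, not code from the thread or from GoDaddy; it assumes the openssl command is installed, and the functions make_csr/check_csr, the subject fields and www.example.com are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: create a 2048-bit key and CSR for a
# public hostname without interactive prompts, then check the CSR for the
# problems raised above before pasting it into GoDaddy's request box.
# Subject values are constructed placeholders. The key is left unencrypted
# so Apache can load it without a passphrase (the -aes256/-des3 keys in the
# thread are passphrase-protected and prompt on every Apache start).
set -e

# make_csr FQDN KEYFILE CSRFILE [BITS]   (BITS defaults to 2048)
make_csr() {
    fqdn="$1"; key="$2"; csr="$3"; bits="${4:-2048}"
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    # Passing -subj avoids the interactive prompts, so the Common Name cannot
    # be left at a default or typed as a bare internal hostname by mistake.
    openssl req -new -sha256 -key "$key" -out "$csr" \
        -subj "/C=US/ST=YourState/L=YourCity/O=Example Org/CN=$fqdn"
}

# check_csr CSRFILE KEYFILE EXPECTED_CN
# Prints "ok" and returns 0 if the CSR passes; otherwise prints the reason and
# returns 1. Checks, in order: the PEM armor is intact (the whole file was
# copied and nothing was mangled by an editor), the request's self-signature
# verifies, the CSR carries the public key of KEYFILE, the key is at least
# 2048 bits (GoDaddy rejected the 1024-bit request), and the Common Name is
# the expected public FQDN rather than a one-word internal name.
check_csr() {
    csr="$1"; key="$2"; want_cn="$3"
    head -n1 "$csr" | grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' \
        || { echo "missing PEM header"; return 1; }
    tail -n1 "$csr" | grep -q -- '-----END CERTIFICATE REQUEST-----' \
        || { echo "missing PEM footer"; return 1; }
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "signature does not verify"; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "CSR does not match $key"; return 1; }
    # OpenSSL 1.1+ prints 'Public-Key: (2048 bit)', 1.0 'Public Key: (2048 bit)'
    bits=$(openssl req -in "$csr" -noout -text \
           | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "CN is '$cn', expected '$want_cn'"; return 1; }
    case "$cn" in *.*) ;; *) echo "CN '$cn' is not a FQDN"; return 1 ;; esac
    echo ok
}
```

Run it as `make_csr www.example.com site.key site.csr && check_csr site.csr site.key www.example.com`; a CSR that prints anything but `ok` is the one GoDaddy will bounce.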

Author

Commented:
I was able to get it. Thanks
Just experienced IDENTICAL issue.

GoDaddy indicates cert must be 2048 instead of 1024 and it will work fine.

Checking with Clearswift to determine if 2048 is good for TLS (their documentation specifically states 1024).
