Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to generate a CSR using OpenSSL?

Posted on 2014-01-14
10
Medium Priority
?
1,070 Views
Last Modified: 2014-01-18
Good evening,

We have an appliance for a product called StorageCraft called ShadowControl CMD. It's responsible for monitoring the status of our backups and is running Ubuntu. Every time we log into the browser interface the check the status of the backups we are told that the certificate is not from a trusted source. Whenever I have requested a certificate for a server such as this the process has been pretty straight forward when generating the CSR - but not in this case. I searched the entire appliance interface and only found a section under "Security" that allows us to upload a certificate, but I can't get a certificate through a service like GoDaddy without a CSR.

I opened a support request with their support and got the following response:

"Hello,
You would use some other server at that site to run openSSL to generate all of your needed information.  Then you just upload the resulting files to the appliance. There isn't anything you would need from the server itself.
Thank you,"


I have no idea where to start and would be grateful if anybody reading this post can provide any guidance.

Thank you in advance!
0
Comment
Question by:Poly11
  • 5
  • 4
10 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39781163
On the server generate a key
openssl genrsa -des3 -out <keyfile_name>.key 2048
(enter passphrase when asked)

Then you can generate a CSR
openssl req -new -key <keyfile_name>.key -out <certificate_name>.csr
(enter the info at the various prompts)

Remove the passphrase from the key
cp <keyfile_name>.key <keyfile_name>.key.old
openssl rsa -in <keyfile_name>.key.old -out <keyfile_name>.key


Change the relevant file names above as you see fit.

Now goto whoever you use for SSL certs and give them the CSR file and you will get the SSL cert (and chain if necessary) to install on the server.

https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04/

edit.
This is through a shell window.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39782056
if it allows you to upload a PFX (aka pkcs #12 file) then you may find it easier to request a CSR via the xca tool - its the gui swiss army knife of SSL certificates, and much easier to get up and running than the command line openssl tool.
0
 

Author Comment

by:Poly11
ID: 39782349
Thank you all for your posts. I will reply back once I have access to the server. This appliance was built with a pre-configured Ubuntu installation and we do not have access to the server. We only have access to the application that automatically starts up when it's powered-on.

I've tried the default "Ubuntu" user name with no password and had no luck. I have reached out to StorageCraft to see how we should be able to access the server. Once I have this info I will try your recommendations.

Thanks again.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 33

Expert Comment

by:Dave Howe
ID: 39782370
you can build the CSR with either openssl or xca without having access to the server, but you *do* need to verify if you can upload a secret key, or if you have to generate against a secret key already created on the server.
0
 

Author Comment

by:Poly11
ID: 39782771
Hi DaveHowe,

Thanks for the response, but I have no clue how to use openssl and Google searches produced little for me. Maybe I'm an idiot (which is the case here when it comes to issues like this) or I'm just not searching for the right items.

If you have a link that explains the process you describe that would be awesome.

Thx
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39782807
Well, I would suggest you use the XCA tool I linked earlier instead - there is a manual here but the TLDR version is..
1) install, select "new" to create a new keystore and set a password;

2) go to the CSR tab and select new request;

3) on the source tab, select the https_server template from the pulldown

4) on the subject tab, enter the details for the certificate (common name is the address of the server) and use the "Generate key" button to create a key (2048 bit)

5) hit OK, right click your new CSR, and export >> clipboard

6) paste into the CA page when prompted
0
 

Author Comment

by:Poly11
ID: 39782826
Thanks, but is there any way I can remove the passphrase? The cert cannot have a passphrase with the appliance.
0
 

Author Comment

by:Poly11
ID: 39782849
OK, I tried this without entering a password and pasted the CSR and get this:

Invalid CSR submitted. Please re-create your CSR and submit your request again.

I'll investigate further and post back later. Thank you again.
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 39782872
the passphrase is only used for the keystore - its to protect it as the secret key is quite valuable. however, while the certificate (which is what you get BACK from the CA when you send a CSR) will not have a password, the secret key often does; you can export that separately from the XCA keystore, with or without a password (although pfx files always have a password if you export one of those)

XCA is a full featured CA in its own right - useful if you need that, but if all you need is to generate a few CSRs, it can do that too :)

For the CSR fault, try pasting it here:

http://www.sslshopper.com/csr-decoder.html
0
 

Author Closing Comment

by:Poly11
ID: 39790753
Thank you!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month8 days, 15 hours left to enroll

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question