We have often come across a situation where we had to upload the wildcard certificate on the SmartZone controller. The reason, we do not want to get:
However, we run into issues while uploading the certificate on the controller like:
Hence, I will be guiding you with the step-by-step procedure of correctly uploading a certificate on the controller. In this guide, I will be talking about the steps of how to upload an SSL certificate and Wildcard certificate.
Following are some key points regarding the certificate:
Once the certificate is signed by a valid Certificate Authority like GoDaddy, Comodo, Verisign, Digicert, etc. you will receive a certificate bundle in .pfx format, for example:
And if it is an SSL certificate it would look like below:
STEPS TO UPLOAD THE WILDCARD FILE:
The easier way to extract the server certificate and private key from .pfx format bundle is to use the Open SSL tool. Below is the link to download the OpenSSL tool:
Place the pfx file into the OpenSSL's bin folder, and run the cmd using admin rights. example: cd CC:\OpenSSL-Win32\bin
Now run the below commands:
openssl pkcs12 -in WildCardCert.pfx -clcerts -nokeys -out Certificate.cer
openssl pkcs12 -in WildCardCert.pfx -nocerts -nodes -out private.key
1. Here is the certificate extension we are keeping as .cer and private key extension as .key format.
2. In the above, "WildCardCert.pfx" is the pfx cert you have with you. "Certificate.cer" is the file name for the cert exerted from pfx to .cer. And "private.key" is the private key.
3. It will ask for a password after each command to decrypt the certificate and private key. This password you would have created while generating the certificate. If no password was created and even if it prompts for a password, then just hit enter.
Once you have the cert in .cer format, open the WildCardCert.cer file and it will look like below:
You must extract the server, root, and intermediate certificate as shown above and import them all to vSZ in the correct sequence. For this task, you can use a windows machine.
To extract the Server Certificate, follow the below steps:
Open the Server Certificate file WildCardCert.cer. Navigate to Details and click on “Copy to File”
Click on Next.
Select Base-64 encoding (.CER) and click on Next.
Browse, where you want to save the file and click on Next.
Click on “Finish” and it would show “The export was successful”
Then, follow the below steps to export the intermediate cert:
Click on Intermediate Certificate and then click on View Certificate
Click on Copy to File and follow the same steps as you followed for the Server certificate.
Follow the same steps to extract the Root Certificate. Make sure all the certificates that we are extracting should be exported with the Base encoding of 64.
After you have all the certs (server, intermediate, and root). Then, navigate to the Controller’s System > Certificate > SZ as a server certificate > Import the respective files.
Upload the private.key and make sure NOT to use the key encryption password, as during the initial Open SSL commands you used the password to decrypt the certificate and key.
Then, click on Validate, it would show like below if the private key and certificates are correct and matching.
Map the “Test” certificate to the respective service:
NOTE: Once you click on OK, the controller services would be impacted for 30 minutes. Hence, it is always good to perform this activity during maintenance hours. Also, collect cluster backup prior to applying the certificate in the service. In case anything goes haywire, then we can revert to the previous configuration by restoring the backup.
STEPS TO UPLOAD THE SSL CERTIFICATE:
Once you open the file 511a3f836612e8b5.crt
It would show up like below:
Then follow the same steps as shown above to extract the server, root, and intermediate certificate. This time while uploading the SSL certificate on the controller you will need to add the Key passphrase if you have one. If not, you can keep it blank. Once the certificate is validated, apply it to the respective service.
I'm on 126.96.36.199.317 and it says that "private key and certificate are not matched". I have verified with openssl the cert and private key are matched. I also use them in other systems just fine. Here is the command I use to generate the private key, and the wildcard cert is in Base-64 encoded X.509 (PEM format)
openssl genrsa -aes256 -out private.key 2048