Wildcard Certificate


Hi all – I am trying to figure out how to add a wildcard certificate given to me for a CentOS installation. I have a script that sets up HTTPS so I
am a little familiar with things – but they provided me two files:
name_ee.crt
name_i1.crt

I’m not sure how to apply that to the /etc/httpd/conf.d/ssl.conf file?
Anyone done that before ?

My initial searches were not helpful. Thanks,

Jerry

8 thoughts on - Wildcard Certificate

  • And where’s the private key?

    Can you post the lines in the files that start with five (or so) dashes ("-")?

  • They are all just -----BEGIN CERTIFICATE----- and everything else is encrypted of course.

    They did not give a private key – I presumed with a wildcard it was not needed? Again - never done this so just guessing.

    Thanks

    Jerry

  • Hi Jerry,

    One is the public SSL certificate file itself and the other is probably the intermediate CA file. You also need the private key from whoever created the CSR for your wildcard certificate to be validated. Without the private key, the wildcard certificate is worthless.

    For Apache in /etc/httpd/conf.d/ssl.conf … it would look something like this:

        SSLCertificateFile /path/to/name_ee.crt
        SSLCertificateKeyFile /path/to/privatekey.key
        SSLCertificateChainFile /path/to/name_i1.crt

    Scott

  • No, it’s not.

    You can look at it with

    openssl x509 -text -in file.crt -noout

    No. The certificate itself is what gets sent to every browser. It’s not secret or encrypted.

    You need a certificate, the corresponding private key and in almost all instances the intermediate certificate (or certificates, depending on how many sub-CAs below the Root-CA it was issued from).

    Normally (well, for certain definitions of normal), you generate the private key yourself and generate a CSR, a certificate signing request from that key. The key is just 2048 bytes of random data.

    The CSR is what gets signed by the CA’s private key and contains all the information in the certificate that you can view by clicking on the lock icon in the browser.

    I usually do this like below

    bla=the_domain.toplevel
    openssl req -newkey rsa:2048 -nodes -out $bla.csr -keyout $bla.key -sha256

    (for wildcard, I usually call the files "star.domain.toplevel")

    And then you can send the CSR to whoever has it signed, or in our case, I log into my managed PKI console and submit it myself for my supervisor to confirm it and then I download the certificate.

    This is done because the private key should in theory never leave the system it was generated on, to ensure its secrecy.

    Sending a private key by email is NOT secure.
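As an added example (not code from this thread, nor from any poster), the script below does two things the replies above describe: it builds a private key plus CSR for a wildcard name the way the previous reply sketches, and it checks, before the paths go into Scott's SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile lines, that the private key really belongs to the leaf certificate, that the intermediate really issued it, and that the chain validates with and without the intermediate. Only the openssl command line is used. The domain `example.test`, the file names (`star.*`, `int.*`, `root.*`, `other.key`) and the subjects are placeholders; the throwaway root and intermediate are constructed so the checks can be run offline.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-deployment checks for the three
# files Apache's ssl.conf will reference (leaf cert, private key, intermediate),
# plus the key + CSR step for a wildcard name.  Only the openssl CLI is used and
# every function returns 0 on success.  Domain, paths and subjects are placeholders.

# Create a private key and a CSR for *.DOMAIN with a matching subjectAltName.
# The SAN is supplied through a small config file so this also works on OpenSSL
# releases that lack -addext.  Only the .csr is sent to the CA; the key stays here.
make_wildcard_csr() {
    domain=$1; keyfile=$2; csrfile=$3
    cfg=$(mktemp) || return 1
    printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n[dn]\nCN=*.%s\n[ext]\nsubjectAltName=DNS:*.%s,DNS:%s\n' \
        "$domain" "$domain" "$domain" >"$cfg"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$keyfile" -out "$csrfile" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Names a CSR asks for (subject and SAN entries): check them before submitting.
csr_names() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -E 'Subject:|DNS:'
}

# Does the private key belong to the certificate?  Compare the public key inside
# the certificate with the public key derived from the private key.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Is file 2 the issuer of file 1?  The leaf's issuer DN must equal the
# intermediate's subject DN (RFC2253 form, prefix and spacing stripped).
issued_by() {
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//')
    s=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//')
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# Full path validation: leaf, with the intermediate as untrusted input, against a
# trusted root.  This is what a browser does with the chain Apache sends it.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Constructed test material: throwaway root -> intermediate -> wildcard leaf,
# plus an unrelated key.  None of this is the poster's PKI.
make_test_pki() {
    pki=$1
    mkdir -p "$pki" || return 1
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$pki/ca.ext"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' >"$pki/leaf.ext"
    {
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Root' \
            -keyout "$pki/root.key" -out "$pki/root.csr" &&
        openssl x509 -req -sha256 -days 3 -in "$pki/root.csr" -signkey "$pki/root.key" \
            -extfile "$pki/ca.ext" -out "$pki/root.crt" &&
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Intermediate' \
            -keyout "$pki/int.key" -out "$pki/int.csr" &&
        openssl x509 -req -sha256 -days 3 -in "$pki/int.csr" -CA "$pki/root.crt" \
            -CAkey "$pki/root.key" -CAcreateserial -extfile "$pki/ca.ext" -out "$pki/int.crt" &&
        make_wildcard_csr example.test "$pki/star.key" "$pki/star.csr" &&
        openssl x509 -req -sha256 -days 3 -in "$pki/star.csr" -CA "$pki/int.crt" \
            -CAkey "$pki/int.key" -CAcreateserial -extfile "$pki/leaf.ext" -out "$pki/star.crt" &&
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$pki/other.key"
    } >/dev/null 2>&1
}

# Walk through the checks on the constructed material and report each result.
demo() {
    pki=$(mktemp -d) || return 1
    make_test_pki "$pki" || { echo "could not build test PKI"; return 1; }
    csr_names "$pki/star.csr"
    cert_key_match "$pki/star.crt" "$pki/star.key"  && echo "own key matches leaf"
    cert_key_match "$pki/star.crt" "$pki/other.key" || echo "foreign key rejected"
    issued_by "$pki/star.crt" "$pki/int.crt"        && echo "leaf was issued by the intermediate"
    chain_verifies "$pki/star.crt" "$pki/int.crt" "$pki/root.crt"  && echo "chain verifies with the intermediate"
    chain_verifies "$pki/star.crt" "$pki/root.crt" "$pki/root.crt" || echo "chain fails without the intermediate"
    rm -rf "$pki"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check-wildcard.sh demo` to see the constructed case; on a real host you would source the file and call `cert_key_match name_ee.crt privatekey.key`, `issued_by name_ee.crt name_i1.crt` and `chain_verifies name_ee.crt name_i1.crt /etc/pki/tls/certs/ca-bundle.crt` with the files the provider sent. The last check is the one that shows why the intermediate matters: with only the leaf and the root, validation fails exactly as it would in a visitor's browser.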

  • You’ve already got the cert so it’s not totally relevant, but in the future you can consider using Let’s Encrypt. They won’t distribute wildcard certs but unless you have lots of subdomains you can simply request a cert for every domain you need.

    LE has packages for CentOS which can plug in to Apache automatically, so configuration is quite straightforward.

    –keith

  • AFAIK, it’s only available with the DNS challenge.

    You must have authority over your DNS and use one of the supported providers (or build your own).