openssl SSL certificates

 In Amazon AWS

Configuring SSL with openssl commands

This article shows how to use openssl to create the necessary SSL .key and .csr files for your domain.

You would then purchase a Comodo or Sectigo (or your preferred) certificate and paste the .csr contents into the form when creating the certificate, or, if using someone like Crazy Domains, upload the two files for them to install for you.

This article shows use of a domain and a subdomain, assuming www. will take care of itself in the Amazon Route 53 and .htaccess file configurations.


Important Changes - 2023

Important Updates January 2023

Simply use the command below to generate a CSR file for Comodo, then you cut and paste the content onto the Comodo site (after you have paid for the certificate though).
Comodo then sends you the .key file to use, even though the command below generates a .key file.

openssl req -new -key mydomain.key -out mydomain.csr
[mydomain.key must already exist: -key reads a private key, it does not create one (the san.cnf method further below generates one with -keyout). Give details, e.g.:]
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Queensland
Locality Name (eg, city) [Default City]:Brisbane
Organization Name (eg, company) [Default Company Ltd]:My_Name or My_Company
Organizational Unit Name (eg, section) []:IT (as an example)
Common Name (eg, your name or your server's hostname) []:mydomain.com
Email Address []:admin@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[leave these two blank]

Then use this command to verify. You will see it uses SHA512 instead of the old SHA1:

openssl req -noout -text -in mydomain.csr

You would cut and paste the raw text data from this file to Comodo (or Sectigo).

I usually use a naming convention of mydomain_com.csr or mydomain_au and so forth rather than mydomain.

Comodo sends you (usually) a .crt file and a bundle file. Copy the .crt file so you keep the original. Then append the bundle to the .crt file in an editor. Upload that combined file and the Comodo .key file to your server, place them in /etc/pki/tls/certs and /etc/pki/tls/private respectively, and reference them in the ssl.conf file.

IMPORTANT: SECTIGO (and Comodo) policy now requires you add this to the DNS CAA records before you try to register the SSL certificate:

0 issue "sectigo.com"

My full entries currently are:

0 issue "sectigo.com"
0 issue "comodoca.com"
0 issue "comodo.com"
0 issue "usertrust.com"
0 issue "trust-provider.com"
0 issue "amazon.com"
0 issue "amazontrust.com"
0 issue "awstrust.com"
0 issue "amazonaws.com"
0 issuewild ";"

Create multi-domain Positive DV certificate .key and .csr files for use with Crazy Domains from the Comodo Store.
(The same should apply for others like Sectigo etc.)

We are doing this so that we do not incur the high annual fee from Crazy Domains. As with all certificates, we have to repeat the following process each year.
It makes sense that Crazy Domains charges more money if we use their system, as they have to do all this work behind the scenes.

We use the Positive SSL as the lowest cost certificate. As we cannot use Let’s Encrypt with Crazy Domains, we have to purchase an SSL certificate.

Why can't we use Let's Encrypt? Several reasons: Certbot needs an installation and the ability to complete a challenge, and we need crontab to execute a Linux shell script to renew (which is not available in Crazy Domains entry-level systems). There may be other roadblocks involved.

This example uses one subdomain. Comodo states we need to supply entries for www, as shown in the example further below.
(A single domain name in Comodo would generate the www entry for us.)

Once a certificate package is generated, we cannot modify it, such as wanting to add another subdomain. We should know up front what we will be using. If there may be changes in the future, it is best to purchase a 1 yr certificate without renewal.

In Crazy Domains, create in public_html a file called san.cnf:

Here is the generic configuration from IBM:
Reference: https://www.ibm.com/docs/en/qsip/7.4?topic=sc-creating-multi-domain-san-ssl-certificate-signing-request

[ req ]
default_bits            = 2048  # RSA key size
encrypt_key             = no  # Protect private key
default_md              = sha256  # MD to use
utf8                    = yes  # Input is UTF-8
string_mask             = utf8only  # Emit UTF-8 strings
prompt                  = no  # Prompt for DN
distinguished_name      = server_dn  # DN template
req_extensions          = server_reqext  # Desired extensions

[ server_dn ]
countryName             = <country_or_region_code>  # ISO 3166
stateOrProvinceName     = <state_or_province>
localityName            = <city_or_locality>
organizationName        = <organization_name>
organizationalUnitName  = <organizational_unit_name>
commonName              = <common_name>  # Should match a SAN under alt_names

[ server_reqext ]
basicConstraints        = CA:FALSE
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[alt_names]
DNS.1			= qradar.example.com  #Example
DNS.2			= console.example.com  #Example
IP.3			 = 192.0.2.0  #Example

Here is an example using the hypothetical domain fantasticfood.com and a subdomain members.fantasticfood.com (use your own names)
This example also uses some other dummy values – AU for Australia, Ascot as the suburb/city/locality information, a dummy organisation name.
Note that it is usual to put “IT” as the Unit name.

[ req ]
default_bits            = 2048
encrypt_key             = no 
default_md              = sha256
utf8                    = yes 
string_mask             = utf8only
prompt                  = no 
distinguished_name      = server_dn
req_extensions          = server_reqext

[ server_dn ]
countryName             = AU
stateOrProvinceName     = Queensland
localityName            = Ascot
organizationName        = Our Fantastic Food Company
organizationalUnitName  = IT 
commonName              = fantasticfood.com

[ server_reqext ]
basicConstraints        = CA:FALSE
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[alt_names]
DNS.1			= www.fantasticfood.com 
DNS.2			= members.fantasticfood.com
DNS.3			= www.members.fantasticfood.com

Once you have created the configuration file (it can have any name) you would normally type "openssl" followed by the subcommand in Linux, but on Crazy Domains we can simply run "openssl" once and then type the subcommands at its prompt without prefacing each with "openssl".

(Naming convention can be anything, but we use domain_com or domain_com_au etc.)

At your SSH login prompt, type: openssl

OPENSSL> req -new -nodes -sha256 -out fantasticfood_com.csr -config san.cnf -keyout fantasticfood_com.key

Check the CSR file:

OPENSSL> req -noout -text -in fantasticfood_com.csr

Check the .key file (the name must match the -keyout file from the req command above):

OPENSSL> rsa -in fantasticfood_com.key -check
OPENSSL> quit
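As an added example (not part of the original article), here is a POSIX shell script that runs the same req command non-interactively against a san.cnf for the hypothetical fantasticfood.com, then checks the CSR the way you should before pasting it into the CA's form: the CSR's self-signature verifies, the public key inside it is the one from the .key file you will keep, and every SAN you expect is present. The scratch directory and the two-name SAN list are assumptions.

```shell
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: a scratch directory we can write to
CSR="$WORK/fantasticfood_com.csr"
KEY="$WORK/fantasticfood_com.key"

# Writes a minimal san.cnf for the constructed example domain and subdomain.
write_san_cnf() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits           = 2048
encrypt_key            = no
default_md             = sha256
prompt                 = no
distinguished_name     = server_dn
req_extensions         = server_reqext
[ server_dn ]
countryName            = AU
stateOrProvinceName    = Queensland
localityName           = Ascot
organizationName       = Our Fantastic Food Company
organizationalUnitName = IT
commonName             = fantasticfood.com
[ server_reqext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
[alt_names]
DNS.1 = fantasticfood.com
DNS.2 = members.fantasticfood.com
EOF
}

# The same req line as the OPENSSL> session above, run non-interactively.
make_csr() {
  write_san_cnf
  openssl req -new -nodes -sha256 -config "$WORK/san.cnf" -keyout "$KEY" -out "$CSR" 2>/dev/null
}

# Returns 0 only if the CSR verifies, its public key matches our .key file,
# and every DNS name given as an argument appears as a SAN; returns 1 otherwise.
check_csr() {
  openssl req -noout -verify -in "$CSR" >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  csr_pub=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$csr_pub" ] || return 1
  sans=$(openssl req -in "$CSR" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qx "DNS:$name" || return 1
  done
}
```

Running make_csr and then check_csr fantasticfood.com members.fantasticfood.com returns 0 for a good CSR and 1 if a name is missing, which catches a forgotten subdomain before you pay for a certificate that cannot be changed afterwards.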

Now put the .csr and .key files into your FTP directory and download them to your PC so you can use them.

The .csr content goes into the Comodo Store SSL generation page. You select the Apache option. Make sure you already have a working e-mail address at the domain, usually called administrator@. For example, administrator@fantasticfood.com

When you receive the Comodo package and confirm the SSL via the link they give you, you forward the .key file that you created, and the SSL package files from Comodo, to:

SSL@crazydomains.com

You ask them to install it to your account, giving a little information such as the account name and the domains involved. To verify it is you, I'd include administrator@ in the cc e-mail list.
If there is an issue, you could ensure the package and your generated files are in a particular FTP directory which you can point the Crazy Domains SSL team to.

In a year's time, you do all this again. If you have, say, a three-year fee, you would not need to redo the .key and .csr files; simply forward the renewed package to Crazy Domains, of course letting them know it was a renewal from your 3-year plan, so there should be no need for a new .key file.

In this “fantastic” domain example, a Positive DV Multi-Domain certificate would cost more as it shows the www. entries. I would stick to the domain name and the subdomain names, rather than adding www.

If no subdomains, you omit that part.

Whilst the openssl commands have been tested and verified, using them with Comodo is still in progress.
