Forum Discussion
CirrostratusImport cert/key together to prevent mismatching
Cirrocumulus- Is this a device cert or a site cert?
- Was the cert generated via the GUI or via the CLI using openssl commands?
- Is it a self-signed cert or is it from an SSL cert provider?
- Does the key have a password? If the CSR was done via the GUI, I believe the key isn't encrypted and thus no password required.
This info should help with answering your question.
Thanks!
CirrostratusThe cert is being exported from one device imported to another. There is no CSR here, just exporting and importing.
I resolved it. I used openssll to combine the .key and .crt file to a .pfx file. Then used the .pfx file to import, at the other datacenter, over-writing the existing cert in place.
- Fallout1984
Ah, okay. Good. I normally use openssl commands when creating certs, more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.
Another thing I started doing as part of my cert creation routine was verify the hash of the CSR and the key match before I export it for the cert request:
Example:
Generate hash for the private key:
openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum
Generate hash for the csr:
openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum
