How to Import a Certificate for SSL?

  • I decided to do a StartSSL certificate to see if it might solve Owncloud/iOS connection issues and have discovered that I have no clue how to import it. I've tried various things, based on my self-signed cert's details, and I've looked about on the forums and tried a few more -- everything fails.


    Any ideas?


    Please don't be offended if I don't respond right away. Wayyyyy past my bed time. Going to sleep. :)

    Seagate GoFlex Home running Debian Wheezy w/ 3.15kernel | Openmediavault Kralizec | Playing with ownCloud 7 and avoiding mySQL 5.5 like the bloody plague :|

  • Generate the Cert on your system and let the public cert be signed by StartSSL instead. Getting a cert from StartSSL is a security risk. ;) Though it may be really small.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • Thanks -- but I'm not entirely clear on what you mean. I have a self-signed cert already. Are you saying to replace the signature key with the one from open SSL? It came with three, I think.


    On the other note, are they more of a risk than the self-signed variety? I have no issue with self-signed, but am using the "official" key to troubleshoot my Owncloud to iOS connection issues.


    EDIT:
    I should mention that, while I am in possession of the certificate and the private key and what have you, the information is in raw text and hexadecimal form, not the encrypted text I am guessing I would need for the three boxes provided me when I try to import or when I view the details of my self-signed certificate. Anything I try produces this error:



  • I was just mentioning this because we had some discussions about that internally that SSL Certs generated by CAs like StartSSL can be a security risk because the Cert was in foreign hands.


    Normally you generate an SSL cert on your machine and then do a CSR with your CA (StartSSL) and let them sign your public key. But you should be fine with a Cert generated by StartSSL too.


    About importing your cert, you can edit your cert via the webinterface and copy it in manually.


    Greetings
    David

  • Ah I see.


    I did try to edit it but, as I said, it won't take what I put in. All I have is the actual words+hex signature text, not the encrypted key and cert. And they always output an error. The most recent attempt put the error on the end line instead of the beginning, so I guess that's progress -- but I honestly have no clue what should be put in each field and under what format.


  • If you're interested I could take a look via Teamviewer.


    Greetings
    David

  • That might work. I'll get back to you on that asap. I've managed to figure the certificate formatting issue by importing the certificate into my laptop at /usr/local/share/ca-certificates and running update-certificates, then opening it and copy-pasting the content into the OMV edit dialogue.


    I'm trying to figure the private key now, but I don't appear to have a private key file...


  • Not many people are buying certs. I've been meaning to spend some time on this. I probably will in the next couple months. There is a member named fergbrain, or something like that, that is doing it. You might want to contact him and see if he will lend a hand. I know he is using StartSSL certs too.

  • 8o SUCCESS!!!!! 8o


    It took me a bit to wade through, but I finally figured out how to convert my .p12 file into a .pem file with openSSL and then import it into my laptop (Ubuntu) and update the certificates. This allowed me to then navigate to the file and cat it so that I could copy the encrypted gobbledygook and paste in both the private key and the certificate (and the comments) in the import fields. It took a few tries with the certificates, as there were three in the file, and only ONE worked with the private key without mismatch errors.


    Basic steps:

    1. Back up the certificate from Firefox and save it -- should be a .p12 file
    2. Open a terminal and use OpenSSL to convert the file to a .pem (I had to do this to get the encrypted strings -- .p12 always gave me hex, which didn't work, and I couldn't import the p12 to my system due to unknowingness :| )
       • openssl pkcs12 -in /home/path/mycert.p12 -out mycert1.pem -nodes
    3. Navigate to your updateable and friendly certs folder, then copy the new .pem file to it
       • cd /usr/local/share/ca-certificates
       • cp /home/path/mycert1.pem mycert1.pem
       • update-ca-certificates (actually type this as a command and enter)
    4. As you are already in the right folder, just open the file with cat mycert1.pem
    5. Click Add and then Import in the OMV certificates interface and then copy and paste as needed until it works

    *Note: the Comments field is where you put the relevant personal data like name, company, yadda. It formats something like this:


    Code
    Bag Attributes
        friendlyName: StartCom Certification Authority
    subject=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority


    I'm certain there is an easier way to do this, but this is what I gleaned from various tutorials when no Private Key file shipped with my cert. Next: to see if it actually makes any difference whatsoever to the ownCloud iOS app... :rolleyes:


    Thanks for your comments and such, @davidh2k and @tekkbebe !


  • Glad to give back a bit. :)


  • I tried to follow these instructions, but I seem to have done something incorrectly. When I ran the update-ca-certificates command, it didn't update my certificates:


    Code
    # update-ca-certificates
    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.



    Step 4. was okay, but just displayed the file.
    Step 5a. was initially problematic because my keyboard doesn't have a "click" key, so I figured at this point I was supposed to use the web GUI. And a bit of searching led me to "Certificates" which I found under the "System" heading.


    Step 5b. Cut and paste until it works. What? There seem to be four sections in the PEM file, and I have no idea what's supposed to go where .. well, except that the PK is supposed to go into the "Private Key" section, but I've tried all sorts of combinations, and all I get from the interface is "error this" and "error that." I think I need an example here - there are just too many possible ways to do this wrong, and I've tried a LOT of them!
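
Added example, not part of any post in this thread: the "which section goes where" question above and the "only ONE worked with the private key" remark in the steps both come down to separating the blocks of the `-nodes` PEM file and finding the certificate whose public key matches the private key. The function names and output file names below are made up for illustration; the script assumes the `openssl` command-line tool and an unencrypted key, as produced by the `openssl pkcs12 ... -nodes` command in the steps.

```shell
#!/usr/bin/env bash
# Added example: function and file names here are illustrative only.

# split_pem BUNDLE OUTDIR: write OUTDIR/key.pem and OUTDIR/cert-N.pem,
# dropping the "Bag Attributes" / subject= / issuer= lines between blocks.
split_pem() {
  (
    umask 077   # key.pem is an unencrypted private key (-nodes)
    mkdir -p "$2"
    awk -v out="$2" '
      /^-----BEGIN .*PRIVATE KEY-----/ { f = out "/key.pem" }
      /^-----BEGIN CERTIFICATE-----/   { f = out "/cert-" (++n) ".pem" }
      f                                { print > f }
      /^-----END /                     { close(f); f = "" }
    ' "$1"
  )
}

# pubkey key|cert FILE: print the public key in PEM form.
pubkey() {
  case $1 in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# matching_cert OUTDIR: print the certificate whose public key is the one
# derived from key.pem; exit status 1 means no certificate matches.
matching_cert() {
  local want c
  want=$(pubkey key "$1/key.pem")
  [ -n "$want" ] || return 1
  for c in "$1"/cert-*.pem; do
    if [ "$(pubkey cert "$c")" = "$want" ]; then echo "$c"; return 0; fi
  done
  return 1
}

# Usage: ./pem-match.sh mycert1.pem ./split
if [ "$#" -eq 2 ]; then split_pem "$1" "$2" && matching_cert "$2"; fi
```

The file it prints is the certificate that pairs with `key.pem`; the remaining `cert-N.pem` files are the other certificates that were in the bundle. Nothing here touches the system CA directory or `update-ca-certificates`.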

  • I'm in the process of trying to get my newly purchased SSL cert installed and I have some questions.


    Do I follow Namecheap's nginx installation instructions?


    My certs came as .crt and ca-bundle, and I'm following these instructions:
    https://www.namecheap.com/supp…article.aspx/9419/0/nginx


    Shall I proceed as step 3 says, or is there some other way?


    How can I install the cert for omv AND import in omv to use for other plugins too?


    Can someone shed some light???


    Thanx in advance!

  • Ok, did it.
    Was fast to ask before I tried.


    Had to


    #cat my-domain.crt my-domain.ca-bundle >> cert_chain.crt


    Then copy and paste from cert_chain.crt and my-domain.key
    straight in the certification gui -> SSL -> Import...


    And voila! It worked.


    * do I have to manually add the cert for subsonic or syncthing, or does it work automatically?
    ** is there a way to use https with this cert for transmission-webgui?
