
Re: [cobalt-users] Moving SSL to Raq3



on 10-4-01 12:32 AM, flash22@xxxxxxx at flash22@xxxxxxx was reported to have
made a statement that said this:

<snip>
>>>> Has anyone successfully moved a current certificate from one server to a
>>>> Raq3 if possible and gotten it to work.

>>> The cert is keyed specifically to the machine it's generated for
>>> and won't work anywhere else.  Wish I had better news for you

I called Verisign on this and they stated that you could move a cert from
apache to apache, he even stated that if you had a win box with apache you
may be able to import that as well.
 
> for the cost of a new cert ;)

I am trying to hold off till the last moment:(
> 
> The real problem here is, you need the private key used to generate the
> certificate signing request data that was sent to the CA to get the
> certificate, the resulting public key (The 'cert') is the public key that
> matches the private key on the server.
> 
> When you move a key to a new server, you need BOTH parts, chances are tho,
> their old isp won't give you that, and the customer doesn't have it
> either, because they never had it, at best they got the CSR.
Well actually I was able to get into their server and grab all the cert
parts:) Their boxes are so insecure you would sh*t. I went to the apache's
cert root and downloaded them. They are in fine condition. You are correct
on what they will give the client. What they sent me was only the cert and
the request. Glad I grabbed them.
> 
> If you do get it, you still need it to match the server type, and the
> server has to support the encryption type used to encode the keys unless
> they are stripped (eg no password is encoded in the private key)
> 
> if you can do all that, you can make it work, but you will have to sneak
> by the raq's interface to stick the private key in, normally you create
> that on the server, in this case you need to use one that already
> exists...
Okay I actually did this. I had the key, the request and the certificate.
They were named www.domain.com.key - www.domain.com.crs - www.domain.com.crt
I put them on the server and moved them to the cert dir for the account's web
root. I then proceeded to rename them per the way Cobalt does. Key, request
and certificate. I reset the chmod to rw -rw -   and made sure they were
root and site#, I was su'd so I could perform this great fun. When I view
the SSL in the site's GUI I see the info filled in proper. I even restarted
apache. Now that I think about it I didn't restart the SSL apache, but that
shouldn't be necessary, should it?? When I go to view the site, I see the self
signed cert I have for the Raq's admin domain. They are on different IP's.
I remember seeing others having trouble getting a cert to be recognized and
wonder if I am missing something?? By all rights it should work. I mean we
are talking about an apache/linux box. I know cobalt is a little bit of a
bully on doing things but, well help!!
> 
> ps: One other gotcha, the CA's require a contact person with the Cert that
> is often set to someone@isp, if you are moving the domain, this changes,
> and technically, you are required to get a new certificate to reflect
> this...(It has no functional significance however, just legal ;)
Well I can understand that. Thing is the client has 5 months left on the
cert so I wanted to hold off a little on this.
> 
> gsh
> 

--
Thank you,
David E Thurman
Web Presence Group
309.676.5688
dthurman@xxxxxxxxxxxxxxxxxxxx
http://www.webpresencegroup.net
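
The thread's point that a moved certificate only works with the private key it was issued for, and that the key must be usable without its passphrase, can be checked on the files before they are installed. The script below is an added example, not part of the original messages and not Cobalt's tooling; it assumes the openssl command-line tool is available, and the file names and function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a migrated key / CSR / certificate set belongs together.

# True if the PEM private key is passphrase-protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the SHA-256 of the public key inside a PEM file. $1 = key|csr|crt, $2 = file.
pubkey_digest() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   pem= ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = key, $2 = CSR, $3 = certificate.
# Returns 0 = all match, 1 = mismatch, 2 = key still encrypted, 3 = unreadable file.
check_triple() {
    if key_is_encrypted "$1"; then
        echo "key is passphrase-protected; strip or supply the passphrase first"
        return 2
    fi
    k=$(pubkey_digest key "$1") || { echo "cannot parse key: $1"; return 3; }
    r=$(pubkey_digest csr "$2") || { echo "cannot parse CSR: $2"; return 3; }
    c=$(pubkey_digest crt "$3") || { echo "cannot parse certificate: $3"; return 3; }
    [ "$k" = "$c" ] || { echo "MISMATCH: certificate was not issued for this key"; return 1; }
    [ "$k" = "$r" ] || { echo "MISMATCH: CSR was not generated from this key"; return 1; }
    echo "OK: key, CSR and certificate share public key $k"
}

# Constructed sample material for trying the check offline: a throwaway key, CSR,
# self-signed certificate, an unrelated key and an encrypted copy, written to dir $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
    openssl req -new -key "$1/site.key" -subj "/CN=www.example.test" \
        -out "$1/site.csr" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl pkey -in "$1/site.key" -aes256 -passout pass:constructed \
        -out "$1/locked.key" 2>/dev/null
}

# Usage: sh check.sh site.key site.csr site.crt
if [ "$#" -eq 3 ]; then check_triple "$@"; fi
```

A matching set only shows the files are right; which certificate a given IP address actually serves is decided by the web server's configuration for that virtual host.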