Obtaining CSR file for SSL in AWS Windows Instance


Problem description


I need to obtain a CSR to complete an order for SSL with godaddy.com. I have Windows 2012 running in an Amazon AWS instance. The server is Express.js.

The domain is pointed to that instance's IP, and all works fine.

I suppose I have to create that key from the console or something similar. The issue here is I have never done that, and I do not have room for mistakes at all.

How would I go about it?

Solution

I need to obtain a CSR... How would I go about it [creating a CSR]?

Since you are on Windows, I would download and install Shining Light's Win32 OpenSSL. It's a prebuilt OpenSSL for the Windows platform.

Then, I would issue the following command. It creates a new key, and it generates the signing request in one fell swoop:

openssl req -config example-com.conf -new -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.req.pem

Notice there is a configuration file: example-com.conf. The configuration file allows you to do things like set the Common Name and set the Subject Alternate Names. You can find that configuration file at Certificate with Extended Key Usage only works in Firefox (http://stackoverflow.com/questions/25259867/certificate-with-extended-key-usage-only-works-in-firefox).

After generating the CSR, submit example-com.req.pem for signing.

Note: you may not get everything you put in your CSR. It's up to the CA to verify the information, adjust your request, and then issue the certificate. For example, if you mark CA:true, then your CSR will probably be modified or declined because the CA does not want you minting certificates.

If your AWS instance is a Windows image, then you will need to create a PFX and import it into the appropriate trust store. Here's how you create the PFX.

What you have:

  • example-com.cert.pem (Signed certificate, PEM encoded)
  • example-com.key.pem (Private key, PEM encoded)
  • ca-intermediate-cert.pem (Subordinate CA, PEM encoded)

What you don't need:

  • example-com.req.pem (the CSR, since you have a signed cert)
  • ca-root-cert.pem (the Root CA certificate)

You need ca-intermediate-cert.pem because the server must send it with the server's certificate. Sending all required intermediate certificates avoids the "which directory" problem. It's a well-known problem in PKI, and it means a client does not know where to look for a missing intermediate certificate (should they go to Verisign, or should they go to Digicert, etc). However, you don't send ca-root-cert.pem because the client must already have it and trust it.

First, concatenate the certificates:

cat example-com.cert.pem > example-com.chain.pem
cat ca-intermediate-cert.pem >> example-com.chain.pem

Second, create the PFX given the chain and the key:

openssl pkcs12 -export -in example-com.chain.pem -inkey example-com.key.pem \
    -nodes -out example-com.chain.p12

Third, install it in a trust store. See, for example, Import a Server Certificate (IIS 7) at MSDN.

Amazon probably has similar instructions somewhere.
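
A pre-submission check for the CSR step in the answer above, as an added example that is not part of the original answer. It writes a minimal request config, generates the key and CSR with the answer's `openssl req` command (without `-days`), and then confirms that the CSR signature verifies, that it matches the private key, that it does not ask for CA:TRUE, and that it carries the expected DNS names. Assumptions: a POSIX shell with `openssl` on the PATH; the names example.com and www.example.com and the config contents are constructed, not the linked configuration file.

```shell
#!/bin/sh
# Added example. example.com / www.example.com are constructed names; file
# names follow the answer's example-com.* convention.

# make_csr DIR: write a minimal request config, then create key + CSR in DIR.
make_csr() {
    dir=$1
    cat > "$dir/example-com.conf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = subject
req_extensions     = req_ext

[ subject ]
countryName = US
commonName  = example.com

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:example.com, DNS:www.example.com
EOF
    # umask 077 keeps the unencrypted private key (-nodes) owner-readable only.
    ( umask 077
      openssl req -config "$dir/example-com.conf" -new -newkey rsa:2048 -nodes \
          -keyout "$dir/example-com.key.pem" -out "$dir/example-com.req.pem" ) 2>/dev/null
}

# check_csr DIR NAME...: succeed only if the CSR signature verifies, its public
# key matches the private key, it does not ask for CA:TRUE, and every NAME is
# present as a DNS subjectAltName.
check_csr() {
    dir=$1; shift
    req="$dir/example-com.req.pem"; key="$dir/example-com.key.pem"
    openssl req -in "$req" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$req" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    text=$(openssl req -in "$req" -noout -text)
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then return 1; fi
    sans=$(printf '%s\n' "$text" | grep 'DNS:' | tr ',' '\n' | tr -d ' ')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -Fxq "DNS:$name" || return 1
    done
}

d=$(mktemp -d) && make_csr "$d" && check_csr "$d" example.com www.example.com \
    && echo "CSR ok: $d/example-com.req.pem"
```

The same public-key comparison works after the CA returns the certificate: replace the `openssl req ... -pubkey` call with `openssl x509 -in example-com.cert.pem -noout -pubkey` before building the PFX.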
