Easy to remember, and already documented in many places: creating a CSR for a commercial wildcard certificate.
openssl req -new -nodes -keyout my.key -out my.csr -newkey rsa:xxxx
Generating a RSA private key
.....................+++++
........+++++
writing new private key to 'my.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Orlando
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:IT-Service
Common Name (e.g. server FQDN or YOUR name) []:*.mydomain.com ----> Attention: really *.mydomain.com for the wildcard
Email Address []:postmaster@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mypass
An optional company name []:MyCompany Ltd
Check whether the CSR is in order:
openssl req -text -noout -verify -in my.csr
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = FL, L = Orlando, O = MyCompany, OU = IT-Service, CN = *.mydomain.com, emailAddress = postmaster@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
challengePassword :mypass
unstructuredName :MyCompany Ltd
Signature Algorithm: sha256WithRSAEncryption
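As an added example, not part of the original walkthrough: the same CSR creation done non-interactively with -subj, followed by automated versions of the checks made above (signature verifies, CN is the wildcard, private key belongs to the CSR). The domain, DN values and file names are constructed sample values, and it goes one step beyond the walkthrough by also adding a subjectAltName, since current browsers only honour names listed in the SAN extension.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Needs OpenSSL >= 1.1.1 (-addext).
# Domain, DN values and file names below are constructed sample values.
set -eu

# Create an unencrypted 2048-bit RSA key (-nodes, as in the walkthrough) and a CSR
# whose CN is the wildcard. The SAN is added as well: browsers ignore the CN and
# only accept names that appear in the subjectAltName extension.
make_wildcard_csr() {
  domain=$1 key=$2 csr=$3
  openssl req -new -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" \
    -subj "/C=US/ST=FL/L=Orlando/O=MyCompany/OU=IT-Service/CN=*.$domain" \
    -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# Succeed only if the CSR's self-signature verifies, its CN is *.domain and the
# SAN lists the wildcard; the scripted form of "openssl req -verify".
check_wildcard_csr() {
  csr=$1 domain=$2
  dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for grep
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -subject | grep -q "CN *= *\*\.$dom_re" || return 1
  openssl req -in "$csr" -noout -text | grep -q "DNS:\*\.$dom_re" || return 1
}

# Succeed only if the private key belongs to the CSR (identical public key).
# Run the same comparison against the issued certificate (openssl x509 -pubkey
# -noout) before copying server.key and server.crt into the container.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: generate into a temporary directory and run both checks
# (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  make_wildcard_csr mydomain.com "$tmp/my.key" "$tmp/my.csr"
  check_wildcard_csr "$tmp/my.csr" mydomain.com && echo "CSR OK"
  key_matches_csr "$tmp/my.key" "$tmp/my.csr" && echo "key matches CSR"
fi
```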
The wildcard certificate can then be requested from the provider with this CSR. In principle the same procedure with a CSR can also be used for Let's Encrypt.
We continue with
Step 1) pack the commercial certificate (here xxxx.crt, depending on your requirements) together with the Intermediate_CA_Bundle.crt and the root.crt into the file server.crt using cat:
cat my.crt Intermediate_CA_Bundle.crt > server.crt
Step 2) remove the password from the key --> only needed if the key file is encrypted:
openssl rsa -in my.key -out my_deencrypted.key
The key file and the certificate file for the wildcard, together with the Intermediate_CA_Bundle.crt and the root.crt from the provider, must be kept safe.
Copy server.key and server.crt to /opt/novell/gw/certs and execute the update script:
docker exec gwweb bash -c "/update/update-certs.sh"
update-certs.sh: Running update script...
/etc/nginx/gw/poas.conf exists.
Requesting certificate of myserver.com:7191 server
/etc/nginx/gw/dvas.conf exists.
Requesting certificate myserver.com:8301 server
/etc/nginx/gw/smg.conf exists.
Requesting certificate of localhost:443 server
Copying /etc/nginx/gw/smgca.crt file
Copying /etc/nginx/gw/ca.crt file
Upstream servers certificates are available. Updating the CA...
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
update-certs.sh: Update script completed
When using wildcard certificates, error messages such as nginx: [emerg] host not found in upstream "myserver:7191" in /etc/nginx/gw/web.conf:1 may appear. This is due to the CN in the wildcard certificate, which is *.mydomain.com.
“You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei