DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Certificate for SSL Import.

11 Oct 2018 17:22 #1 by sheltons
Certificate for SSL Import. was created by sheltons
Due to PCI compliance I am trying to get our Certificate imported in our 2862 router for SSL VPN as it is being flagged as weak - The Self Signed.

I have read https://www.draytek.co.uk/support/guides/kb-local-certificate-management but this Generates a New CSR whereas I just want to import our existing Certificate if possible, and not have to purchase a specific one. The Domain Name is already included in the SAN Part.

Every time I try to import the Crt file I get Upload Fail. I have tried downloading it from GoDaddy in Apache & Other Format but they fail also.

Thanks
John.

16 Oct 2018 11:13 #2 by admin3
Replied by admin3 on topic Re: Certificate for SSL Import.
Importing a certificate from another system (LetsEncrypt, GoDaddy etc) requires importing the private key and its password as well. To do that, you should have a certificate file and a private key file.

If the private key is provided without a password, that can be added with OpenSSL. Or you can create a PKCS12 file by combining the certificate and the private key, again with OpenSSL:

Code:
OpenSSL> pkcs12 -export -out draytek.pfx -inkey C:\OpenSSL-Win32\bin\PEM\privkey.pem -in C:\OpenSSL-Win32\bin\PEM\cert.pem
Enter Export Password: examplepassword
Verifying - Enter Export Password: examplepassword
OpenSSL>


Then that draytek.pfx file gets imported as a PKCS12 file, with the password set when creating the .pfx file.



Forum Administrator

18 Oct 2018 10:37 #3 by sheltons
Replied by sheltons on topic Re: Certificate for SSL Import.

admin3 wrote: Importing a certificate from another system (LetsEncrypt, GoDaddy etc) requires importing the private key and its password as well. To do that, you should have a certificate file and a private key file.

If the private key is provided without a password, that can be added with OpenSSL. Or you can create a PKCS12 file by combining the certificate and the private key, again with OpenSSL:

Code:
OpenSSL> pkcs12 -export -out draytek.pfx -inkey C:\OpenSSL-Win32\bin\PEM\privkey.pem -in C:\OpenSSL-Win32\bin\PEM\cert.pem
Enter Export Password: examplepassword
Verifying - Enter Export Password: examplepassword
OpenSSL>


Then that draytek.pfx file gets imported as a PKCS12 file, with the password set when creating the .pfx file.



Thanks for the Response.
I have been looking at the GoDaddy Export Options and I cannot find one that will give a Privatekey file, I get a .crt and an intermediates.p7b file.

I spoke to GoDaddy but they were of no help.

John.

18 Oct 2018 10:41 #4 by sheltons
Replied by sheltons on topic Re: Certificate for SSL Import.

Sheltons wrote:

admin3 wrote: Importing a certificate from another system (LetsEncrypt, GoDaddy etc) requires importing the private key and its password as well. To do that, you should have a certificate file and a private key file.

If the private key is provided without a password, that can be added with OpenSSL. Or you can create a PKCS12 file by combining the certificate and the private key, again with OpenSSL:

Code:
OpenSSL> pkcs12 -export -out draytek.pfx -inkey C:\OpenSSL-Win32\bin\PEM\privkey.pem -in C:\OpenSSL-Win32\bin\PEM\cert.pem
Enter Export Password: examplepassword
Verifying - Enter Export Password: examplepassword
OpenSSL>


Then that draytek.pfx file gets imported as a PKCS12 file, with the password set when creating the .pfx file.



Thanks for the Response.
I have been looking at the GoDaddy Export Options and I cannot find one that will give a Privatekey file, I get a .crt and an intermediates.p7b file.

I spoke to GoDaddy but they were of no help.

John.



I missed trying one export type - Tomcat. It gives 2 .crt and a .pem - Does .pem mean it is a PrivateKey File?
John

18 Oct 2018 11:59 #5 by sheltons
Replied by sheltons on topic Re: Certificate for SSL Import.
Either way in any combination I have not been able to import any of the certificates generated.

22 Oct 2018 14:38 #6 by admin3
Replied by admin3 on topic Re: Certificate for SSL Import.
It seems then that the Tomcat certificate output from GoDaddy is the correct one, but it's odd that it's not working for you. .crt & .pem is the correct pair of extensions.

I notice you haven't said which router model you have - certificates generated by companies now should be using 2048-bit key size and SHA1 or SHA256. If the router is on older firmware, it might not be able to process certificates if they're larger than the router can interpret or are using a key size the router doesn't understand.

This website has some good examples of OpenSSL commands to verify the certificate and key details on your end:
https://www.sslshopper.com/ssl-certificate-tools.html
I don't recommend using online tools to check the private key & certificate combination, just use OpenSSL to do the same things locally.



Forum Administrator
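
The local checks and the PKCS12 step discussed in replies #2 and #6, as an added example that is not part of the original posts or DrayTek's own tooling: it shows what a PEM file actually contains, confirms that the private key belongs to the certificate, and only then builds the .pfx. The function names and the PFX_PASS environment variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: local checks before importing a certificate/key pair.
# Function names and the PFX_PASS variable are assumptions for illustration.

# List the PEM block labels in a file. The label on the BEGIN line, not the
# .pem/.crt extension, says whether it holds a certificate or a private key.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Succeed only if the certificate ($1) and private key ($2) share one public key.
# An encrypted key makes openssl prompt for its passphrase.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the key size and signature algorithm recorded in the certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -text |
        grep -E 'Public-Key:|Signature Algorithm:' | sort -u
}

# Build the PKCS12 bundle ($3) only when the pair matches. The export password
# is read from the PFX_PASS environment variable so that it does not appear
# on the command line or in shell history.
make_pfx() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Optional direct use: script.sh cert.pem privkey.pem draytek.pfx
if [ "$#" -eq 3 ]; then
    pem_labels "$1"
    pem_labels "$2"
    cert_summary "$1"
    make_pfx "$1" "$2" "$3"
fi
```

A file whose only label is CERTIFICATE contains no private key, whatever its extension.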
