Is chained SSL certificate installation possible?

pixelhed

Hi

I have been trying to install the chained ssl cert that I bought for the site I have, but am unable to. Each time the system reports that the request either timed out, or failed.

I got 2 certs from the company (freessl):
  • The ChainedSSL Baltimore Intermediate Certificate
  • Web Server Certificate

I have tried:

1) paste both into the box below the key
2) paste baltimore below the key
3) paste web cert below the key & the baltimore key in the CA root cert box

Everything times out.

There is one thing that I think might be the problem: the cert was registered with a csr from another server, but the support at the company told me I should be able to use the same cert on the new server.

If anyone can give me any help, if someone knows that certs cannot be transferred (seems logical to me), it will be gratefully received, as this situation is driving me bonkers!

thanks
 
Hello,

DirectAdmin checks the cert and key to make sure they are valid. Chained ssl certificates were not taken into account when the system was designed.

It runs:
Code:
/usr/bin/openssl x509 -modulus certfilename
to verify that the cert is valid. If there are any prompts, it would likely hang.

John
 
Thanks John,

So that means that I am not able to install the certificate myself, right? I have to ask the server admin to do this manually for me. I will be directing them to this thread as a reference, so if you can confirm this for me that would be great.

All the best
A.
 
Hello,

If it's a valid cert, what you could do is install a fake one so that the files and paths all get set up, then yes, get your admin to copy it manually over top of the fake one:

/usr/local/directadmin/data/users/username/domains/domain.com.crt

John
 
John,

Certs that require what pixelhed is calling a "chained ssl cert" are not in any way invalid, and don't cause any prompts which would hang your install procedure, even if the chain isn't installed.

The proper way to install what pixelhed is calling a "chained ssl cert" is using the method he called "3".

What he calls a "chain cert" is technically a CA root cert, which you already allow for.

I don't know why he can't get it to work, but I've installed a cert requiring a CA root cert from Comodo, and it installs and works fine.

Jeff
 
jlasman,

The reason (I think) it does not work is that the cert was bought for another host (using the csr of another machine) - Not knowing much about this process, I asked the company I bought it from if it is poss. to transfer the cert, and they said it is.

To me it looks like they were wrong, as if you can do what I described in (3 - above) the only reason (other than some host misconfiguration - also NOT unlikely!) is that the cert is ONLY valid for one machine.

If you can shed any light on this matter, it would be appreciated.

:)
 
pixelhed said:
> The reason (i think) it does not work is that the cert was bought for another host (using the csr of another machine) - Not knowing much about this process, i asked the company i bought it from if it is poss. to transfer the cert, and they said it is.

What kind of machine was it bought for? We've now successfully moved certs from other linux-based systems to DA. And that should almost always be both possible and easy.

> To me it looks like they were wrong, as if you can do what i described in (3 - above) the only reason (other than some host misconfiguration - also NOT unlikely!) is that the cert is ONLY valid for one machine.

When your system creates the CSR it also creates a key. Did you also move the key to the new machine? If I get a chance later today I can look at one of my systems and see exactly what I ended up moving.

> If you can shed any light on this matter, it would be appreciated.

I don't have much time to investigate right now but if you call me (contact information is always in my sig) I'll take a moment with you on the phone and we can compare contents of various cert files on our two systems.

As inexpensive as certs are (FreeSSL gets even less than we do :) ) it doesn't make sense to spend too much time investigating this.

As an aside, I went to the FreeSSL site a moment ago to see if there was anything "special" or different about their cert, and there isn't. But I did notice their rant about Comodo's certs being less stable than theirs. Pure unadulterated FUD.

Jeff
 
To verify the validity of a certificate, we run:

/usr/bin/openssl x509 -modulus

and input the certificate from stdin. This tells us whether or not the cert is valid. If it's a chained cert, I'd have to get my hands on one to test out what that code will do with it.

John
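
Added example (not part of the original posts, and not DirectAdmin's code): the modulus comparison that `openssl x509 -modulus` makes possible, applied to Jeff's question about whether the key was moved along with the cert, plus a chain check against the issuer's certificate. All keys and certificates are constructed and throwaway; the file names, the `www.example.test` subject and the helper function names are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: every key and certificate here is constructed and throwaway.
set -eu

# Digest of the RSA modulus carried in a certificate / in a private key.
cert_modulus_hash() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }
key_modulus_hash()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl sha256; }

# Succeeds only when the certificate was issued for this private key.
cert_matches_key() {
    [ "$(cert_modulus_hash "$1")" = "$(key_modulus_hash "$2")" ]
}

# Succeeds when the certificate chains to the CA certificate in file $2.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Build a constructed CA, an "old server" key + issued cert, and a "new server" key.
make_demo() {
    w=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null
    # The CSR and its private key are created together on the old server.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$w/old.key" -out "$w/old.csr" 2>/dev/null
    openssl x509 -req -in "$w/old.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -days 1 -out "$w/site.crt" 2>/dev/null
    # A key generated fresh on the new server; site.crt was never issued for it.
    openssl genrsa -out "$w/new.key" 2048 2>/dev/null
    echo "$w"
}

d=$(make_demo)
for k in old new; do
    if cert_matches_key "$d/site.crt" "$d/$k.key"; then
        echo "$k.key: matches site.crt"
    else
        echo "$k.key: does NOT match site.crt (wrong private key)"
    fi
done
if chain_ok "$d/site.crt" "$d/ca.crt"; then
    echo "site.crt verifies against ca.crt"
fi
```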
 
John, there's no difference between a cert that requires a root (chained) cert and one that doesn't as far as validity is concerned.

A cert will require a root cert only if browsers in general use don't recognize the issuer.

So I don't believe that's the problem.

Though I'm as curious as you are, since it only costs $37 for a new FreeSSL cert I don't see it as cost effective to spend too much time on this if a new one works.

I still think he's simply installing it wrong, though, or perhaps it wasn't issued originally for a Linux system.

Jeff
 
Installing Comodo cert

I was able to install a Comodo chained ssl cert following jlasman's instructions.

Specifically I did the following:
1) In the SSL Certificates window, pasted the certificate text supplied by Comodo (ie, the contents of mydomain.crt) below the Private Key text in the text box labeled "Paste a pre-generated certificate and key"
2) Followed the link from the bottom of that page that reads "Click here to paste a CA Root Certificate". In the following page checked the "Use a CA Cert" box and pasted the text into the box supplied by Comodo in a file named mydomain.ca-bundle.

The above worked perfectly.

I generated the private key following Comodo's instructions for Apache (ie, through SSH). In a few months I will need a cert for another site and will then try using DA's feature to "Create A Certificate Request".
 
mbrand, you responded to a thread written in 2003, when the functionality you used wasn't yet built into DA.

Jeff
 
I think the problem may have been that it wasn't always easy to tell which Comodo cert was the one to put there.

Jeff
 