Install SSL Comodo certificate (.pfx file)

[Samplex]

I have a SSL cert of comodo wich use to run on a Windows machine,
i made a backup of it to a .pfx file now i have the following files:

webmail_mydomain_com.pfx
GTECyberTrustGlobalRoot.crt
ComodoSecurityServicesCA.crt

How can i install them DirectAdmin?

 

[nobaloney]

You're missing the private key; without it you can't install the cert. It's saved only on the original server. If you no longer have access to it you'll have to contact Comodo to re-issue the Certificate. If you tell them you want the Certificate reissued for apache you'll get the proper files and instructions on how to install them.

If you do find you have access to the private key, write back to this thread for further help.

Jeff

 

[provender]

Comodo SSL issue

I'm having an issue also with a brand new Comodo cert. I got back the .crt fle from Comodo which I put in the "Click Here to paste a CA Root Certificate" area and saved. When I go to the domain, It is still using my self-signed cert. that I had created while testing.

There is also a ca-bundle that came with the cert. Do I need to do something with that also? The instructions with DA aren't very clear (and appear to be for an older version of the console). Any help you could provide would be appreciated. Thanks...

 

[nobaloney]

I'm having an issue also with a brand new Comodo cert. I got back the .crt fle from Comodo which I put in the "Click Here to paste a CA Root Certificate" area and saved.

You pasted it in the wrong place. it goes into the Paste a pre-generated certificate and key textbox, right under the private key. Be sure you radio button is pressed, and click to save it.

There is also a ca-bundle that came with the cert. Do I need to do something with that also?

Unzip it if it's zipped, then take the entire unzipped file, including all the certs into it, into the textbox unveiled when you Click Here to paste a CA Root Certificate.

Then save that.

DirectAdmin runs the task queue every minute, so it may take up to about 75 seconds or so to install what it needs to install and to restart apache. So wait about 75 seconds before you try the site again.

It should work. If it doesnt, plese post your secure URL here.

Jeff

 

[Samplex]

cert

You're missing the private key; without it you can't install the cert. It's saved only on the original server. If you no longer have access to it you'll have to contact Comodo to re-issue the Certificate. If you tell them you want the Certificate reissued for apache you'll get the proper files and instructions on how to install them.

If you do find you have access to the private key, write back to this thread for further help.

Jeff

Why? If i restore the pfx certificate on a IIS server it works perfectly again but i found a ways to convert pfx to pem. can i do something with a pem file?

 

[provender]

Jeff,

I followed your instructions and pasted the .crt file on the first page under "Paste a pre-generated certificate and key", I then clicked the "Click Here to paste a CA Root Certificate" and pasted the ca-bundle key on the following page and got "Success! CA Certificate is ok. Your site should be secure within a few minutes." I waited five minutes and went to the site and got the following message "You have attempted to establish a connection with helper.percipion.com. However the security certificate presented belongs to www.snakeoil.dom". I'm not even sure where this came from (I believe it is the server default) since I have been using a self-signed cert. while testing the site.

From my perspective I think I've followed your instructions, and haven't received any error messages. Any ideas?

 

[nobaloney]

Samplex,

I'm not familiar with what IIS requires or uses. I do know that SSl requires a key as well as a cert.

This wikipedia article may help you understand. The Certificate is your public key, and the key I'm refering to is your private key.

Your Certificate file includes these two lines as header and footer, and some encoded text in the middle:

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXxxxxxx
-----END CERTIFICATE-----

and the key file:

-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXxxxxxx
-----END RSA PRIVATE KEY-----

To install the Certificate on your DA server you need to paste both of these, the Private Key above the Certificate, into the section marked Paste a pre-generated certificate and key and save, and then the files making up the CA bundle in the section marked Click Here to paste a CA Root Certificate.

Jeff

 

[nobaloney]

provender, you need to have both the private key and the certificate pasted into the section marked Paste a pre-generated certificate and key, and save.

Have you done that? did you make sure the radio button was clicked? Please see my post directly above.

Thanks.

Jeff

 

[Samplex]

Working

I got it working now, i will make instruction how to do it later and will post it here..

Only thing is now how to make it work with Webmail?
https://ssl.mydomain.com -- > Squirrelmail ??

Is that possible?

 

[nobaloney]

I don't know why it's not working. For a working example, look here.

If you post your domain name I can do some checking from here.

Jeff

 

[Samplex]

ssl

That is working https://www.mydomain.com/webmail but i want https://ssl.mydomain.com connect directly to my webmail without puttting https://..../webmail behind the url.

 

[provender]

Well, I'm not sure which of the the things were wrong. The Comodo folks said my key wasn't matching - so they reissued and I followed your steps and everything is working as is should now. I have one final question. If I decide to add an additional cert on the root domain (or another sub) at a later date, and follow the exact same procedure - will it have any effect on the existing sub (or does something different need to be done in DA)? Thanks for again for all of your help...

 

[nobaloney]

I'm glad Comodo could help you because unless you really own the domain mydomain.com you never gave us the right information, making it between hard to help and impossible to help.

You can only have ONE Secure Certificate on any IP#/port number combination, and DirectAdmin doesn't support Secure Certificates on separate port numbers on the same IP#, so you cannot have a Certificate on any other domain or subdomain on the same IP#.

Unless you own the server hosting your domain you'd have to work with your hosting provider to assign additional IP#s for additional Certificates. Depending on your provider you might have to pay additional fees and get additional accounts.

Jeff