CSR Touble

[Publiglobe]

Hello Everybody,
My agency, has a webserver With DirectAdmin installed which needs one SSL certificate.

There is a problem with the CSR generated by Direct Admin. When i fill out all the forms into the "generate certificare request" area, and generate the CSR, my ssl provider says that the CSR is password protected and they are unable to create a valid cert. I can only use the direct admin panel (no ssh, no openssl prompt). What should i do to remove the password protection within the csr? I need to change some setting?

Sorry for bad english

Thank You in advance

 

[scsi]

There is no password protection when creating ssl certificates in directadmin.

http://site-helper.com/ssl.html#install

 

[nobaloney]

Googling for password protected CSRs gives no results except this thread. Post your CSR (don't worry, it's not a security risk) and I'll run it through my validity tester.

Jeff

 

[Publiglobe]

Hi,
thank you for your replyes

this is my CSR:

-----BEGIN CERTIFICATE REQUEST-----
MIIDFjCCAf4CAQAwgasxCzAJBgNVBAYTAklUMRgwFgYDVQQIEw9SZWdnaW8gQ2Fs
YWJyaWExGDAWBgNVBAcTD1JlZ2dpbyBDYWxhYnJpYTEaMBgGA1UEChMRUHVibGln
bG9iZSBzLnIubC4xCzAJBgNVBAsTAklUMRowGAYDVQQDExF3d3cucHVibGlnbG9i
ZS5pdDEjMCEGCSqGSIb3DQEJARYUYW5kcmVhQHB1YmxpZ2xvYmUuaXQwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycP8ThCOVVJbi9pYo+44vrqRl+VIu
wm1PvQaR3UKGfvO/G7b5hjB+nsaKjakQl0uhr5UPa+h8FY0PnkZhiTSwsOr4lqaQ
+bpO0cb8ReB8+oLFkQp9V+xyWnb5rHY0OvGpGqVCdtTaihva+h6a6q17z+oUp08v
TDYUn49fq0wsyLcFbbNR3k3umFR/h3hl+n+nPDEApOzSUnTAJ7Bi/yMIIABsRcDs
m09T2YxGmhQUUO2u7YVcAj2C5emU+olj/bnXqb/WUbAgey86bMuIae/FeVYEPmdu
9YZevqQtx/NOuz8PHlaZ/md/Z+O+gUU5X8gXeTfrM+KsIf3kTpGP1WJXAgMBAAGg
JTAjBgkqhkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcN
AQEFBQADggEBABNeokUAEmBjRoqIqmSqdpmEe9QBoHbElxdPJ37sQ7ib9xWCQxbq
KDO1OEMOGeg/G5llpT6qC0Q3/i+TN5mOyonPIbbI+0eRGJKLYUnHgWHmP0f6iaqb
phorV+doVhiRL2ttMUPU0ErkN8y6wgdv4gHKmDT9LkoVdXag/0EFJL0aIWzWHHYp
xKoZyBsHryFj2kI6nlijRO4hgCdwUs/g8a7CCIjkm86lxCdcnXte1kicM2NR+UfJ
O/zMUveXLidzgUorttKGHnm/wn97306lqp89fa2/s/bulQL4xQgLwYTydazB+826
phDgvYntUOIW1AtOFKdGk0LN3VXIdZw1OPk=
-----END CERTIFICATE REQUEST-----

Thank you in advance

 

[nobaloney]

Verisign's CSR Verifier says:

Error: Your CSR contains a challenge phrase. This is not a secure practice. Please generate a new CSR that does not contain a challenge phrase.

I'm not sure why it's not a secure practice.

How did you get your original private key? Googling tells me that you need to replace your private key with one that isn't encrypted. I have some idea how this might have happened.

If you're using a standard DirectAdmin control panel to create your CSR and Private Key, then create a new Private Key. The way you do that is by first creating a 2048-bit self-signed certificate, then going back and creating your CSR with the 2048-bit setting.

But...

First save both the Private Key and the Cert already installed in DirectAdmin (on the same screen).

Then after you've got your CSR go back and save the Private Key as well, so you'll have it for the install of the new certificate when issued.

The paste back in the old window contents and save, so you can still use your old Cert until the new one is issued.

Once the new Cert is issued, first copy the new Private Key into the window, then under it the new Certificate, then save.

Depending on the Cert you bought you may need to install a CA root or intermediate Cert as well.

Note thatl the CSR is not encrypted; your provider is simlifying. The CSR was created with an encrypted Private Key, and if they give you a Cert based on that CSR, then every time you restart Apache (and every time DirectAdmin restarts Apache) you'll need to manually enter a password, which is arguably quite impossible. And why the standard now is to not use a password.

Or you can just buy a new Certificate from me, with installation: see my post here.

Jeff

 

[Publiglobe]

Thank you, i've already tryied this way, but maybe i've made something wrong. I'll retry and let you know

Thank you for your help

 

[nobaloney]

Please let us know if it works. The reason I offer a new Certificate with installation at such a low price is because it's cheaper and easier for me to install a Certificate I know than to troubleshoot an installation I dont know.

Jeff

 

[syberghost]

Googling for password protected CSRs gives no results except this thread. Post your CSR (don't worry, it's not a security risk) and I'll run it through my validity tester.

Jeff

It's not a security risk... unless it contains a challenge passphrase. Then anybody with the CSR can revoke your certificate, if your registrar allows challenge phrases in the CSR. That's why putting the challenge phrase in the CSR is not a secure practice.

Sorry to zombie the thread, but this post shows up high in some Google searches, so I figured it should include this information.

 

[lamletoi]

It's not a security risk... unless it contains a challenge passphrase. Then anybody with the CSR can revoke your certificate, if your registrar allows challenge phrases in the CSR. That's why putting the challenge phrase in the CSR is not a secure practice.

Sorry to zombie the thread, but this post shows up high in some Google searches, so I figured it should include this information.

I have the same problem here.
Can not use CSR with ssls
Use one-word challenge password (no spaces) containing letters or digits only.