Forum Discussion
- Is this a device cert or a site cert?
- Was the cert generated via the GUI or via the CLI using openssl commands?
- Is it a self-signed cert or is it from an SSL cert provider?
- Does the key have a password? If the CSR was done via the GUI, I believe the key isn't encrypted and thus no password required.
This info should help with answering your question.
Thanks!
- The-messenger, Nov 05, 2021, Cirrostratus
The cert is being exported from one device and imported to another. There is no CSR here, just exporting and importing.
I resolved it. I used openssl to combine the .key and .crt file to a .pfx file. Then used the .pfx file to import, at the other datacenter, overwriting the existing cert in place.
- Fallout1984, Nov 05, 2021, Cirrocumulus
Ah, okay. Good. I normally use openssl commands when creating certs, more control that way. There's one cert that I have to merge into PFX format for a particular backend server, but that's about the only time I have to use that format.
Another thing I started doing as part of my cert creation routine was to verify the hash of the CSR and the key match before I export it for the cert request:
Example:
Generate hash for the private key:
openssl pkey -in /config/ssl/ssl.key/apple-pie.com.key -pubout -outform pem | sha256sum
Generate hash for the csr:
openssl req -in /config/ssl/ssl.csr/apple-pie.com.csr -pubkey -noout -outform pem | sha256sum
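
Added example, not part of the forum posts above: the same public-key hash comparison wrapped in a script that also covers the certificate and refuses to build the .pfx when key and cert do not belong together. The function names, the `PFX_PASS` variable, the `example.test` subject and the throwaway files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; names, subject and temp files are constructed, not from the thread.

# SHA-256 of the public key inside a key, CSR or cert. Returns non-zero when
# openssl cannot read the file, so two unreadable files never "match" on an empty hash.
pubkey_hash() {   # pubkey_hash key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout -outform pem) ;;
        csr) pem=$(openssl req  -in "$2" -pubkey -noout -outform pem) ;;
        crt) pem=$(openssl x509 -in "$2" -pubkey -noout) ;;
        *)   echo "unknown kind: $1" >&2; return 2 ;;
    esac
    [ -n "$pem" ] || { echo "cannot read $1 file: $2" >&2; return 1; }
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# Succeed only if every "kind:file" argument carries the same public key.
same_pubkey() {
    ref=
    for spec in "$@"; do
        h=$(pubkey_hash "${spec%%:*}" "${spec#*:}") || return 1
        if [ -z "$ref" ]; then ref=$h; fi
        [ "$h" = "$ref" ] || return 1
    done
    [ -n "$ref" ]
}

# Build the .pfx only for a matching pair; password comes from $PFX_PASS.
make_pfx() {   # make_pfx KEY CRT OUT
    same_pubkey "key:$1" "crt:$2" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Constructed sample material: keys a and b, plus a CSR and self-signed cert for a.
make_samples() {   # make_samples DIR
    for n in a b; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/$n.key" || return 1
    done
    openssl req -new -key "$1/a.key" -subj "/CN=example.test" -out "$1/a.csr" &&
    openssl req -x509 -new -key "$1/a.key" -subj "/CN=example.test" -days 1 -out "$1/a.crt"
}

# Stand-alone demo: run this file with the argument "demo".
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_samples "$d" &&
    same_pubkey "key:$d/a.key" "csr:$d/a.csr" "crt:$d/a.crt" && echo "a.key, a.csr, a.crt match"
    same_pubkey "key:$d/b.key" "csr:$d/a.csr" || echo "b.key does not match a.csr"
    rm -rf "$d"
fi
```

An encrypted private key makes `openssl pkey` prompt for its passphrase before the hash is computed.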