Unable to install SSL Certificate

I am unable to complete the SSL certificate installation. The Wizard gives me an error when I try to enter the server certificate. The error message is “Unable to decode next certificate chain”. This happens when I drag and drop the CSR file. I even tried to manually enter the data but get the same error either way.

You can’t use a certificate request. That would go to your CA. You need a certificate from your CA, not a certificate request.

Oh, ok. I am not too familiar with the process of getting a certificate. Who is the CA?

CA == “Certificate Authority”. The organizations that are trusted by browser makers and OS makers to sign certificates that identify people or servers or businesses. For the most serious kind, you pay. For such I use SSL.com, though I used to use DigiCert.

It is possible to get certificates for free from letsencrypt.org, though you have specific requirements you must follow to prove you are entitled to have them. It is also possible to be your own CA, but you’ll have to manually tell all your clients to trust it.

The overall process goes like this:

  1. You generate a private key that you intend to install in your server. Nobody else gets that.
  2. You generate a certificate signing request that supplies the name of your organization and the intended name of your server (www.example.com, or whatever), along with cryptographic proof that the file was prepared with your private key.
  3. You arrange for a CA to examine your CSR and satisfy themselves that it is appropriate (letsencrypt automates the process) and they countersign the CSR to produce a certificate.
  4. You install both private key and cert into your server.
  5. From then on, when a client connects via https or other secure channel, your server presents the certificate to the client along with cryptographic proof that it has the private key, during the encryption handshake. The client examines the certificate to validate the signature’s proof of origin in a trusted organization (the CA).

Thanks for the great explanation! Just a few questions so I am clear.

  1. What tool do I use to create the private certificate?
  2. I assume I use the Ignition "Generate Certificate Signing Request" tool to create the request?
  3. Then I can go to either SSL.com or (other pay service) or letsencrypt.org with the certificate request to get the certificate. Correct?
  4. And then finally, what tool do I use to install the certificate onto the server?

Oh, and last question. Am I considered a webserver even though I am running the gateway on my home computer? If so where does the www.example.com name come from? All I have is my public IP address. Is there a way for me to alias that?

  1. “private certificate” is not a meaningful phrase. I create private keys with OpenSSL on a Linux command line. There are other tools to do so. I haven’t played with Ignition’s new SSL interface, but it seems like it might have created a key for you as part of creating a CSR.

  2. Yup. Some CAs want you to do both private key generation and CSR generation on their website. I don’t particularly like that. CSRs can also be generated by a variety of tools–I tend to use OpenSSL on a Linux command line.

  3. Paid services handle the CSR through their website, usually with some form of manual verification of your identity and your right to use the domain name. LetsEncrypt only issues certificates through their automated processes. I do that via a Linux command line (certbot) and custom Apache configuration. You’ll have to research the best method for your circumstances if you want a free certificate. Note that the most common automated process for LetsEncrypt involves making your domain name publicly visible on HTTP (not HTTPS), at least for their challenge-response process.

  4. The SSL wizard in Ignition looks pretty nice. Paste your cert where you were trying to paste your CSR.

  5. Look at Dynamic DNS services to associate a domain name with your public IP address.
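The key, CSR and certificate steps discussed in this thread, run with OpenSSL on a Linux command line, as an added example that is not part of the original posts. The self-signing step is only a stand-in for the CA, and the file names, the organization name and `www.example.com` are placeholders; `pem_kind` tells a CSR from a certificate before anything is pasted into a certificate field.

```shell
#!/usr/bin/env bash
# Added example. File names and the subject are constructed placeholders.

# Report what a PEM file holds, judged by its first BEGIN line.
pem_kind() {
  case "$(grep -m1 -e '^-----BEGIN ' "$1")" in
    *'CERTIFICATE REQUEST-----') echo csr ;;          # goes to the CA
    *'CERTIFICATE-----')         echo certificate ;;  # comes back from the CA
    *'PRIVATE KEY-----')         echo private-key ;;  # never leaves the server
    *)                           echo unknown ;;
  esac
}

# Steps 1 and 2: private key, then a CSR signed with it. $1 = dir, $2 = name.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/server.key" 2>/dev/null &&
  openssl req -new -key "$1/server.key" \
    -subj "/O=Example Org/CN=$2" -out "$1/server.csr"
}

# Step 3 stand-in: self-sign the CSR. A real CA signs with its own key instead.
stand_in_ca_sign() {
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -days 30 -out "$1/server.crt" 2>/dev/null
}

# Pre-install check for step 4: does the certificate carry this key's public half?
# Fails if $2 is not a certificate at all (for example, a CSR).
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$k" ] && [ "$k" = "$c" ]
)

demo() {
  dir=$(mktemp -d) || return 1
  make_key_and_csr "$dir" www.example.com && stand_in_ca_sign "$dir" || return 1
  for f in server.key server.csr server.crt; do
    printf '%-11s -> %s\n' "$f" "$(pem_kind "$dir/$f")"
  done
  key_matches_cert "$dir/server.key" "$dir/server.crt" &&
    echo "server.key and server.crt belong together"
  rm -rf "$dir"
}
demo
```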

Thanks for the help and clarification :+1: