
SSL Generation Question

Does it matter where I generate an SSL cert? I'm creating a cert with GoDaddy and they are asking for a CSR. Does it matter if I generate the CSR on my local dev system, or do I need to generate the CSR on the production server?

If I can do it locally:
1. Are there any cert files I should back up?
2. What files will I need to transfer to the production server?


Under most *nixes when using OpenSSL, it doesn't matter what machine you generate the CSR (or certificate) from, since it's just an x.509-encoded text file. Installing a certificate is typically as simple as copying the cert/key files onto the machine and pointing the configuration at them.

I'm not a Windows guy, but my understanding is that the tool that generates the CSR has to be run on the machine the certificate will be used for - certificates are stored as funny pkcs12-encoded files somewhere. However, the certificate (using the CSR) can still be generated anywhere, since it's just a text file that's imported.

    • That is correct, but I have run into a few weird cases where the resulting pkcs12 was stored in some bizarre certificate store, and not easily dealt with as a "regular" pkcs12.

You can generate the RSA keys anywhere. This produces a private/public key pair. Always keep track of where this private key is -- you may wish to (read: SHOULD) password protect/encrypt it. OpenSSL provides this functionality.

I like to think of it always in terms of a paired private/public key. The signing process just adds more information to the public key. Once you generate the CSR, you can lock away your private key for now. The CSR is your public key, plus information you wish to have signed by a CA, such as your name, country, perhaps a domain name, etc, all signed with your private key.

The CA sends you back a certificate of your public key, plus the information that they deemed "yes we will sign this part", plus their signature with their private key (verifiable now through their public key).

Now you have a private key (locked up) + a public key (with signatures and extra information). This still follows hand-in-hand with the thought of "private key-public key".

Now, whether you are on a dev server, or production server, or wherever, you can copy the private key + public key (certificate) to your application server.

Note: I usually generate my private keys on my laptop, disconnected from the network, until the private key is safe. I don't know what logging or backing up is going on inside my Web server, but unless I can trust the platform I am generating a key on, I should consider it potentially compromised.

On your server (Web server, presumably?) you will need to configure your SSL application to point to your public key and private key, and if your private key is password protected, you will need to provide the password to application startup in some manner.

Some applications will require a bundled PEM file containing your certificate, your private key, and any public certificates that correspond to signatures on your certificate. You can bundle these up if you have all the pieces.


As you can migrate keys and certificates from one server to another, there is no hardware dependency, i.e. you can generate them anywhere you like.

For operation you need

  • the private key, that you need to protect well and that shouldn't be openly available on any machine (this is the danger if it's available on your dev machine and stays there)
  • the certificate that you get, in your case from godaddy.

With Apache I've even pasted both into the same file for convenience. As they have their own header information (it's basically encoded ASCII gobbledygook), you just need to provide this filename to Apache as both the SSLCertificateFile and SSLCertificateKeyFile. Both are required; our certification company offered unlimited downloads of the certificate.
