问题
I need to obtain an CSR to complete order for SSL with godaddy.com. I have windows 2012 running in Amazon AWS instance. Server is Express.js.
Domain is pointed to that instance IP, and all works fine
I suppose I have to create that key from console or something similar. Issue here is I have never done that, and I do no have place for mistake at all.
How would I go about it?
回答1:
I need to obtain an CSR... How would I go about it [creating a CSR]?
Since you are on Windows, I would download and install Shining Light's Win32 OpenSSL. Its a prebuilt OpenSSL for the Windows platform.
Then, I would issue the following command. It creates a new key, and it generates the signing request in one fell swoop:
openssl req -config example-com.conf -new -newkey rsa:2048 -nodes \
-keyout example-com.key.pem -days 365 -out example-com.req.pem
Notice there is a configuration file: example-com.conf. The configuration file allows you to do things like set the Common Name and set the Subject Alternate Names. You can find that configuration file at Certificate with Extended Key Usage only works in Firefox.
After generating the CSR, submit example-com.req.pem for signing.
Note: you may not get everything you put in your CSR. Its up to the CA to verify the information, adjust your request, and then issue the certificate. For example, if you mark CA:true, then your CSR will probably be modified or declined because the CA does not want you minting certificates.
If your box AWS instance is a Windows image, then you will need to create a PFX and inport it into the appropriate trust store. Here's how you create the PFX.
What you have:
- example-com.cert.pem (Signed certificate, PEM encoded)
- example-com.key.pem (Private key, PEM encoded)
- ca-intermediate-cert.pem (Subordinate CA, PEM encoded)
What you don't need:
- example-com.req.pem (the CSR, since you have a signed cert)
- ca-root-cert.pem (the Root CA certificate)
You need ca-intermediate-cert.pem because the server must send it with the server's certificate. Sending all required intermediate certificates avoids the "which directory" problem. Its a well known problem in PKI, and it means a client does not know where to look for a missing intermediate certificate (should they go to Verisign, or should they go to Digicert, etc). However, you don't send ca-root-cert.pem because the client must already have it and trust it.
First, concatenate the the certificates:
cat example-com.cert.pem > example-com.chain.pem
cat ca-intermediate-cert.pem >> example-com.chain.pem
Second, create the PFX given the chain and the key:
openssl pkcs12 -export -in example-com.chain.pem -inkey example-com.key.pem \
-nodes -out example-com.chain.p12
Third, install it in a trust store. See, for example Import a Server Certificate (IIS 7) at MSDN.
Amazon probably has similar instructions somewhere.
来源:https://stackoverflow.com/questions/25296131/obtaining-csr-file-for-ssl-in-aws-windows-instance