  1. #1
    Newbie
    Join Date
    Sep 2020
    Posts
    2

    Private Key for 3rd party certificate

    Hi all,

    I'm trying to install a 3rd party server certificate using the Wiki instructions (https://wiki.untangle.com/index.php/Certificates). I used the admin interface (Config > Administration > Certificates > "Create Certificate Signing Request") to generate my CSR. I went to my SSL provider (NameCheap), submitted my CSR, and obtained my signed cert and intermediate bundle. However, when I go to "Upload Server Certificate," it's asking for my "Certificate Key." I assumed that when I used the NG Firewall to create the CSR that it would have also created the private key behind the scenes and that I would not be asked to upload/paste it in. Regardless, I don't know where my private key is, and as such, can't complete the installation of my cert.

    I SSH'd into my NG Firewall and listed the files within /usr/share/untangle/settings/untangle-certificates. I see the CSR I created (which I confirmed is the one I generated by decoding it and checking the date the file was created). However, I don't see any ".key" file that was associated with it. Wondering if it might be elsewhere on the box but not thinking it likely, I did a "find" from the root directory and don't see any other keys except the defaults and those used by OpenVPN.

    It's totally possible I'm overlooking something simple in the instructions on the Wiki, but I can't seem to figure out where I'm going wrong. Any help would be greatly appreciated!

    I have a "Home" license and am running v.15.1.0. Thank you!

  2. #2
    Untangler
    Join Date
    May 2008
    Posts
    397

    It is probably a hack and will void support. But here is a script I use to load my Let's Encrypt wildcard. Convert your cert to .pem if needed. The cert is on a Debian VM.

    Code:
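    #!/bin/bash
    set -e  # stop if any step fails, so a failed copy is never installed

    # Fetch the PEM from the Debian VM (placeholder source; use the form user@host:/path/to/cert.pem)
    scp root@path-to-cert.pem /etc/apache2/ssl/apache.pem

    # Install it where NG Firewall keeps its certificates
    cp /etc/apache2/ssl/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem

    # Restart Apache so it serves the new certificate
    service apache2 restart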
    If you are on Windows, use scp to copy the files.

    Don't forget to back up the files first.

  3. #3
    Newbie
    Join Date
    Sep 2020
    Posts
    2

    Thanks, @donhwyo! I didn't have to follow your instructions, per se. But they definitely helped, and I got it solved!

    I think the problem here is user experience within the UI. And again, maybe I simply overlooked something. I directed my attention to the "apache.*" files in /usr/share/untangle/settings/untangle-certificates/. What I found was that the apache.key file MUST have been used to generate my CSR. I originally overlooked that, and it wasn't obvious, because when I did an "ls -llat" or "stat" that file was created/modified Mar 13 2018. So, NG Firewall uses the original Apache private key when it creates the CSR.

    I confirmed it was the correct private key for my cert by doing a "cat" on this "apache.key" file and entering that into the field requesting it in the UI, and the UI does a validation of the key against the certs. The fields I'm referring to are as follows:

    [Screenshot: Annotation 2020-09-03 134524.png]

    The user experience problem that I think the product team should address (and again, maybe I missed something simple here) is this: when I originally entered my cert and the intermediate bundle into the UI - without the key, because I didn't have it - I got an error that I must enter the key and the upload failed. Again, I didn't have the key, so I couldn't get through that step. I had to SSH into the box, ultimately find the "apache.key" file, "cat" it and copy & paste it into the field that requires it in the UI.

    At first I thought the solution would be to simply drop the key field from the UI. But that would cause a problem for folks that generate their CSR elsewhere. So maybe the solution would be to download or present the key if you generate the CSR from the NG Firewall. And of course add a note that you must keep the key secure or destroy it, etc.

    Anyway, hope this helps someone else or possibly improves the product - which I'm a big fan of!
    Last edited by ceherring; 09-03-2020 at 11:01 AM.
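
The check described in post #3 (confirming that apache.key is the key behind both the CSR and the signed certificate) can be done from the shell before anything is pasted into the UI. This is an added example, not part of the original thread or Untangle's own tooling; the function names `pubkey_digest` and `same_public_key` and all generated files are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: check that a private key, CSR and certificate share one public key.

# Print the SHA-256 digest of the public key inside a PEM file.
# $1 = kind (key|csr|cert), $2 = file. Returns non-zero if the file cannot be parsed.
pubkey_digest() {
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # Normalise to DER so PEM formatting differences cannot affect the digest.
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if every "kind:file" argument contains the same public key.
same_public_key() {
    local first="" digest arg
    for arg in "$@"; do
        digest=$(pubkey_digest "${arg%%:*}" "${arg#*:}") || return 1
        : "${first:=$digest}"
        [ "$digest" = "$first" ] || return 1
    done
}

# Constructed test material (generated locally, not from the thread): a key, a CSR
# made from it, a self-signed cert over that CSR, and an unrelated key.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/apache.key" 2>/dev/null
openssl req -new -key "$work/apache.key" -subj "/CN=fw.example.test" -out "$work/server.csr"
openssl x509 -req -in "$work/server.csr" -signkey "$work/apache.key" -days 1 \
    -out "$work/server.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/other.key" 2>/dev/null

if same_public_key "key:$work/apache.key" "csr:$work/server.csr" "cert:$work/server.crt"; then
    echo "apache.key matches both the CSR and the certificate"
fi
same_public_key "key:$work/other.key" "cert:$work/server.crt" ||
    echo "other.key does not match the certificate"
```

Comparing public-key digests this way never prints or copies the private key itself, so the key file can stay on the box with its existing permissions while you confirm which one belongs to the certificate.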
