AWS - Importing Cloudflare certificate - where to get Certificate chain? - amazon-web-services

I'm trying to import a certificate generated in Cloudflare into AWS. Cloudflare provided me with the certificate and private key, but AWS also requires a field called "certificate chain". Where can I get this value?

According to the article at https://support.cloudflare.com/hc/en-us/articles/115000479507, you can get the PEM file from https://support.cloudflare.com/hc/article_attachments/360037885371/origin_ca_rsa_root.pem and use it in the certificate chain field.

Related

AWS AppSync - "Certificate is Invalid" error message when trying to create custom domain

I am trying to create a custom domain in AWS AppSync and have followed the below steps,
Created an origin certificate in Cloudflare.
Imported the certificate into AWS Certificate Manager.
Trying to create a new custom domain with name api.<domain-name>.com, the ACM certificate is listed in the drop-down. But after selecting it and clicking on create, getting the error message - Certificate is invalid.
Not sure why it says so, as the certificate is already successfully imported in ACM.
Any help is much appreciated.
Here's a snapshot of the error,
Note -
All the AWS resources are in us-east-1 region.
I am able to create a custom domain for API Gateway using the same certificate.
Cloudflare Origin CA is not supported as per https://docs.aws.amazon.com/appsync/latest/devguide/http-cert-authorities.html
At this time, self-signed certificates are not supported by HTTP resolvers when using HTTPS. AWS AppSync recognizes the following Certificate Authorities when resolving SSL/TLS certificates for HTTPS:

Has Google Cloud Platform removed some option in the Google Cloud SSL/HTTPS Load Balancer?

Can anyone help me? I am using a load balancer in Google Cloud Platform, but I am not able to properly install SSL. Only the certificate chain and private key boxes are showing, not a public key box. Why is this happening? Have I missed something, or is it a glitch on Google's side?
public key => But where to upload this??
certificate chain => available
private key => available
Which one of these is the certificate chain that Google is asking for?
And when checking, it shows grade B due to an incomplete chain.
As I suspected in the comment section, the issue was with a self-managed certificate (Trust Chain).
When creating a Certificate in GCP you can use Google-Managed and Self-Managed certificates.
In this setup OP used a GoDaddy certificate and validated it on ssllabs. One of the issues was
This server's certificate chain is incomplete. Grade capped to B.
More details can be found in this article - How Certificate Chains Work
A certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA's are trustworthy.
In the Using self-managed SSL certificates - Step 2: Create a self-managed SSL certificate resource guide you can find information that the certificate chain needs to be verified by the user:
Paste in your certificate or click Upload to navigate to your certificate file.
You can choose to include the CA certificate chain in the same file as the certificate. Google Cloud does not validate the certificate chain for you – validation is your responsibility.
There is also information about the trust chain when you are creating a Certificate in GCP via the UI, that your trust chain must be correct.
The certificate must be in PEM format and include correct certificate trust chain. The certificate chain must be no greater than 5 certs long.
Solution
Solution to this issue was to merge the certificate chain with OP's certificate.
Useful links
Creating a .pem File for SSL Certificate Installations, especially part Creating a .pem with the Private Key and Entire Trust Chain
How to combine various certificates into single .pem
You don't need to upload the Public Key to the LoadBalancer. Only the certificate and Private Key are needed.
The Public key portion is embedded into the Certificate
Just add the main security certificate at the top of the certificate chain (which mostly contains 3 to 4 certificates) and add this final certificate in the certificate field while creating a certificate. Then all things will be corrected. Thank you, enjoy.
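The "incomplete chain" fix in the answers above, and the "certificate chain" field in the Cloudflare question at the top of this page, both come down to one check: the file you upload must start with the server certificate, followed by each intermediate in issuing order, and the leaf must verify against the CA's root through those intermediates. The script below is an added example, not code from any of the answers; it assumes the openssl CLI is on PATH and builds its own throwaway root/intermediate/leaf PKI (constructed test data for www.example.com, standing in for the real GoDaddy or Cloudflare certificates) so that it runs offline.

```shell
#!/bin/sh
# Added example: assemble and check an ordered certificate chain with openssl.
# Assumes the openssl CLI. All certificates are generated here as constructed
# test data; none of the names below are the questioner's.
set -eu
work=$(mktemp -d); cd "$work"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Constructed PKI: root -> intermediate -> leaf (www.example.com).
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Split a PEM bundle into <prefix>1.pem, <prefix>2.pem, ... and print the count.
split_bundle() {   # $1 = bundle, $2 = output prefix
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                 n > 0 { print > (p n ".pem") }
                 END { print n + 0 }' "$1"
}

# True if every certificate in the bundle is issued by the one after it,
# i.e. the order is leaf first, then each intermediate, top to bottom.
chain_is_ordered() {   # $1 = bundle
  n=$(split_bundle "$1" ord)
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "ord$i.pem")
    subject=$(openssl x509 -noout -subject -in "ord$((i + 1)).pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# True if the first certificate chains through the bundled intermediates to the
# given root: the check a browser, SSL Labs or an ACM import effectively makes.
chain_verifies() {   # $1 = bundle, $2 = trusted root PEM
  n=$(split_bundle "$1" ver)
  : > untrusted.pem
  i=2
  while [ "$i" -le "$n" ]; do cat "ver$i.pem" >> untrusted.pem; i=$((i + 1)); done
  if [ "$n" -gt 1 ]; then
    openssl verify -CAfile "$2" -untrusted untrusted.pem ver1.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" ver1.pem >/dev/null 2>&1
  fi
}

cat leaf.pem > leaf-only.pem               # what gets uploaded when the chain is forgotten
cat leaf.pem int.pem > leaf-plus-chain.pem # the fix: server cert first, then intermediate(s)
cat int.pem leaf.pem > wrong-order.pem     # the other common mistake

for f in leaf-only.pem leaf-plus-chain.pem wrong-order.pem; do
  if chain_is_ordered "$f" && chain_verifies "$f" root.pem; then
    echo "$f: OK, chain complete and in order"
  else
    echo "$f: REJECT, incomplete or out of order"
  fi
done
```

Both checks are needed: the reversed bundle still passes `openssl verify` (its first certificate, the intermediate, does chain to the root), and only the issuer/subject walk catches that the server certificate is not on top.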

Retrieve PEM-encoded private key from API Gateway Client Certificate

I am following along with the following tutorial to add an SSL certificate to an API hosted with AWS API Gateway: aws-docs. I am able to successfully follow along with Generate a client certificate using the API Gateway console, resulting in the following certificate:
I am also able to Configure API to use SSL certificates by following along the prompt. The issue comes in the section that is Configure a backend HTTPS server to verify the client certificate. The instructions specify that "you must have obtained the PEM-encoded private key and a server-side certificate". Pressing "copy" retrieves the certificate, but I never got a private key when creating the certificate, and I don't see any option to retrieve the private key. How would I go about retrieving the PEM-encoded private key for a certificate created using API Gateway?
The goal of all this is to create an http request using python's requests library. Without the certificate, when posting the request I get an error which looks like:
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)'))
You can specify a certificate and private key with requests like the following according to geeksforgeeks:
result = requests.post(url, cert=('/path/client.cert', '/path/client.key'))
However, as stated above, there is no obvious way to get the PEM-encoded private key. Setting the flag verify=False for the request is not acceptable for this application due to security concerns. So either a way to get the PEM-encoded private key or create the python request in another way using just the .cert file obtained using the "copy" button would be acceptable solutions for this application.
I recently faced the same issue, when I had to create a Client Certificate, as I was following the official guide.
I also didn't receive any PEM key.
Therefore I resorted to using the AWS CLI:
aws apigateway get-client-certificate --client-certificate-id <<your_client_cert_id>>
docs
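What the backend does with the certificate that the CLI call above returns, as an added example that is not code from the original post. API Gateway never releases the private key: the backend only ever gets the certificate, and configures its TLS listener to require a client certificate that verifies against exactly that file. The script assumes the openssl CLI is on PATH and generates two throwaway self-signed certificates as constructed stand-ins for the API Gateway certificate and for an impostor with the same subject name; the aws command and the nginx directives are shown in comments and not run.

```shell
#!/bin/sh
# Added example: treat the exported API Gateway client certificate as the only
# trusted client cert on the backend. Assumes the openssl CLI. Both
# certificates below are constructed test data, not real API Gateway material.
set -eu
work=$(mktemp -d); cd "$work"

# How the real certificate is obtained (not executed here; needs AWS credentials).
# The response carries pemEncodedCertificate only; there is no private key field.
#   aws apigateway get-client-certificate --client-certificate-id <id> \
#       --query pemEncodedCertificate --output text > apigw-client.pem

# Stand-in for the certificate API Gateway presents, and for an unrelated one
# that copies its subject name but was signed with a different key.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout apigw.key \
  -out apigw-client.pem -subj "/CN=ApiGateway" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout other.key \
  -out other.pem -subj "/CN=ApiGateway" 2>/dev/null

# The backend's trust decision. The API Gateway certificate is self-signed, so
# using it as the CA file means "trust exactly this certificate": a peer that
# presents a look-alike fails because its signature does not verify under the
# trusted key.
backend_trusts() {   # $1 = trusted cert (from the CLI), $2 = cert the peer presented
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pin the SHA-256 fingerprint as well; this is the value to compare against the
# console's "copy" output when rotating the certificate.
fingerprint() {   # $1 = certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Equivalent nginx listener configuration on the backend (shown, not run):
#   ssl_client_certificate /etc/nginx/apigw-client.pem;
#   ssl_verify_client on;
#   ssl_verify_depth 1;

for peer in apigw-client.pem other.pem; do
  if backend_trusts apigw-client.pem "$peer" && \
     [ "$(fingerprint "$peer")" = "$(fingerprint apigw-client.pem)" ]; then
    echo "$peer: accepted"
  else
    echo "$peer: rejected"
  fi
done
```

The `requests` call in the question belongs on the other side of the connection: it is API Gateway, not your client code, that presents this certificate to the backend, which is why no key is ever handed out.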

Google CDN Instance : Creating SSL certificate "" failed. Error: The SSL certificate and key do not match

I generated an SSL certificate for my Google CDN instance, and for the past 12 months all has been working fine, until now: after renewing the certificate with certbot, when I tried to add the new certificate it fails on the CDN console.
Interestingly the certificate works fine on https://dev.owinomart.com
but google complains that "The SSL certificate and key do not match".
When adding on the Instance, I even re-created a solo certificate for https://cdn.owinomart.com.
Creating SSL certificate "certificate-september-25-2018" failed.
Error: The SSL certificate and key do not match.
The certificate was generated for
https://dev.owinomart.com and
https://cdn.owinomart.com
It worked fine for dev but failed on cdn (which is a Google CDN instance).
What could be the problem?
From your comment, it sounds like you are adding a certificate to an existing domain.
a) Please confirm that you are adding a certificate to https://cdn.owinomart.com and not deleting the old certificate resources.
From our findings, such a thing might happen when multiple keys exist, and so the Certificate Signing Request (CSR) is unable to find the correct key.
b) Please also make sure you have created a separate folder and generated a new private key along with the certificate.
I would like to point to "Creating SSL certificate resource" section of public documentation on Creating and Using SSL Certificates and would like to know which of the two scenarios you are following - that is, creating a new key with a new certificate or Creating CSR from existing certificate files?
Lastly, I am also sharing with you a link on 'How do I verify that a private key matches a certificate?' If it matches, you could manually copy the private key to the Google CDN instance.
If the modulus of the certificate and the modulus of the private key do not match, then you're not using the right private key. You can either create a brand new key and CSR and contact support, or do a search for all private keys on the system and compare their modulus.
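The modulus comparison in the last paragraph, and the "search for all private keys on the system" fallback, as an added example that is not part of the original answer. It compares the public key embedded in the certificate with the public key derived from each candidate private key, which also covers EC keys, where the RSA modulus trick does not apply. Assumes the openssl CLI is on PATH; the certificate and the two keys are constructed test data standing in for the renewed certbot certificate, its key, and an old key left over from an earlier renewal.

```shell
#!/bin/sh
# Added example: tell whether a private key belongs to a certificate, and find
# which key on disk does. Assumes the openssl CLI; every file is constructed here.
set -eu
work=$(mktemp -d); cd "$work"

# Constructed data: a certificate with its key (the freshly renewed pair) and a
# second, unrelated key (last year's, still lying around in the same directory).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout new.key \
  -out cert.pem -subj "/CN=cdn.example.com" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out old.key 2>/dev/null

# Public key as the certificate carries it versus as derived from the private
# key. Works for RSA and EC keys alike; comparing RSA moduli is the same test
# restricted to RSA.
key_matches_cert() {   # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# The RSA-only variant from the answer, for comparison.
modulus_matches() {    # $1 = private key, $2 = certificate
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# "Search for all private keys on the system": walk a directory and print the
# first key file that pairs with the certificate. Exit status 1 if none does.
find_key_for_cert() {  # $1 = certificate, $2 = directory to search
  found=$(find "$2" -type f \( -name '*.key' -o -name '*.pem' \) 2>/dev/null |
    while read -r k; do
      openssl pkey -in "$k" -noout 2>/dev/null || continue   # not a private key, skip
      if key_matches_cert "$k" "$1"; then echo "$k"; break; fi
    done)
  [ -n "$found" ] && echo "$found"
}

for k in new.key old.key; do
  if key_matches_cert "$k" cert.pem; then
    echo "$k: matches cert.pem"
  else
    echo "$k: does NOT match cert.pem (this is the 'do not match' error)"
  fi
done
echo "key for cert.pem: $(find_key_for_cert cert.pem .)"
```

Once `find_key_for_cert` names the right file, that is the key to paste next to the certificate in the console; if nothing matches, the key is gone and the only fix is a new key and CSR, as the answer says.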

Importing SSL Certificate (from Network Solutions) to AWS

Current Situation: I host all my files on an AWS EC2 instance, but recently I bought a domain name from Network Solutions and pointed that domain name to my EC2 instance. Also, I got an SSL certificate issued from Network Solutions for that specific domain name.
Question: How do I upload an SSL certificate to AWS? Now, I know that we can use AWS Certificate Manager or AWS Load Balancers to import an SSL certificate, but it asks me for a certificate private key, which I have no idea what it is. I am sure I did not get any private key from Network Solutions. All I have are the 4 .crt files and the certificate chain.
You will need to get the private key from Network Solutions if you want to use the one they provided. Or, like others are saying, you can provision one for free from ACM and let AWS manage it, though they do not give you the private key.
.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
You can use the CLI or the console to import Certificates in ACM
$ aws acm import-certificate --certificate file://Certificate.pem \
    --certificate-chain file://CertificateChain.pem \
    --private-key file://PrivateKey.pem
The following example shows how to import a certificate using the AWS Management Console.
Open the ACM console at https://console.aws.amazon.com/acm/home.
Choose Import a certificate.
Do the following:
a. For Certificate body, paste the PEM-encoded certificate to import.
b. For Certificate private key, paste the PEM-encoded, unencrypted private key that matches the certificate's public key.
c. (Optional) For Certificate chain, paste the PEM-encoded certificate chain.
Choose Review and import.
Review the information about your certificate, then choose Import.
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html
Routing SSL traffic to your Domain.
Create an ELB and Assign the Cert to a Listener
Set your Domain name to the ELB.
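Getting vendor-supplied files into the shape the import command above expects, as an added example that is not part of the original answer. As the answer notes, a .crt may be DER or PEM, and the console text says the private key must be PEM-encoded and unencrypted, so the script normalizes the certificate, strips a passphrase from the key if it has one, and prints the `aws acm import-certificate` call instead of running it (no AWS credentials are used). It uses `fileb://` because the CLI treats these parameters as binary blobs and AWS CLI v2 rejects `file://` input that is not base64. Assumes the openssl CLI is on PATH; the certificate, chain, key and the passphrase `hunter2` are constructed test data, not the questioner's files.

```shell
#!/bin/sh
# Added example: normalize a vendor-supplied certificate and key for
# `aws acm import-certificate`. Assumes the openssl CLI. Every input file and
# the passphrase are constructed test data.
set -eu
work=$(mktemp -d); cd "$work"

# Convert a .crt in either encoding to PEM. DER is binary and has no
# "BEGIN CERTIFICATE" header, which is the reliable way to tell the two apart.
to_pem() {             # $1 = input .crt (DER or PEM), $2 = output .pem
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    openssl x509 -inform PEM -in "$1" -out "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# ACM rejects passphrase-protected keys, in both the legacy form
# (Proc-Type: 4,ENCRYPTED) and the PKCS#8 form (BEGIN ENCRYPTED PRIVATE KEY).
key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }   # $1 = key file

# Strip the passphrase, writing an unencrypted PKCS#8 PEM key.
decrypt_key() {        # $1 = encrypted key, $2 = passphrase, $3 = output
  openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# Build the import command from leaf, ordered intermediates and key. Printed,
# not executed: run the printed line yourself with your own credentials.
acm_import_command() { # $1 = leaf PEM, $2 = chain PEM (leaf's issuers, in order), $3 = key PEM
  key_is_unencrypted "$3" || { echo "refusing: $3 is passphrase-protected" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$1" || { echo "refusing: $1 is not PEM" >&2; return 1; }
  echo "aws acm import-certificate --certificate fileb://$1" \
       "--certificate-chain fileb://$2 --private-key fileb://$3"
}

# Constructed input: a self-signed "vendor" certificate delivered once as PEM
# and once as DER, its key encrypted with a passphrase, and a chain stand-in.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout plain.key \
  -out site.pem -subj "/CN=www.example.com" 2>/dev/null
cp site.pem site.pem.crt
openssl x509 -in site.pem -outform DER -out site.der.crt
openssl pkey -in plain.key -aes256 -passout pass:hunter2 -out site.enc.key
cp site.pem chain.pem   # stands in for the intermediate bundle

to_pem site.der.crt from_der.pem
to_pem site.pem.crt from_pem.pem
cmp -s from_der.pem from_pem.pem && echo "both .crt encodings normalize to the same PEM"

if ! key_is_unencrypted site.enc.key; then
  decrypt_key site.enc.key hunter2 site.key
fi
acm_import_command from_der.pem chain.pem site.key
```

The chain file passed as `--certificate-chain` is the vendor's intermediates only, leaf first issuer, then its issuer; the leaf itself goes in `--certificate`, not in the chain.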