
Certificate problem

Hello,
I'm trying to upload my certificate.

If I upload the certificate in PFX format, I receive the error "Invalid key/cert pair".
If I upload the certificate in PEM format, I receive the error "Invalid chain cert".
If I try to paste the certificate text (KEY + CERT + INTERMEDIATE + ROOT), the error is "Invalid chain cert".

My certificate is a Comodo EssentialSSL Wildcard Certificate.
I have these files for my certificate:

  • Key - mykey.key
  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your EssentialSSL Wildcard Certificate - mycertificate.crt

If I upload only key + certificate (without intermediate and root), the upload is OK, but if I test my email server for correct certificate installation, the certificate chain is not OK.
http://www.checktls.com/perl/TestReceiver.pl

Can you help me?
Thanks
Manuel



  • Manuel,

     

    I've seen your solution below, but am unable to get it to work here. Are you able to screenshot/paste what you have for comparison please?

     

    Thanks,

    Mark

  • Hi Mark,

    I have removed all of the other responses as you're asking about an Email appliance and not a UTM.

    The important question is: did you fill out the CSR on the appliance, or did you fill out your request on the provider's site?

  • Hi Red_Warrior, The CSR was completed through NameCheap who the SSL was purchased through. The SSL purchased is a 3 year wildcard, which we’ve successfully installed into Exchange 2016 and the Kerio firewall onsite. Thanks, Mark
  • In that case you will need to assemble the entire certificate yourself.

    If the CSR is initiated through the appliance, it will (cheat) and allow you to simply edit the bundle and upload that to the appliance.

     

    You will need to make sure you have all of the parts in .pem format.

    In regards to the certificate chain there is no "right" way all the time; you will need to manually chain it.

    To do this, download Notepad++.

    Open each certificate in your bundle in a separate tab.

    Go to a site like SSL Shopper:

    https://www.sslshopper.com/certificate-decoder.html

    Do NOT paste in your private key and do not use the CSR checker.

    Simply decode the "public" keys in your bundle. Each entry of your key will have an issuer and it will identify the "next" certificate in the chain.

     

    e.g. (yours will be different):

    Common Name: es1000.example.com
    Organization: Sophos PLC
    Locality: Vancouver
    State: British Columbia
    Country: CA
    Valid From: January 17, 2017
    Valid To: January 15, 2027
    Issuer: es1000.example.com, Sophos PLC

    Match the common names / issuers to the lower issuer.

     

    This will allow you to establish the entire certificate chain and identify the correct order.

    This is required because, unlike a web certificate, the browser will NOT "fill in the blanks" with certificates it has in its certificate store. Every part of your certificate must be included and in the proper order.

     

    TBH: I recommend a cheap $5 single common name cert generated from the appliance (I hate the idea of presenting my wildcard cert to every spammer on the internet).

    If you do this, simply fill out the CSR from the appliance, get it stamped, you will get it back, upload it and you're done.

     

    Important:

    Your format MUST be exactly like this (granted the order could be incorrect; the CSR response goes first and the private key second).

    Do not leave any trailing spaces or line feeds.

     

    Although we can't support anything other than the self signed certificate on the appliance, here are my notes for a KB I was in the process of doing.

  • PART #3 - About the Formats and Converting the certificates (thanks to sslshopper)

    About the Formats:

    PEM Format

    The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

    Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

    DER Format

    The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page.

    PKCS#7/P7B Format

    The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

    PKCS#12/PFX Format

    The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

    When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

     

    Convert DER to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

    Convert P7B to PEM

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

    Convert PFX to PEM

    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes


    Process:

    This process will convert your DER to PEM and upload the file to your FTP site.
    There are other ways to get the files on or off the system, but that's just the easy way.

    Login as root
    enter Password

    # cd /tmp
    # openssl x509 -inform der -in certificate.cer -out certificate.pem
    # ftp
    ftp> open your.ftp.com
    ftp> enter your username
    ftp> enter your password
    ftp> put certificate.pem
    ftp> bye


    PART #4 - Assembling the certificate

    Open Notepad and select a new document. From there you must cut/paste ALL of the parts of the certificate EXACTLY as
    described below. Do not add spaces, don't make the - - - look pretty. Cut/paste each part in the correct order or the certificate
    will fail to import.

    Definitions:
    - - - - - BEGIN RSA PRIVATE KEY - - - - -

    This is your private key; you should NEVER give it to anyone or let ANYONE see any part of it .. EVER!!
    That's why you are reading this document: because you don't want to just give it to some idiot who claims they will convert it.

    WHY? Because anyone with your private key can packet capture and decrypt ANY piece of information it was used to encrypt with.
    - - - - - END RSA PRIVATE KEY - - - - -

    - - - - - BEGIN CERTIFICATE - - - - -

    This is the common public key that your provider got; chances are if you got a GoDaddy cert this is the whole reason
    you are having to convert it, because they won't give you certificates in clear text formats. So be it!
    - - - - - END CERTIFICATE - - - - -

    After these 2 parts, the next parts are the intermediate CAs. In order to complete the certificate correctly you must
    include ALL of the CAs. In most cases they will provide you with 3 CAs. Each one is separated with the same
    - - - - - BEGIN CERTIFICATE - - - - -
    - - - - - END CERTIFICATE - - - - -

    Once the certificate chain is complete, save it to your desktop and scroll down to Part 5.


    SAMPLE CERTIFICATE


    -----BEGIN RSA PRIVATE KEY-----
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
    MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCB
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
    MIID1jCCAr4CCQDNL+Mr0mfZT
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
    Y2EtdHMtZXM0MDAwLTAxLnJlZ
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
    b3Bob3MxCzAJBgNVBAYTAkNBM
    -----END CERTIFICATE-----

    PART #5 - Installing the certificate

    Log into the appliance UI
    under Configuration / System / Certificates
    Add Certificate
    check off Upload Existing certificate and private key
    Next
    check off import certificate file
    add a description in the provided box
    click browse
    select your file on the desktop
    Next

    You should then see the process indicator get to 100%; click done.
    You will now see your key listed in the list of valid keys.
    Click on the underlined link on the name of the certificate and visually check and make sure everything looks right.

    Last step, verifying the keys.

    Click on the name of your cert.
    Where it says download certificate, click download.
    Save the file to your desktop.
    Open the file and make sure you see the public key, CA, CA, CA.
    Once that is confirmed you are good to go; you can send that key to any company
    you wish to do business with and they will be able to validate your traffic and trust
    your certificate.
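    Added example, not part of Red_Warrior's post and not Sophos tooling: a pure-Python script that does the Issuer-to-Subject matching from the SSL Shopper step mechanically and then writes the bundle in the Part #4 order (private key, end-entity certificate, intermediates, root) with no trailing spaces or line feeds, which is exactly the manual ordering the post asks you to do by eye. It also tells a DER .cer from a PEM one the way Part #3 describes (no BEGIN/END marker). The certificates it runs on are constructed stand-ins: they use the real X.509 field layout but a placeholder key and signature, and only the CA names from the question's file list are real. The helper names (`order_chain`, `assemble_bundle`, `fake_cert`) are mine. It checks name matching only, not signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def load_blocks(data: bytes):
    """[(label, der_bytes)] from PEM text; a file with no BEGIN marker is one DER cert."""
    if b"-----BEGIN" not in data:
        return [("CERTIFICATE", data)]
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_RE.finditer(data.decode("ascii"))]


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _elements(buf: bytes, start: int, end: int):
    """(tag, header_start, value_end) of each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        out.append((tag, pos, ve))
        pos = ve
    return out


def issuer_and_subject(der: bytes):
    """Raw DER Issuer and Subject Names. TBSCertificate = { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, ... }: indices 2 and 4."""
    _, cert_start, _ = _tlv(der, 0)                  # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)    # tbsCertificate SEQUENCE
    fields = _elements(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                         # explicit [0] version present: skip it
        fields = fields[1:]
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]


def order_chain(certs):
    """certs in any order -> [leaf, intermediates..., root]; ValueError on a gap."""
    info = {c: issuer_and_subject(c) for c in certs}
    by_subject = {sub: c for c, (_, sub) in info.items()}
    issuer_names = {iss for iss, sub in info.values() if iss != sub}
    leaves = [c for c, (iss, sub) in info.items() if sub not in issuer_names and iss != sub]
    if not leaves and len(info) == 1:                # a lone self-signed certificate
        return list(info)
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    chain = [leaves[0]]
    while True:
        iss, sub = info[chain[-1]]
        if iss == sub:                               # reached the self-signed root
            return chain
        nxt = by_subject.get(iss)
        if nxt is None or nxt in chain:
            raise ValueError("chain has a gap: no certificate whose Subject matches this Issuer")
        chain.append(nxt)


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def assemble_bundle(key_pem: str, certs) -> str:
    """Upload file in the post's order (key, leaf, intermediates, root); every line
    right-stripped, exactly one trailing newline."""
    parts = [key_pem.strip()] + [to_pem("CERTIFICATE", c) for c in order_chain(certs)]
    return "\n".join(l.rstrip() for l in "\n".join(parts).splitlines()) + "\n"


# --- Constructed stand-ins (assumption): real X.509 field layout, dummy key and signature ---
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:                         # Name holding a single CN (OID 2.5.4.3)
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))


_SHA256_RSA = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")


def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _SHA256_RSA, _name(issuer_cn),
        _der(0x30, _der(0x17, b"170117000000Z") + _der(0x17, b"270115000000Z")),
        _name(subject_cn), _der(0x30, b"")]))        # empty SubjectPublicKeyInfo placeholder
    return _der(0x30, tbs + _SHA256_RSA + _der(0x03, b"\x00"))


# CA names are those from the question's file list; the certificates themselves are synthetic.
ROOT = fake_cert("AddTrust External CA Root", "AddTrust External CA Root")
CA = fake_cert("COMODO RSA Certification Authority", "AddTrust External CA Root")
DV = fake_cert("COMODO RSA Domain Validation Secure Server CA", "COMODO RSA Certification Authority")
LEAF = fake_cert("*.example.com", "COMODO RSA Domain Validation Secure Server CA")
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\ncGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    print(assemble_bundle(FAKE_KEY, [ROOT, DV, LEAF, CA]))   # shuffled input, ordered output
```

    Run as-is, the shuffled input comes out as key, leaf, intermediate, intermediate, root. Feeding it only the leaf and the root, as in the question's "key + certificate" upload, raises the gap error, which is the same condition the appliance reports as "Invalid chain cert". To use it on real files, replace the constructed certificates with the DER bytes returned by `load_blocks(open(path, "rb").read())` and the placeholder with your real key, and still run `openssl verify` on the result, since this script compares names only and never checks a signature.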

  • I too am trying to add my goDaddy UK certificate to SEA.

    Incidentally, I have installed it into the Sophos XG successfully using the same files. This is a simpler step, asking you to select the .pem (I just used my cert and did not add the CA etc.) and .key (I used the one generated from the CSR) and then enter the passphrase.

    On SEA
    I have already added the goDaddy CA into System, Certificates, Trusted Certificate Authorities which confirmed successful.


    I have my SSL cert in the form of a .crt file from goDaddy, and I have the goDaddy Intermediate Certificate as a .crt file (used to add into Trusted CA). I opened Notepad, dropped bundle.crt into it and saved it as .pem.

    So, I have assembled a file (saved as .pem) as follows, in the order shown:

    1) Copied text from RSA Private key (from when I generated csr on SEA)
    2) Copied text from my .crt file
    3) Copied text from goDaddy bundle .crt

    I was a little confused (but have tried both ways). You said copy the text but do not add spaces or remove the Begin/End etc. Then you show an example where the begin and end are on a separate line. As I say, I tried all text continuous with no spaces, and as per your example. Both ways say 'Invalid/Corrupt Certificate'.

    Run out of ideas now.


    Thanks in advance

  • So, I eventually resolved the problem!

    This is the resolution. Obviously, the names of your input files will be different to mine.

    1) Use openssl to convert mycert.crt to mycert.pem (openssl x509 -in mycert.crt -out c:\temp\mycert.crt.pem -outform PEM)

    2) Use openssl to convert myprivatekey.key to myprivatekey.pem (openssl rsa -in myprivatekey.key -out myprivatekey.key.pem -outform PEM)

    3) Combined the two files using Notepad: the contents of myprivatekey.key.pem, then added mycert.crt.pem, and saved the file as combined.pem

    4) Then I added combined.pem and it added successfully