Certificate problem

Manuel,

 

I've seen your solution below, but am unable to get it to work here. Are you able to screenshot/paste what you have for comparison please?

 

Thanks,

Mark

Hi Mark,

I have removed all of the other responses as your asking about an Email appliance and not a UTM.

The important question is.. did you fill out the CSR on the appliance.. or did you fill out your request on the provider's site? 

Hi Red_Warrior, The CSR was completed through NameCheap who the SSL was purchased through. The SSL purchased is a 3 year wildcard, which we’ve successfully installed into Exchange 2016 and the Kerio firewall onsite. Thanks, Mark

In that case you will need to assemble the entire certificate yourself.

if the csr is initiated through the applaince it will (cheat) and allow you to simply edit the bundle and upload that to the appliance.

 

You will need to make sure you have all of the parts in .pem format.

In regards to the certificate chain there is no "right" way all the time.. you will need to manually chain it.

to do this download notepad++

open each certificate in your bundle in a separate tab.

goto a site like.  sslshopper.

https://www.sslshopper.com/certificate-decoder.html

do NOT paste in your private key and do not use the CSR checker.

simply decode the "public" keys in your bundle..  each entry of your key will have an issuesr and it will identify the "next" certifcate in the chain.

 

IE: (yours will be different)

Common Name: es1000.example.com

Organization: Sophos PLC

Locality: Vancouver

State: British Columbia

Country: CA

Valid From: January 17, 2017

Valid To: January 15, 2027

Issuer: es1000.example.com, Sophos PLC

match the common names / issues to the lower issuer. 

 

This will allow you to establish the entire certificate chain and identify the correct order.

this is required because unlike a web certificate the browser will NOT "fill in the blanks" with certificates it has in its certificate store.   Every part of your certificate must be included and in the proper order.

 

TBH: I recommend a 5$ cheap single common name cert generated from the appliance (I hate the idea of presenting my wildcard cert to every spammer on the internet)

if you do this, simply fill out the csr from the appliance.. get it stamped .. you will get it back.. uplaod it it and you're done.

 

Important:

Your format MUST be exactly like this.. (granted the order could be incorrect, the CSR response goes first and the private key second)

do not leave any trailing spaces, or line feeds..

 

Although we can't support anything other than the self signed certificate on the appliance, here are my notes for a KB I was in the process of doing.

PART #3 About the Formats and Converting the certificates (thanks to sslshopper)

About the Formats:

PEM Format

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extentions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.
DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page.
PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extention of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.
PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statments) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

 

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Process:

this process will convert your DER to PEM and upload the file to your FTP site.
there are other ways to get the files on or off the system but thats just the easy way.

Login as root
enter Password

# cd /tmp
# openssl x509 -inform der -in certificate.cer -out certificate.pem
# ftp
ftp> open your.ftp.com
ftp> enter your username
ftp> enter your password
ftp> put certificate.pem
ftp> bye

PART #4 - Assembling the certificate

open notepad and select a new document. From there you must cut / paste ALL of the parts of the certificate EXACTLY as
discribed below. Do not add spaces, dont make the - - - look pretty. cut/paste each part in the correct order or the certificate
will fail to import.

Deffinations:
- - - - - BEGIN RSA PRIVATE KEY - - - - -

this is your private key, you should NEVER give it to anyone or let ANYONE see any part of it .. EVER!!
Thats why you are reading this document because you dont want to just give it to some idiot that claims they will convert it.

WHY? becasue anyone with your private key can packet capture and decrypt ANY piece of information it was used to encrypt with
- - - - - END RSA PRIVATE KEY - - - - -

- - - - - BEGIN CERTIFICATE - - - - -

this is the common public key that your provider got, chances are if you got a go daddy cert this is the whole reason
you are having to convert it, because they wont give you certificates in clear text formats. So be it!
- - - - - END CERTIFICATE - - - - -

after these 2 parts the next parts are the intermediate CA's in order to complete the certificate correctly you must
include ALL of the CA's .. In most cases they will provide you with 3 CA's Each one is sepereated with the same
- - - - - BEGIN CERTIFICATE - - - - - -
- - - - - END CERTIFICATE - - - - -

once the certificate chain is complete.. save it to your desktop and scroll down to Part 5

SAMPLE CERTIFICATE

-----BEGIN RSA PRIVATE KEY-----
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
MIID1jCCAr4CCQDNL+Mr0mfZT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
Y2EtdHMtZXM0MDAwLTAxLnJlZ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
b3Bob3MxCzAJBgNVBAYTAkNBM
-----END CERTIFICATE-----

PART #5 - Installing the certificate

Log Into the appliance UI
under Configuration / System / Certificates
Add Certificate
check off Upload Exisitng certificate and private key
Next
check off import certificate file
add a description in the provided box
click browse
select your file on the desktop
Next

You should then see the process indicator get to 100% click done
you will now see your key listed in the list of valid keys
click on the underlined link on the name of the certificate and visually check and make sure everything looks right

Last step, verifying the keys.

click on the name of your cert.
where it says download certificate, click download
save the file to your desktop
open the file and make sure you see, the public key, CA, CA, CA
once that is confirmed you are good to go, you can send that key to any company
you wish to do business with and they will be able to validate your traffic and trust
your certificate

I too am trying to add my goDaddy UK certificate to SEA.

Incidentally, I have installed into the Sophos XG successfully using the same files. This is a more simple step asking you to select the .pem (I just used my cert and not add CA etc) and .key (which I used one generated from csr) and then enter the passphrase. 

On SEA
I have already added the goDaddy CA into System, Certificates, Trusted Certificate Authorities which confirmed successful.

I have my SSL cert in the form of a .crt file from goDaddy, I have the goDaddy Intermediate Certificate in .crt file (used to add into Trusted CA) - I opened notepad, dropped bundle.crt into it and saved as .pem

So, I have assembled a file(saved as .pem) as follows in the order shown

1) Copied text from RSA Private key (from when I generated csr on SEA)
2) Copied text from my .crt file
3) Copied text from goDaddy bundle .crt

I was a little confused (but have tried both ways). You said copy text but do not add spaces or remove the Begin end etc. Then you show an example where the begin and end are on a separate line. As I say, I tried all text continuous and no spaces and as per your example. Both ways say 'Invalid/Corrupt Certificate.

Run out of ideas now.


Thanks in advance

So, I eventually resolved the problem!

This is the resolution. Obviously, the names of your input files will be different to mine.

1) Use openssl to convert mycert.ssl to mycert.pem (openssl x509 -in mycert.crt -out c:\temp\mycert.crt.pem -outform PEM)

2) Use openssl to convert myprivatekey.key to myprivatekey.pem (openssl rsa -in myprivatekey.key -out myprivatekey.key.pem -outform PEM

3) Combined the two files using Notepad. The contents of myprivatekey.key.pem then added mycert.crt.pem and saved file as combined.pem

4) Then I added combined.pem and it added successfully