I need to obtain a CSR to complete an order for SSL with godaddy.com. I have Windows 2012 running in an Amazon AWS instance. Server is Express.js.
Domain is pointed to that instance IP, and all works fine.
I suppose I have to create that key from console or something similar. Issue here is I have never done that, and I do not have place for mistakes at all.
How would I go about it?
Since you are on Windows, I would download and install Shining Light's Win32 OpenSSL. It's a prebuilt OpenSSL for the Windows platform.
Then, I would issue the following command. It creates a new key, and it generates the signing request in one fell swoop:
Notice there is a configuration file: example-com.conf. The configuration file allows you to do things like set the Common Name and set the Subject Alternate Names. You can find that configuration file at Certificate with Extended Key Usage only works in Firefox.
After generating the CSR, submit example-com.req.pem for signing.
Note: you may not get everything you put in your CSR. It's up to the CA to verify the information, adjust your request, and then issue the certificate. For example, if you mark CA:true, then your CSR will probably be modified or declined because the CA does not want you minting certificates.
If your AWS instance is a Windows image, then you will need to create a PFX and import it into the appropriate trust store. Here's how you create the PFX.
What you have:
What you don't need:
You need ca-intermediate-cert.pem because the server must send it with the server's certificate. Sending all required intermediate certificates avoids the "which directory" problem. It's a well-known problem in PKI, and it means a client does not know where to look for a missing intermediate certificate (should they go to Verisign, or should they go to Digicert, etc). However, you don't send ca-root-cert.pem because the client must already have it and trust it.
First, concatenate the certificates:
Second, create the PFX given the chain and the key:
Third, install it in a trust store. See, for example, Import a Server Certificate (IIS 7) at MSDN.
Amazon probably has similar instructions somewhere.
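The procedure in the answer above (key and CSR from a config file, then chain and PFX) written out as one OpenSSL sequence; this is an added example, not the answerer's original commands. The function names, the key, certificate, chain and PFX file names, and the SAN values are assumptions, and the script is written for a POSIX shell (for example Git Bash on Windows).

```shell
#!/bin/sh
# Added example. Names other than example-com.conf, example-com.req.pem and
# ca-intermediate-cert.pem are assumptions; the SAN values are constructed.

# Request config: subject, SANs and server-only usage. No CA:true.
write_conf() {
cat > example-com.conf <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = example.com
[ ext ]
subjectAltName   = DNS:example.com, DNS:www.example.com
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# New RSA key and CSR in one step. -nodes writes the key unencrypted,
# so lock down its permissions and never send it to the CA.
make_csr() {
    openssl req -config example-com.conf -new -newkey rsa:2048 -nodes \
        -keyout example-com.key.pem -out example-com.req.pem &&
    chmod 600 example-com.key.pem
}

# Verify the CSR self-signature and print it for review before submitting.
check_csr() {
    openssl req -in example-com.req.pem -noout -verify -text
}

# After the CA returns example-com.cert.pem: server certificate first, then
# the intermediate; the root is left out. $1 is an OpenSSL password source
# such as env:PFX_PASS, which keeps the password off the command line.
make_pfx() {
    cat example-com.cert.pem ca-intermediate-cert.pem > example-com.chain.pem &&
    openssl pkcs12 -export -in example-com.chain.pem \
        -inkey example-com.key.pem -out example-com.p12 -passout "$1"
}

# Typical order: write_conf; make_csr; check_csr; (CA signs); make_pfx env:PFX_PASS
```

Only example-com.req.pem goes to the CA; example-com.key.pem and the resulting example-com.p12 both contain the private key and should stay on the server with restricted access.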