Can I generate a CSR for a remote server, and what server should I use (thin, mongrel)?
Solution 1
Common names do not contain port numbers or colons such as :3000. They should not be an IP address. They also do not contain protocol identifiers such as https://.
If memory serves me correctly, numbers on their own are not valid as a domain name (although they can be for subdomains) and there is no top-level domain that is just a number. Your common name of XX.XXX.XXX:3000 where X are numbers is not an IP address or a domain name.
The common name should be nothing but the fully qualified domain name that the certificate is to be used for.
You can use *.example.com for the common name if you are requesting a wildcard certificate.
If your app is running on port 3000, you should request your certificate normally, without the port number, and then tell the clients to use port 3000. If the client is a web browser, this is done in the URL: https://www.example.com:3000/
The choice of "Web Platform" is optional and allows Thawte to give you the files in the format required by that software. For instance, nginx requires that the certificate and any chain certificates are in the same file, in the right order. Apache can have them in separate files and import them both with SSLCertificateFile and SSLCertificateChainFile. If your website is running on a well-known HTTP server that's in the list, choose that software. If you wrote it yourself or it's custom software written for you and it isn't in the list, consult the manufacturers of the software.
Solution 2
"Common name was in format: XX.XXX.XXX:3000, where X is number"
Firstly, the host name or IP address in the certificate mustn't include the port.
Secondly, assuming XX.XXX.XXX is an IP address, IP addresses must be in a Subject Alternative Name entry of IP address type (not DNS type, and not in the Subject DN's CN). See RFC 2818:
"In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI."
Some clients are more relaxed about this, but that's no reason to get a non-compliant certificate.
I'm not sure Thawte will issue you a certificate for an IP address anyway, since it's quite difficult for them to check who the IP address belongs to.
(I'm a bit surprised that they even bother looking at the CN, since all they really need is to grab the public key from the CA, and issue a cert with only whatever they've independently validated, anyway.)
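One way to produce a CSR that satisfies both answers (a bare FQDN in the CN with no port or scheme, and the server's IP address in a subjectAltName of IP type), as an added example that is not part of either answer; the hostname, the address, the working directory and the 2048-bit key size are assumptions, and the final function checks the CSR before it is uploaded to a CA:

```shell
# Added example (not from the original question or answers): build a CSR whose
# CN is a bare FQDN (no port, no scheme) and whose IP address lives in a
# subjectAltName of type IP, as RFC 2818 requires. Hostname and address are
# placeholder assumptions; replace them with your own.
set -eu
HOST="www.example.com"          # assumed FQDN, no ":3000"
ADDR="203.0.113.10"             # assumed documentation-range IP (RFC 5737)
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an openssl config so the CSR carries the SAN extension.
write_csr_config() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $HOST
[ ext ]
subjectAltName = DNS:$HOST, IP:$ADDR
EOF
}

# Generate a 2048-bit RSA key (the question used 1024, which CAs no longer
# accept) without a passphrase, then the CSR that references the config.
make_csr() {
  write_csr_config
  openssl genrsa -out "$WORKDIR/domainname.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/domainname.key" \
    -config "$WORKDIR/csr.cnf" -out "$WORKDIR/domainname.csr"
}

# Print only the subject and SAN lines so they can be eyeballed before upload.
inspect_csr() {
  openssl req -in "$WORKDIR/domainname.csr" -noout -subject -text \
    | grep -E 'subject=|DNS:|IP Address:'
}

# Return 0 only if the CN is the bare host, the IP is in the SAN, and no
# ":3000" leaked into the CSR anywhere.
csr_is_sane() {
  out=$(inspect_csr)
  echo "$out" | grep -q "CN *= *$HOST\$" || return 1
  echo "$out" | grep -q 'IP Address:' || return 1
  ! echo "$out" | grep -q ':3000'
}

make_csr
csr_is_sane && echo "CSR looks valid"
```

The CN check is what Thawte's form was rejecting; the SAN check is what a compliant client will actually match against when the URL uses the IP address.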
deny7ko, updated on September 18, 2022
Comments
- deny7ko (over 1 year): I am moving my app into production and need help in generating a CSR. I created a private key and followed these steps:
  - Created private key
  - Entered passphrase for it (openssl genrsa -des3 -out domainname.key 1024)
  - Created CSR (openssl req -new -key domainname.key -out domainname.csr)
  - In the CSR, I entered all the info. Common name was in format: XX.XXX.XXX:3000, where X is number.
  Finally, I generated the CSR, but at this stage my application is on a remote server with IP address http://XX.XXX.XXX.XXX:3000/ and on thawte.com, when generating the trial SSL, it shows me the error: The Common Name in the CSR is invalid.
  Has anyone had a similar task and can advise me what I have done wrong?
  Second question: What server can you recommend to me and accordingly what Web Platform (when generating SSL) should I choose in the list?
- Bruno (almost 12 years): Voting to move to ServerFault.
- Bruno (almost 12 years): You could also improve your question by stating which steps you've used in "I created private key and followed all next steps finally generated CSR [...]".
- deny7ko (almost 12 years): Ok, I will post there and edit the question.
- deny7ko (almost 12 years): Thanks, so is this XX.228.126.168:3000 an FQDN or not? Should I try to write it with a dot at the end, or something else?
- deny7ko (almost 12 years): Should I move my app to some host with a domain name?
- deny7ko (almost 12 years): Thanks, can I use the IP address of my remote cloud server? Should I put my application onto a real host?
- Ladadadada (almost 12 years): The "common name" must be a domain name. It can't be an IP address. It is possible to host SSL certificates in the cloud, a "real host" is not required, but a domain name is required.
- deny7ko (almost 12 years): Can I set up a domain name for the remote server, and how do I do it?
- Ladadadada (almost 12 years): To answer your questions in order: "Yes" and "That depends on your registrar, DNS provider, server software and server management tools." You should do them in order: buy a domain, point it at your server's IP address, buy the certificate for that domain, configure your web server to serve that domain with the SSL certificate.
- Ladadadada (almost 12 years): Just for testing, running your own DNS server or editing your /etc/hosts file is adequate. For hosting there is a free tier of Amazon EC2 and probably other cloud providers. VPSs can be had for approximately 1 latte per month. Or you could just host it on your own machine or a VM in your own machine. It's only once you want other people to use it that it gets difficult and/or expensive.
- deny7ko (over 11 years): Bruno, I tried to enter the alternative name as my IP, but it said that I need to enter a Common name (domain name). What should I enter there?
- Bruno (over 11 years): You might as well enter your IP address in the CN too. It's the CN that's used in most GUI interfaces to manage your certificates, so it will help. It should also help for non-compliant clients.
- deny7ko (over 11 years): I can't get an SSL certificate only because of the Common name. In the creation form, the error is: Your Common Name may not be an Internet-accessible IP Address! So I should get a domain name somewhere.
- Bruno (over 11 years): That sounds like a limitation in the tool you're using to create the certificate more than an actual certificate format limitation (in principle, some host names might not be Internet-accessible either). To be honest, I was just answering this question like this because your problem was about IP addresses, but you should use a host name if you can. There is a general problem with using IP addresses, as mentioned in the "Out of scope" section of RFC 6125.
- deny7ko (over 11 years): Do you know a site with free domain names that I can use easily and fast?
- Bruno (over 11 years): I'm not sure of any registrar that can provide you a domain name for free (especially if you want it to be yours ultimately and not theirs), but there are some fairly cheap ones (it's worth checking that they don't have hidden fees).