Is it possible to apply a SSL Certificate without CSR
In the past, I used to generate a CSR file on my server. This CSR was sent to the registrar. Then, the registrar gave me a certificate.
Today, my registrar gave me a certificate (.cer file) and I did not send a CSR file to him.
This indicates that the registrar (CA) signed your public key again. A CSR is literally a public key that the CA signs to create a certificate. You can open the existing and new certificates and compare their public keys. If they match, you can replace the existing certificate with the new certificate.
If the public key is the same in both certificates, then:
- open Certificates MMC focused on Local Machine context (`certlm.msc`)
- import received `.cer` file without private key
- run `certutil -repairstore my <SerialNumber>` command, where `<SerialNumber>` is the serial number of new certificate.
Example:
certutil -repairstore my "0102030405060708090a0b0c0d0e0f"
where 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f is serial number in hex octets.
Certutil will associate existing private key with new certificate. Verify that key is successfully associated with new certificate:
certutil -store my "0102030405060708090a0b0c0d0e0f"
As a result you will get two public certificates that share the same key pair. Then you can use IIS Manager to assign the new certificate to web sites.
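The steps in the answer above, as an added PowerShell example that is not part of the original answer: it compares the public keys first and only then imports the `.cer` and runs `certutil -repairstore`. The parameter names `$NewCerPath` and `$OldThumbprint` are assumptions chosen for this sketch, and it must be run from an elevated prompt.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# $NewCerPath and $OldThumbprint are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $NewCerPath,     # the .cer file received from the CA
    [Parameter(Mandatory)] [string] $OldThumbprint   # certificate already installed with its private key
)
$ErrorActionPreference = 'Stop'

$old = Get-Item -Path "Cert:\LocalMachine\My\$OldThumbprint"
$newPath = (Resolve-Path -Path $NewCerPath).Path
$new = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($newPath)

if (-not $old.HasPrivateKey) {
    throw "Installed certificate $OldThumbprint has no private key on this machine."
}

# Same key pair means: same algorithm, same parameters (e.g. EC curve), same key bits.
$sameKey = ($old.GetKeyAlgorithm() -eq $new.GetKeyAlgorithm()) -and
           ($old.GetKeyAlgorithmParametersString() -eq $new.GetKeyAlgorithmParametersString()) -and
           ($old.GetPublicKeyString() -eq $new.GetPublicKeyString())

if (-not $sameKey) {
    throw "Public keys differ: the new certificate was not issued for the key held on this server."
}

# Import the public certificate only, then let certutil bind the existing private key to it.
Import-Certificate -FilePath $newPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null
certutil -repairstore my $new.SerialNumber
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Re-read from the store: the new entry should now report a private key.
$installed = Get-Item -Path "Cert:\LocalMachine\My\$($new.Thumbprint)"
if (-not $installed.HasPrivateKey) {
    throw "Certificate imported but no private key is associated with it."
}
"OK: {0} (serial {1}) now uses the existing key pair." -f $installed.Subject, $new.SerialNumber
```

If the key comparison fails, the certificate was issued for a key pair this server does not hold, and `-repairstore` has nothing to associate it with.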
Bob5421
Updated on September 18, 2022
Comments
-
Bob5421 over 1 year
My question is: Is this CSR file really needed? Or is there a way to set up an SSL certificate without having generated a CSR beforehand? I was thinking the CSR contains the public key.
For information, this is for setting up HTTPS on IIS.
Thanks
-
wurtel about 5 years
The CSR is the way of obtaining a certificate without having to provide the issuer with the private key. If you didn't first send a CSR, then the issuer will also have to give you the private key.
-
Patrick Mevzek about 5 years
Is this a new certificate or a renewal of an existing one? Also some CAs or resellers can generate the private key in your web browser, it will never go out of it, and hence create a CSR under the hood without you having to create it specifically, you will just need to input the data that is normally inside, like hostnames for DV-certificates, etc.
-
Bob5421 about 5 years
Thanks, what should I do if the CA gives me a CSR, private key and CRT file?
-
Crypt32 about 5 years
CA will never give you private key, because it is private and is held by a client only.
-
Bob5421 about 5 years
In fact CA is generating for me a csr and a private key. This is not the private key of the CA
-
Crypt32 about 5 years
"In fact CA is generating for me a csr and a private key."
-- If they did, I would recommend changing CA. It is not their responsibility to create keys on your behalf. Keys are generated only by the client and only the client has knowledge of the private key.