Linux Generate Private Key And Certificate

Posted on by

How can I find the private key for my SSL certificate. If you just got an issued SSL certificate and are having a hard time finding the corresponding private key, this article can help you to find that one and only key for your certificate. Generating a Secure Shell (SSH) Public/Private Key Pair; Generating a Secure Shell (SSH) Public/Private Key Pair. Several tools exist to generate SSH public/private key pairs. The following sections show how to generate an SSH key pair on UNIX, UNIX-like and Windows platforms. (such as the ssh utility on Linux), export the private key. Sep 11, 2018  As a security precaution, always generate a new CSR and private key when you are renewing a certificate. Clinging to the same private key is a road paved with security vulnerabilities. Also, it is recommended to renew an SSL certificate before the expiration date. Dec 03, 2011 You can use the following single step command if this is what you need and you should be good to go requesting the certificate from the Certificate Authority (or your SSL vendor) or jump to the self-generated certificate step further below otherwise. Generate a private key without passphrase + CSR.

Introduction

This document describes the procedure to generate certificates which have to be uploaded with every fresh installation of AMP Virtual Private Cloud (VPC). With the introduction of AMP Private Cloud 3.X, hostnames and certificate/key pairs are required for all of the following services:

  • Administration Portal
  • Authentication (new in Private Cloud 3.X)
  • FireAMP Console
  • Disposition Server
  • Disposition Server - Extended Protocol
  • Disposition Update Service
  • Firepower Management Center

Here, we will discuss a quick way to generate and upload the required certificates. You may tweak each of the parameters, including the hashing algorithm, key size, and others, as per your organization's policy, and your mechanism of generating these certificates might not match with what is detailed here.

Prerequisites

Free

Components Used

Cisco recommends that you have knowledge of these topics:

  • Windows Server 2008 onwards
  • AMP Private Cloud installation
  • Public Key Infrastructure

Requirements

The information in this document is based on these software and hardware versions:

  • Windows Server 2008
  • CentOS 7
  • AMP Virtual Private Cloud 3.0.2

Warning: The procedure mentioned below can vary as per your CA server configuration. It is expected that the CA server of your choice is already provisioned and the configuration of the same has been completed. The following technote just describes an example of generating the certificates and Cisco TAC will not be involved in troubleshooting issues related to certificate generation and/or CA server issues of any kind.

Generate Certificates on Window Server

Ensure that the following roles are installed and configured on your Windows Server.

  • Active Directory Certificate Services
  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service
  • Active Directory Domain Services
  • DNS Servers
  • Web Server (IIS)

Generate a Certificate Signing Request (CSR)

Step 1. Navigate to MMC console, and add the Certificates snap-in for your computer account as shown in the image here.

Step 2. Drill down Certificates (Local Computer) > Personal > Certificates.

Step 3. Right click on the empty space and select All Tasks > Advanced Operations > Create Custom Request

Step 4. Click Next at the Enrollment window.

Step 5. Select your certificate enrollment policy and click Next.

Step 6. Choose the template as Web Server and click Next.

Step 7. If your 'Web Server' template has been configured correctly and is available for enrollment, you will see the status as 'Available' here. Click 'Details' to expand click on Properties.

Step 8. At a minimum, add the CN and DNS attributes. The rest of the attributes can be added as per your security requirements.

Step 9. Optionally, give a Friendly Name under the General tab.

Step 10. Click on the PrivateKey tab and ensure that you're enabling Make private key exportable under the Key Options section.

Step 11. Finally, click on OK. This should lead you to the Certificate Enrollment dialog from where you can click on Next.

Step 12. Browse to a location to save the .req file which will be submitted to the CA server for signing.

Submitting the CSR to the CA and generating the certificate

Step 1. Navigate to your MS AD Certificate Services Web Page as below and click 'Request a Certificate'

Step 2. Click on the advanced certificate request link.

Step 3. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 4. Open the contents of the previously saved .req file (CSR) via Notepad. Copy the contents and paste it here. Ensure that the Certificate Template is selected as Web Server

Step 5. Finally, click on Submit.

Step 6. At this point, you should be able to Download the certificate as shown in the image here.

Generate Public Private Key Pair

Exporting the Private Key and converting to PEM format

Step 1. Install the certificate into your Certificate Store by opening the .cer file and clicking on Install Certificate.

Step 2. Navigate to the MMC snap-in that was selected earlier.

Step 3. Navigate to the store where the certificate was installed.

Step 4. Right click the correct certificate, select All Tasks > Export.

Step 5. At the Certificate Export Wizard, confirm to export the private key as shown in the image.

Step 6. Enter a password and click Next to save the private key on your disk.

Step 7. This will save the private key in .PFX format, however, this needs to be converted to .PEM format to use this with AMP VPC.

Step 8. Install OpenSSL libraries from here:https://wiki.openssl.org/index.php/Binaries

Step 9. Open a command prompt window and change to the directory where you installed OpenSSL.

Step 10. Run the following command to extract the private key and save it to a new file: (If your PFX file is not in the same path as where the OpenSSL library is stored, you will have to specify the exact path along with the filename)

Step 11. Now run the following command to also extract the public cert and save it to a new file:

Generate Certificate on Linux Server

Ensure that the Linux server that you're trying to generate the required certificates has the OpenSSL libraries installed. Verifying if this and the procedure listed below will vary from the Linux distribution that you're running. This portion has been documented, as done on a CentOS 7 server.

Generate Self Signed RootCA

Step 1. Generate the Private Key for Root CA certificate

Step 2. Generate the CA certificate

Generate a certificate for each service

Create the certificate for Authentication, Console, Disposition, Disposition-Extended, Update server, Firepower Management Center(FMC) service as per the DNS name entry. You need to repeat below certificate generate process for each service (Authentication, Console etc.)

Generate Private key

Replace the <example.key> with actual certificate key such as Auth-Cert.key.

Generate CSR

Replace the <example.csr> with actual certificate CSR such as Auth-Cert.csr

Generate Certificate

Replace <example.csr>, <example.crt> with actual certificate CSR and certificate name

Adding The Certificates to AMP VPC

Private Key Definition

Step 1. Once the certificates are generated from any of the above methods, upload the corresponding certificate for each of the services. If they have been generated correctly, all the check marks are enabled as seen in the image here.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Linux Generate Private Key And Certificate Online

There is currently no specific troubleshooting information available for this configuration.

VMware Workstation 8 Universal Keygen, Serials for Win & Linux. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. VMware Workstation is recognized for its broad operating system support, rich user experience. Vmware workstation 8 license key generator online.

Several tools exist to generate SSH public/private key pairs. The following sections show how to generate an SSH key pair on UNIX, UNIX-like and Windows platforms.

Generating an SSH Key Pair on UNIX and UNIX-Like Platforms Using the ssh-keygen Utility

UNIX and UNIX-like platforms (including Solaris and Linux) include the ssh-keygen utility to generate SSH key pairs.

To generate an SSH key pair on UNIX and UNIX-like platforms using the ssh-keygen utility:
  1. Navigate to your home directory:
  2. Run the ssh-keygen utility, providing as filename your choice of file name for the private key:

    The ssh-keygen utility prompts you for a passphrase for the private key.

  3. Enter a passphrase for the private key, or press Enter to create a private key without a passphrase:

    Note:

    While a passphrase is not required, you should specify one as a security measure to protect the private key from unauthorized use. When you specify a passphrase, a user must enter the passphrase every time the private key is used.

    The ssh-keygen utility prompts you to enter the passphrase again.

  4. Enter the passphrase again, or press Enter again to continue creating a private key without a passphrase:
  5. The ssh-keygen utility displays a message indicating that the private key has been saved as filename and the public key has been saved as filename.pub. It also displays information about the key fingerprint and randomart image.

Generating an SSH Key Pair on Windows Using the PuTTYgen Program

The PuTTYgen program is part of PuTTY, an open source networking client for the Windows platform.

Linux Generate Private Key And Certificate Online

To generate an SSH key pair on Windows using the PuTTYgen program:

Public Private Key Encryption

  1. Download and install PuTTY or PuTTYgen.

    To download PuTTY or PuTTYgen, go to http://www.putty.org/ and click the You can download PuTTY here link.

  2. Run the PuTTYgen program.
  3. Set the Type of key to generate option to SSH-2 RSA.
  4. In the Number of bits in a generated key box, enter 2048.
  5. Click Generate to generate a public/private key pair.

    As the key is being generated, move the mouse around the blank area as directed.

  6. (Optional) Enter a passphrase for the private key in the Key passphrase box and reenter it in the Confirm passphrase box.

    Note:

    While a passphrase is not required, you should specify one as a security measure to protect the private key from unauthorized use. When you specify a passphrase, a user must enter the passphrase every time the private key is used.

  7. Click Save private key to save the private key to a file. To adhere to file-naming conventions, you should give the private key file an extension of .ppk (PuTTY private key).

    Note:

    The .ppk file extension indicates that the private key is in PuTTY's proprietary format. You must use a key of this format when using PuTTY as your SSH client. It cannot be used with other SSH client tools. Refer to the PuTTY documentation to convert a private key in this format to a different format.
  8. Select all of the characters in the Public key for pasting into OpenSSH authorized_keys file box.

    Make sure you select all the characters, not just the ones you can see in the narrow window. If a scroll bar is next to the characters, you aren't seeing all the characters.

  9. Right-click somewhere in the selected text and select Copy from the menu.
  10. Open a text editor and paste the characters, just as you copied them. Start at the first character in the text editor, and do not insert any line breaks.
  11. Save the text file in the same folder where you saved the private key, using the .pub extension to indicate that the file contains a public key.
  12. If you or others are going to use an SSH client that requires the OpenSSH format for private keys (such as the ssh utility on Linux), export the private key:
    1. On the Conversions menu, choose Export OpenSSH key.
    2. Save the private key in OpenSSH format in the same folder where you saved the private key in .ppk format, using an extension such as .openssh to indicate the file's content.