
I am running a small company and unfortunately my IT support just quit. I am running a site on GAE. My SSL expired and I ordered a new one, receiving the following files:

  • 3 .cer files in an SHA-1 folder
  • 3 .der files in an SHA-2 folder
  • a csr.txt file
  • a privatekey.txt file

I need to upload to Google App Engine which is asking for:

  • a PEM encoded X509 certificate
  • an unencrypted PEM encoded RSA private key

I am working on Mac OS. I tried using openssl and seem to have generated a private.pem file from the privatekey.txt source, but when I run an openSSL command on the csr.txt file I get:

$ openssl x509 -in csr.txt -out public.pem
unable to load certificate
23137:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.8.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

The csr.txt file starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- with nothing other than the key in between.

fixer1234
  • 28,064
Adam
  • 11

1 Answer


This command is not going to work: openssl x509 -in csr.txt -out public.pem. You need to generate a Signing Request or CSR.

To create a new signing request, perform the following:

openssl req -new -key privatekey.txt -keyform PEM -out example-com.req.pem

For more detailed instructions, see How to easily create a SSL certificate and configure it in Apache2 in Mac OS X? Focus on the CSR, and don't worry too much about things like Apache.

You can inspect the signing request with:

openssl req -in example-com.req.pem -text -noout

There are no naming requirements. I happen to use site.type.encoding. Here are some examples:

  • example-com.req.pem - signing request for example.com in PEM format
  • example-com.req.der - signing request for example.com in DER format
  • example-com.cert.pem - certificate for example.com in PEM format
  • example-com.cert.der - certificate for example.com in DER format

This could be a point of contention, but... DO NOT create a new key. Rather, use the existing key as long as it has not been compromised.

Key continuity is a more desirable security property than key rotation. Key continuity also works well with RFC 7469, Host Public Key Pinning for HTTP. If you generate a new key, you effectively break a good pinset used by HPKP and other pinning schemes.

Depending on your security posture, you may consider the existing key potentially compromised because the old IT admin left. If that's the case, then generate a new key pair.


Also, you can get free Class 1 server certificates from StartCom and CAcert. I know the StartCom certs are trusted by most (all?) desktop and mobile browsers.

jww
  • 12,722
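A small shell helper for the conversions the question is about, as an added example that is not part of the original question or answer: it tells PEM from DER, reads the armor label so a mislabelled file (a csr.txt that actually holds a certificate) is caught before openssl complains, writes the certificate and the unencrypted RSA key in the PEM forms GAE asks for, and checks that the key and certificate share a modulus before anything is uploaded. It assumes the openssl CLI is on PATH; file names are placeholders, not the asker's files.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the files GAE asks for
# and sanity-check them. Assumes the openssl CLI is on PATH; file names are
# placeholders, not the files the asker received.

# Print PEM if the file carries an armor line, otherwise DER.
detect_format() {
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Print the PEM label of the first armored block, e.g. CERTIFICATE,
# CERTIFICATE REQUEST or RSA PRIVATE KEY. Tolerates CRLF line endings.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$1" | head -n 1
}

# Write the certificate in $1 to $2 as PEM, whatever its input encoding.
cert_to_pem() {
  openssl x509 -inform "$(detect_format "$1")" -in "$1" -out "$2"
}

# Write the RSA key in $1 to $2 as an unencrypted PEM key. OpenSSL 3 emits
# PKCS#8 by default; -traditional asks for the PKCS#1 "RSA PRIVATE KEY"
# header, and the fallback keeps OpenSSL 1.x (no such flag) working.
key_to_unencrypted_pem() {
  f=$(detect_format "$1")
  openssl rsa -inform "$f" -in "$1" -out "$2" -traditional 2>/dev/null ||
    openssl rsa -inform "$f" -in "$1" -out "$2" 2>/dev/null
}

# Return 0 when the certificate ($1) and key ($2) share the same RSA modulus,
# i.e. the key really is the one the CA certified; 1 otherwise.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Run `pem_label` on each received file first: the label, not the file extension, says whether it is a certificate, a request or a key.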