It's time to renew my GoDaddy-generated SSL certificate and I'm having a little trouble with the official instructions (here: https://docs.webfaction.com/user-guide/websites.html#renew-a-certificate).

I am trying to use an automatically-renewed SSL cert generated by GoDaddy. I can very easily go to my site's "Edit Certificate" page but the fields that are there and the fields in GoDaddy's certificate don't really match. The WebFaction dashboard is asking for at least a certificate and a public key but the certificate .zip file GoDaddy generated for me only contains -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- pairs (no -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- pair) and when I use the cert from GoDaddy in the WebFaction dashboard it says the cert doesn't match the private key.

GoDaddy provided me with two files in that .zip: a hexadecimal .crt file and a gd_bundle-g2-g1.crt file. The former contains only one cert and the latter contains three certs.

How do I continue here? Do I need to generate a new CSR and give it to GoDaddy? Is their automatically-renewed cert useless for WebFaction?

asked 30 Oct '16, 20:45
Warlax
The certificate should work, but the key and certificate must match. The private key is not provided by GoDaddy - it is created when you generate the CSR used to obtain the certificate. If the new certificate doesn't match the existing private key for the site, that means a different CSR was used to obtain the certificate and thus there is a different private key. If you can't locate this file, you'll have to generate a new CSR and key, and then have GoDaddy re-issue your certificate.

If you'd like for us to try the installation for you, please open a support ticket.

answered 30 Oct '16, 21:05
maryh

Ah, I see. So, because they generated a new cert without knowing my private key (the key I had originally used to generate the CSR for the original cert they generated for me), there's no way this new cert would be useful for me on WebFaction?
(30 Oct '16, 21:37)
Warlax
The certificate authority is not in possession of your private key, only the CSR. The key is created when the CSR is generated. If you don't have the key that matches the CSR they used, you won't be able to install that certificate. There is no way to make the certificate work without a matching private key. The solution is to generate a new CSR and key, and have the certificate re-issued using the new CSR.
(30 Oct '16, 21:45)
maryh
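The key/certificate match discussed in the answers above can be checked locally before uploading anything. This is an added example, not part of the original thread or WebFaction's documentation: it compares the public key inside a certificate or CSR with the one derived from a private key, and generates a fresh key and CSR when no stored key matches. The function names, file names and subject are placeholders, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (hypothetical helper names; file names are placeholders).

# pubkey_hash TYPE FILE -> SHA-256 of the PEM public key found in FILE.
# TYPE is cert, csr or key. Returns 1 if the file cannot be parsed.
pubkey_hash() {
    case "$1" in
        cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$_pem" ] || return 1
    printf '%s\n' "$_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair TYPE_A FILE_A TYPE_B FILE_B
# Exit 0: same key pair. Exit 1: different key pair. Exit 2: unreadable input.
same_keypair() {
    _a=$(pubkey_hash "$1" "$2") || return 2
    _b=$(pubkey_hash "$3" "$4") || return 2
    [ "$_a" = "$_b" ]
}

# new_key_and_csr KEY_OUT CSR_OUT SUBJECT
# Creates a new 2048-bit RSA key (owner-readable only) and a CSR for it.
# The CSR is what goes to the CA for re-issue; the key never leaves the host.
new_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1" -out "$2" -subj "$3" )
}

# Usage sketch (placeholder file names):
#   same_keypair cert site.crt key site.key && echo "safe to install"
#   same_keypair cert site.crt key site.key || \
#       new_key_and_csr new.key new.csr "/CN=www.example.com"
```

Run the check against the single-certificate file from the .zip, not the bundle, since the bundle holds the CA's intermediate certificates rather than the site's own.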