UCC SSL Certificate

Submitted by mike8 on Sat, 12/15/2012 - 22:48

I have a UCC SSL Certificate for 5 domains. So far I have only used 3 domains. I have added another domain, and had the Certificate Signer add the new domain, no problems there. But I also have to add it to my Private Key, but so far I have not been able to do that. It keeps telling me the Certificate, and the Private.key do not match.

How do I find out what my Private.key has in it, so I can add the new domain to it, so they match

Regards Michael

Status: 
Closed (fixed)

Comments

Submitted by andreychek on Sat, 12/15/2012 - 23:22

In the domain you're installing that SSL cert into, there should be a file named "ssl.key". Can you run this command against that ssl.key file, and attach the output to this request:

openssl rsa -noout -modulus -in ssl.key

Secondly, the new SSL certificate they sent you. Can you save that as a file onto your server somewhere, and run this command against that file:

openssl x509 -in SSL_CERT_FILENAME -text -noout

And then attach that output to this request. That should give some insight into what's going on there.

Submitted by mike8 on Sat, 12/15/2012 - 23:49

here is the first one Modulus=F44CDA144CC9833686E88FA584A37D403A6CFC84E4C35AFAA8B4F75823184E639172D45DF5B0943991BF81B543C999771C3277E51B0AA0756B452A929FCE85FF219000548730DF15103EBD3BA541D1C536377053636526F5EBFB5E49B6AFB860C98B1E47CD01FC42EDA454EB4FDFFCECCF1D68F8C4527D2B058115AA77E5D3529EBBF3DB5A1CA52A69283FFFFD222A6238E59E94D36FDFEE064392D63D8A329F028472E3EDA111CB437751197EA42B97DC9D73C4373E24CD4EA988F2C1DAA8BF147754FA725F3491768024C4DD7A3BF58AEEE47F24584675F3E0A90A0647514036A73513B2170CF415F3D1ACF1C77A69C462D92813B8CA03F83BA895127F2C83

here is the 2nd one -----BEGIN CERTIFICATE----- MIIF0DCCBLigAwIBAgIHSzjuluXE5jANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5 IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky ODcwHhcNMTIwMzA0MDAxMTI2WhcNMTMwMzA0MDAxMTI2WjBdMRswGQYDVQQKExJ3 d3cuYXNyc2VydmljZS5jb20xITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlk YXRlZDEbMBkGA1UEAxMSd3d3LmFzcnNlcnZpY2UuY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEA9EzaFEzJgzaG6I+lhKN9QDps/ITkw1r6qLT3WCMY TmORctRd9bCUOZG/gbVDyZl3HDJ35RsKoHVrRSqSn86F/yGQAFSHMN8VED69O6VB 0cU2N3BTY2Um9ev7Xkm2r7hgyYseR80B/ELtpFTrT9/87M8daPjEUn0rBYEVqnfl 01Keu/PbWhylKmkoP//9IipiOOWelNNv3+4GQ5LWPYoynwKEcuPtoRHLQ3dRGX6k K5fcnXPENz4kzU6piPLB2qi/FHdU+nJfNJF2gCTE3Xo79Yru5H8kWEZ18+CpCgZH UUA2pzUTshcM9BXz0azxx3ppxGLZKBO4ygP4O6iVEn8sgwIDAQABo4ICJTCCAiEw DwYDVR0TAQH/BAUwAwEBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw DgYDVR0PAQH/BAQDAgWgMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZ29k YWRkeS5jb20vZ2RzMS02NS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1tAQcXATA5 MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3Jl cG9zaXRvcnkvMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0dHA6Ly9v Y3NwLmdvZGFkZHkuY29tLzBKBggrBgEFBQcwAoY+aHR0cDovL2NlcnRpZmljYXRl cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkX2ludGVybWVkaWF0ZS5jcnQwHwYD VR0jBBgwFoAU/axhMpNsRdbi7oVfmrrndplozOcwgZEGA1UdEQSBiTCBhoISd3d3 LmFzcnNlcnZpY2UuY29tgg5hc3JzZXJ2aWNlLmNvbYITd3d3LmFzci1zeXN0ZW1z LmNvbYIXd3d3LnBhdHRpZXNwcmV0dGllcy5jb22CHnd3dy5nb2NoZW5vdXJmYW1p bHloaXN0b3J5LmNvbYISd3d3LnJ1c3R5LWdvbGQubmV0MB0GA1UdDgQWBBQNbqFI I001PV4z8n+w59IPhxcXDDANBgkqhkiG9w0BAQUFAAOCAQEAr/ZfGVqeoEAOk/3c mYtacDuQK2tfRBaOZfDAQJWdEPhJ9KQk37OZxzvedHET9AMh8hbdVU0jlbzJieHP FuyQXtDIEYJ9NKnMzJLe9sqranyA7i6VXiSGsVWqhU4O8Zi9bi4Lx4MJizorEBoQ WWuxxotxfXK3ds5prNLGVRwDtL6ZjCBxoEjyiudMGEG5o8Mni3SQ9FhmOpuhkhzJ 1BL+jnS/44VhhV9pNdCsXYLoZCbSzQb0rirTQJB44dKChspHJ8ouQ30Jbf/v9QT9 xx4U16XzVGm6wn9kXY91yfcyf5/Qcq7YxAVkVW5EJA+jP1N+JToUU0I7Tjj7gsrE Icv+Cg== -----END CERTIFICATE-----

This Certificate should have 4 domains in it. www.asrservice.com www.gochenourfamilyhistory.com www.pattiespretties.com www.pdfmanualshop.com <----This is the one they just added.

Michael

Submitted by andreychek on Sun, 12/16/2012 - 00:10

That first one looks good... but the second one looks like the SSL cert itself, rather than the output of the command... could you try running this command against that file:

openssl x509 -in SSL_CERT_FILENAME -text -noout

And in place of "SSL_CERT_FILENAME", use the SSL cert filename. Thanks!

Submitted by mike8 on Sun, 12/16/2012 - 00:49

OK here you go again

OK it was the wrong one.

Submitted by mike8 on Sun, 12/16/2012 - 00:50

This was a copy of the wrong one.

Submitted by mike8 on Sun, 12/16/2012 - 00:36

OK this is the right one.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4b:73:52:89:41:36:ca
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Validity
            Not Before: Dec  1 00:35:26 2012 GMT
            Not After : Mar  4 00:11:26 2013 GMT
        Subject: O=www.asrservice.com, OU=Domain Control Validated, CN=www.asrservice.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:aa:9a:47:09:bb:cd:32:2a:4f:3d:32:a6:f2:ff:
                    13:1b:47:5f:2e:44:b4:98:9f:14:7d:e8:59:83:92:
                    49:37:7d:d8:3e:d7:27:e0:55:52:ef:e4:04:df:40:
                    05:71:9b:9b:ef:40:bc:17:31:37:d2:a4:47:c9:f4:
                    b2:80:43:bd:fe:9b:d4:11:8d:5c:1e:fe:b2:ac:79:
                    bd:71:eb:15:ce:cd:1f:c8:11:ae:bc:6b:b9:cf:c3:
                    6d:28:1c:e2:1d:72:39:a8:cb:8c:05:5e:7d:d3:18:
                    e9:08:04:14:e1:db:f4:c7:5b:8c:84:6e:21:06:3e:
                    04:b2:9c:23:73:90:6d:cc:83:e5:2b:ce:21:03:49:
                    7a:7a:1f:86:70:9a:39:50:7c:c9:e5:cb:d7:eb:08:
                    80:98:eb:bf:ca:e7:3f:7c:0c:c2:7b:50:da:09:95:
                    6b:f5:00:17:53:b1:5a:90:a1:a1:30:ec:7d:91:ad:
                    01:3e:fe:93:23:65:ce:2a:3c:87:41:8e:64:2e:f0:
                    60:af:40:57:68:4b:fc:56:36:de:22:12:5b:57:3d:
                    ed:1b:a5:e3:4e:6c:b1:89:15:ca:10:46:ab:6d:38:
                    47:d5:58:66:12:82:58:58:e2:a2:71:09:50:b7:ad:
                    ac:33:c3:e7:4e:ef:70:0c:2b:1c:1d:8b:9a:fb:95:
                    db:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds1-80.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

            X509v3 Subject Alternative Name:
                DNS:www.asrservice.com, DNS:asrservice.com, DNS:www.pattiespretties.com, DNS:www.gochenourfamilyhistory.com, DNS:www.pdfmanualshop.com
            X509v3 Subject Key Identifier:
                28:42:DD:E1:E5:B3:06:04:17:3F:01:34:BD:07:C7:B3:A4:C4:B9:83
    Signature Algorithm: sha1WithRSAEncryption
        88:a4:ad:4f:47:eb:a4:c6:db:bc:ed:fe:cb:c9:14:8f:47:2c:
        95:c7:4f:08:e9:ae:5e:16:4e:72:5f:94:f8:2f:ad:39:48:5e:
        ca:f0:0a:d2:ce:e4:48:72:95:2b:2f:47:59:47:1d:00:a4:d5:
        a5:b6:6d:2b:4f:c0:2a:ad:fd:bc:5c:e9:0d:aa:82:36:df:bd:
        81:be:b4:6f:94:5e:d2:e8:82:c9:be:9b:21:91:60:80:f1:c0:
        2e:63:de:a1:4b:29:ed:2a:d8:2e:c3:16:50:73:09:fa:49:6f:
        1c:04:55:8b:2b:03:09:be:b6:a8:a2:e6:5d:d6:6b:34:67:1e:
        35:ab:fd:30:d3:88:00:87:dc:82:e6:3e:58:a2:dc:52:63:40:
        fd:b0:a6:85:12:be:60:69:b9:16:21:ff:8a:66:61:5c:30:73:
        b4:2c:59:89:1d:d8:64:c6:98:00:97:6b:1c:91:8c:8f:3f:8f:
        6c:7d:95:f7:96:28:6f:da:4f:ee:f9:c6:49:c4:7f:ed:41:12:
        4f:63:e5:07:10:02:2c:22:88:4c:77:18:f0:d9:13:b1:11:ea:
        19:7d:ef:39:41:d9:3c:cc:39:1f:6a:0f:46:f9:5d:f7:8d:68:
        df:de:09:1c:56:8c:32:73:c5:6a:3a:53:9a:27:72:28:31:c4:
        76:79:72:f4

Submitted by andreychek on Sun, 12/16/2012 - 09:52

Yeah, those do look like the correct domains in the most recent certificate you posted.

The problem I'm seeing, is that the "modulus" is different in the SSL certificate and the private key.

In order for the two to be considered a pair, the modulus needs to match.

The private key you're using for this domain -- where did that come from? Was that a private key being used by one of the other domains on your UCC certificate?

You can see the modulus for your SSL cert below... you may want to see if any of the other private keys for domains listed on that SSL cert have a matching one. You can see the modulus of a private key by running this command:

openssl rsa -noout -modulus -in ssl.key

And the modulus of your SSL cert is as follows:

                Modulus (2048 bit):
                    00:aa:9a:47:09:bb:cd:32:2a:4f:3d:32:a6:f2:ff:
                    13:1b:47:5f:2e:44:b4:98:9f:14:7d:e8:59:83:92:
                    49:37:7d:d8:3e:d7:27:e0:55:52:ef:e4:04:df:40:
                    05:71:9b:9b:ef:40:bc:17:31:37:d2:a4:47:c9:f4:
                    b2:80:43:bd:fe:9b:d4:11:8d:5c:1e:fe:b2:ac:79:
                    bd:71:eb:15:ce:cd:1f:c8:11:ae:bc:6b:b9:cf:c3:
                    6d:28:1c:e2:1d:72:39:a8:cb:8c:05:5e:7d:d3:18:
                    e9:08:04:14:e1:db:f4:c7:5b:8c:84:6e:21:06:3e:
                    04:b2:9c:23:73:90:6d:cc:83:e5:2b:ce:21:03:49:
                    7a:7a:1f:86:70:9a:39:50:7c:c9:e5:cb:d7:eb:08:
                    80:98:eb:bf:ca:e7:3f:7c:0c:c2:7b:50:da:09:95:
                    6b:f5:00:17:53:b1:5a:90:a1:a1:30:ec:7d:91:ad:
                    01:3e:fe:93:23:65:ce:2a:3c:87:41:8e:64:2e:f0:
                    60:af:40:57:68:4b:fc:56:36:de:22:12:5b:57:3d:
                    ed:1b:a5:e3:4e:6c:b1:89:15:ca:10:46:ab:6d:38:
                    47:d5:58:66:12:82:58:58:e2:a2:71:09:50:b7:ad:
                    ac:33:c3:e7:4e:ef:70:0c:2b:1c:1d:8b:9a:fb:95:
                    db:9b

Submitted by mike8 on Sun, 12/16/2012 - 11:01

The private key was the one I used in the Primary domain (asrservice.com) when I run the command you gave me I get this,

[root@host ~]# openssl rsa -noout -modulus -in ssl.key
Modulus=F44CDA144CC9833686E88FA584A37D403A6CFC84E4C35AFAA8B4F75823184E639172D45DF5B0943991BF81B543C999771C3277E51B0AA0756B452A929FCE85FF219000548730DF15103EBD3BA541D1C536377053636526F5EBFB5E49B6AFB860C98B1E47CD01FC42EDA454EB4FDFFCECCF1D68F8C4527D2B058115AA77E5D3529EBBF3DB5A1CA52A69283FFFFD222A6238E59E94D36FDFEE064392D63D8A329F028472E3EDA111CB437751197EA42B97DC9D73C4373E24CD4EA988F2C1DAA8BF147754FA725F3491768024C4DD7A3BF58AEEE47F24584675F3E0A90A0647514036A73513B2170CF415F3D1ACF1C77A69C462D92813B8CA03F83BA895127F2C83

It doesn't look anything like the Certificate Modulus that you posted above.

Submitted by andreychek on Sun, 12/16/2012 - 12:36

You can ignore the : characters, and the line breaks in the modulus.

You can use this command to show just the modulus for an SSL cert, this will keep the format looking the same:

openssl x509 -noout -modulus -in SSL_CERT_FILENAME

Submitted by mike8 on Sun, 12/16/2012 - 15:01

Well I found the original Private.key, If I use it with the old Certificate, it installs. If I use it on the new Certificate with the new Domain it fails, with Private.key, and Certificate do not match.

Is the Private.key suppose to have the Domain Names in it too?

Submitted by andreychek on Sun, 12/16/2012 - 16:21

Reading the GoDaddy documentation on adding a new domain to a UCC certificate, it doesn't sound like you should need a new private key whenever they add a new domain.

That is, the modulus on the new SSL cert should be the same as the old one.

However, since that's not the case -- you may need to generate a new key to use with that new SSL certificate.

I believe GoDaddy calls that "re-keying" -- and that's something you can do for free.

It essentially means, your SSL key is lost or not functioning.

I would suggest logging into their website, find your SSL cert, and have them re-key it. They'll have screens there explaining how to go about that.

Submitted by mike8 on Sun, 12/16/2012 - 17:13

OK I can't believe I spent 2 weeks trying to figure this out. I spent an hour on the phone with GoDaddy support on this, It took about 2 minutes to get this solved just by re-keying the certificate and, uploading a new csr file. Then downloading a new Certificate. They walked me through re-keying the certificate last time and never said I had to upload a new csr file. Anyway it is now working, so you can mark this fixed.

Thank you for your help on this, it was just too easy to fix.

Best Regards Michael

Submitted by andreychek on Sun, 12/16/2012 - 19:27

Great, I'm glad it's working now!

Submitted by Issues on Sun, 12/30/2012 - 20:58

Automatically closed -- issue fixed for 2 weeks with no activity.