
Where to find the private key for SSL certificate


reydelleon


Hi there,

 

I'm trying to follow the instructions to install a TLS certificate in my ISY994iZW and I'm finding it quite hard.

 

After generating the CSR and getting the certificate, I got three files from the CA: mydomain.ca-bundle, mydomain.crt and mydomain.p7b. Since it seems that the only format the Dashboard accepts is PFX, or at least that is the only one mentioned in the documentation, I tried to convert the .p7b file to PFX. OpenSSL is asking for the private key to do the conversion. The problem is, the ISY never provided me with a private key when I generated the CSR, unless it is using the CSR as one.

 

So, the question then is: Where can I find that key? 

 

Thanks for your time.

Link to comment

I did try it. What is happening is that the certificates seem to be imported (they show up in the intermediate certificates window), but after I close the window and restart (manually, because the Dashboard only offered in a couple of tries), the certificate is not there anymore.

 

Is there a way to put the certificate directly on the SD card?

Link to comment

Hi reydelleon,

 

I think you are not following the correct procedure. Import Cert is used IF AND ONLY IF you already have a certificate and private key from an authority. On the other hand, the procedure you followed is through CSR generation and they sent you certificates only (no private keys). In this case, you MUST use "Recv. Cert" button and NOT Import button.

 

No, you cannot copy certs onto the SD Card.

 

With kind regards,

Michel

Link to comment

To clarify Michel's response, if you "already have a certificate", you would have (typically) created a CSR from some command-line or GUI app using Windows, MacOS, Linux, etc. It would have generated a private key, and saved it in a file. It would have been up to you to retain and safeguard the file with the private key. The private key is not recoverable. If you've lost it, you'll need to get another certificate.

 

If that's how you created your CSR, the private key is wherever you put it.

 

If that's what you did, you MIGHT find it in a hidden directory called .ssh on whatever computer you generated it on. Maybe under your home directory.

 

If you generated the CSR on your ISY (Dashboard Settings/Network/Server Certificate) ISY created a private key for you, and stored it in the ISY. And then you would use "receive certificate". You don't need to have the private key, but I guess it would be included in your ISY backup.

 

You are asked for a "keystore password", which isn't well explained. I GUESS you supply a password to protect the file that holds the private key.

 

(I've never set up my ISY with a server certificate. I've done the command-line bit for various unrelated certificate needs.)

Link to comment

Hi there,

 

Thanks for your answers. 

 

As it stands, I have followed the procedure exactly as it is laid out in the PDF here. Though it is dated, all the documentation that I have found is about the same, so I assumed that not much has changed. To be more precise, I did the following:

 

1. Generated the CSR in the Dashboard (making sure I completed all the fields)

2. Used the CSR to get a Positive SSL (Comodo) certificate from Namecheap (haven't even closed the window with the generated CSR yet)

3. Got three files: .crt | .ca-bundle | .p7b from the CA

4. Closed the CSR window and pressed Received certificate button.

5. Pasted the contents of the .crt file in there and saved. At this point I can see the certificate is there.

6. I get asked if I want to import intermediate certs. Here I have tried to import the other two files or just declining to import any intermediates (in many different tries and combinations). No results.

7. I close the Server Certificate window. At this point, on a couple of occasions the Dashboard offered to restart (which I believe is expected behavior). Most attempts, I've had to restart myself.

8. After the restart I try to access the ISY and the original certificate from UDI is used.

9. I open the Server certificate window again and then Intermediate Certs and the cert that was listed there after 5.

 

Am I missing something that is not obvious? I have done that at least 10 times, literally, without ever getting it to work.

 

Thanks again for your time.

Link to comment

Solved it,

 

I went ahead and created the CSR out of the ISY Dashboard. Got the certificate issued and, after converting it to PFX with OpenSSL (and using the private key generated with the CSR), went to the ISY and used the Import Certificate button, and this time it offered to restart. After the restart the gateway is secured.

 

I guess the best way to go is not to use the Dashboard to generate the CSR.

 

Thank you all for the help.

Link to comment
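The route that worked in the last post (key and CSR created outside the Dashboard, then converted to PFX with OpenSSL), as an added example that is not part of the original thread. The mydomain.* file names follow the thread; the function names, host name and password are placeholders, and a throwaway test CA is constructed in place of the real CA so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (constructed). Placeholders: host name, password, function names.
set -eu

# Step 1: create the private key and CSR on your own machine. This key file is
# what OpenSSL asks for at conversion time, so keep it and lock down its mode.
make_key_and_csr() {            # $1 = working dir, $2 = host name for the CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/mydomain.key" -out "$1/mydomain.csr" 2>/dev/null
  chmod 600 "$1/mydomain.key"
}

# Stand-in for the CA (constructed for this example only): signs the CSR and
# leaves mydomain.crt and mydomain.ca-bundle, like the files the CA returns.
issue_with_test_ca() {          # $1 = working dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/mydomain.ca-bundle" 2>/dev/null
  openssl x509 -req -in "$1/mydomain.csr" -CA "$1/mydomain.ca-bundle" \
    -CAkey "$1/ca.key" -set_serial 1 -days 1 -out "$1/mydomain.crt" 2>/dev/null
}

# Step 2: a certificate only pairs with the key its CSR was made from.
# Compare the public key inside the certificate with the one derived from the key.
cert_matches_key() {            # $1 = certificate, $2 = private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 3: bundle key, certificate and intermediates into a PFX (PKCS#12) file.
# "pass:" exposes the password to the process list; use env: or the prompt in practice.
make_pfx() {                    # $1 = working dir, $2 = export password
  cert_matches_key "$1/mydomain.crt" "$1/mydomain.key" || return 1
  openssl pkcs12 -export -inkey "$1/mydomain.key" -in "$1/mydomain.crt" \
    -certfile "$1/mydomain.ca-bundle" -out "$1/mydomain.pfx" -passout "pass:$2"
}

workdir=$(mktemp -d)
make_key_and_csr "$workdir" isy.example.com
issue_with_test_ca "$workdir"
make_pfx "$workdir" 'constructed-password'
echo "wrote $workdir/mydomain.pfx"
```

The check in step 2 fails for any key other than the one that produced the CSR, which is why a certificate issued for a CSR generated on the device cannot be converted to PFX on a PC.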

Archived

This topic is now archived and is closed to further replies.

