How to rekey a GoDaddy SSL certificate with Apache on Ubuntu

December 1, 2013 5.9k views
Hi everyone, I'm trying to move an existing SSL certificate to my new DigitalOcean droplet and am following the tutorial here: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04

GoDaddy shows the following for my certificate:

Common Name: www.repfineart.com
Organization: www.repfineart.com
Organization Unit: Domain Control Validated
Serial Number: 22121223482928715 (4E:97:22:B3:B2:6E:4B)

Certificate Details
Type: Standard SSL
Private Key Length: 2048 bits
Signature Algorithm: SHA-1
Issuing Organization: Go Daddy
Valid From: 3/27/12 1:22:41 PM GMT
Valid To: 9/7/16 7:13:06 PM GMT
Status: Current

Here I am generating the CSR:

root@web:/etc/apache2/ssl# openssl req -x509 -nodes -days 1012 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Generating a 2048 bit RSA private key
...............................................................................................+++
.................................................................+++
writing new private key to '/etc/apache2/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Arkansas
Locality Name (eg, city) []:Little Rock
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.repfineart.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.repfineart.com
Email Address []:lance@repfineart.com
root@web:/etc/apache2/ssl# more apache.crt
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

I then take the apache.crt contents from above and paste them into the CSR field at GoDaddy. I select rekey this certificate and it returns an "Invalid CSR" error. I have tried pasting with and without the ---CERTIFICATE--- lines.

I'm really stuck here and could use a nudge in the right direction. Thank you!

1 Answer
The issue was this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Using this command worked:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
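
Why the second command works, as an added example that is not part of the original answer: `-x509` makes `openssl req` write a self-signed certificate instead of a certificate signing request, so the file pasted into the CA's CSR field has the wrong PEM type. The helper names (`pem_kind`, `csr_ready`), the `-subj` value and `www.example.test` are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example: classify PEM files and check a CSR before submitting it to a CA.
# www.example.test and the helper names are constructed placeholders.

# Print the kind of PEM object in FILE, based on its first BEGIN line.
pem_kind() {
  case "$(grep -m1 -e '-----BEGIN ' "$1" 2>/dev/null)" in
    *'BEGIN CERTIFICATE REQUEST-----'|*'BEGIN NEW CERTIFICATE REQUEST-----') echo csr ;;
    *'BEGIN CERTIFICATE-----') echo certificate ;;
    *'PRIVATE KEY-----')       echo private-key ;;
    *)                         echo unknown ;;
  esac
}

# Succeed only if CSR is a real request, its self-signature verifies,
# and its public key belongs to the private key in KEY.
csr_ready() {
  local csr="$1" key="$2"
  [ "$(pem_kind "$csr")" = csr ] || { echo "not a CSR: $(pem_kind "$csr")" >&2; return 1; }
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Run both commands from the thread non-interactively and compare the results.
demo() {
  local d; d=$(mktemp -d) || return 1
  local subj='/CN=www.example.test'
  # Form used in the question: -x509 emits a self-signed certificate.
  openssl req -x509 -nodes -days 1012 -newkey rsa:2048 -subj "$subj" \
    -keyout "$d/apache.key" -out "$d/apache.crt" 2>/dev/null
  # Form used in the answer: -new without -x509 emits a signing request.
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/yourdomain.key" -out "$d/yourdomain.csr" 2>/dev/null
  echo "apache.crt:     $(pem_kind "$d/apache.crt")"
  echo "yourdomain.csr: $(pem_kind "$d/yourdomain.csr")"
  csr_ready "$d/yourdomain.csr" "$d/yourdomain.key" && echo "yourdomain.csr is ready to submit"
  csr_ready "$d/apache.crt" "$d/apache.key" || echo "apache.crt would be rejected as a CSR"
  rm -rf "$d"
}

command -v openssl >/dev/null && demo
```

The private key written alongside the CSR is the one Apache must use with the reissued certificate, so `csr_ready` is worth running against the exact key file the virtual host will reference.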