UCC SAN SSL Certificate–GoDaddy/Azure - CloudFronts

UCC SAN SSL Certificate–GoDaddy/Azure

Posted On June 10, 2015 by Admin Posted in 

Introduction

Adding sub-domain to UCC SSL 5 certificate and revoking existing SSL Certificate.

Problem Statement:

We have sub-domain called salesportal.mywebsite.com hosted on windows azure. Salesportal.mywebsite.com associated with SSL binding but that SSL is expired and we want to revoke that certificate and add it to UCC SSL 5 certificate from Go-daddy.

=> We have salesportal.mywesite.com hosted on windows azure.

=> SSL certificate purchase from Go-Daddy. In our case we want to remove standard certificate and add it to UCC 5 Certificate.

Please follow below steps to revoke existing SSL and add it to New SSL certificate

Installation

To proceeds with SSL, first step is to download Open SSL. This is Open source software that will help us to create CSR request.

Download Open SSL from following link:

http://indy.fulgan.com/SSL/

Generate CSR

Create CNF file for CSR

For more detail visit following URL. http://azure.microsoft.com/en-in/documentation/articles/web-sites-configure-ssl-certificate/

Let’s understand how to apply SSL Certificate to multiple Domain. Download Sample code from http://azure.microsoft.com/en-in/documentation/articles/web-sites-configure-ssl-certificate/#bkmk_subjectaltname

Example:

# ————– BEGIN custom sancert.cnf —–

HOME = .
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = 
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = 
localityName = Locality Name (eg, city)
localityName_default = 
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = 
organization = Organization Name
organization__default=
commonName              = Your common name (eg, domain name)
commonName_default      = www.mydomain.com
commonName_max = 64
[ v3_req ]
subjectAltName=DNS:payments. mydomain.com, DNS:blog.mydomain.com

# ————– END custom sancert.cnf —–

Note:

=> subjectAltName contains sub domain name. It can also contains main domain name as well.
Example. www.crmonline.com

File start with # ————– BEGIN custom sancert.cnf —–

Above example can be tricky

Problem statement 1:

We have UCC SSL 5 certificate connected to payments.mywebsite.com and its running. We are adding salesportal.mywebsite.com domain to UCC SSL 5 certificate. In that case your Common Name will be payments.mywebsite.com and subjectAltName will be salesportal.mywebsite.com.

Note: common name need to add from console window and subjectAltName in the cnf file.

Example:

# ————– BEGIN custom sancert.cnf —–

HOME = .
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = 
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = 
localityName = Locality Name (eg, city)
localityName_default = 
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = 
organization = Organization Name
organization__default=
commonName              = Your common name (eg, domain name)
commonName_default      = www.mydomain.com
commonName_max = 64
[ v3_req ]
subjectAltName=DNS:salesportal.mywebsite.com,

# ————– END custom sancert.cnf —–

Problem Statement 2:

We have UCC SSL 5 certificate connected to www.mywebsite.com and its running. We are adding salesportal.mywebsite.com domain to UCC SSL 5 certificate. In that case your Common Name will be www.mywebsite.com and subjectAltName will be salesportal.mywebsite.com.

Please note: your common name you have to add from console window and subjectAltName in the cnf file.

Example:

# ————– BEGIN custom sancert.cnf —–

HOME = .
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req # Extensions to add to certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = 
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = 
localityName = Locality Name (eg, city)
localityName_default = 
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = 
organization = Organization Name
organization__default=
commonName              = Your common name (eg, domain name)
commonName_default      = www.mydomain.com
commonName_max = 64
[ v3_req ]
subjectAltName=DNS:salesportal.mywebsite.com,

# ————– END custom sancert.cnf —–

CSR Generation

Write following command in Open SSL Console window.

req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048 -config sancert.cnf

Note: sancert.cnf is above sample.

myserver.key file is used to generate .pfx file.

Steps 1:

=> Please fill basic information like Country name, State etc.

=> I have entered common name like payments.mywebsite.com because first time UCC SSL certificate is associate with payments.mywebsite.com.

=> If you are first time creating csr request then common name will be www.mywebsite.com

If you want to check your CSR request then open CSR file in notepad and copy all code paste in following website. https://www.sslshopper.com/csr-decoder.html

Revoke Expired SSL Certificate (GoDaddy)

Always it’s better to revoke SSL certificate after it is expired. Please refer following URL for more support. https://support.godaddy.com/help/article/4747/revoking-an-ssl-certificate?countrysite=in

Login to GoDaddy account:

1. Click on SSL Certificate:

2. Click on manage

You can see we have one sub-domain Standard SSL is expired and another sub-domain has standard UCC SSL 5 certificate. We are going to add expired sub domain to standard UCC SSL certificate.


3. Click view status of expired domain.

4. Click on conform after that following window will appeared.

5. Wait for few minutes and refresh page.

Certificate is expired successfully.

6. Following is status of certificate

Add Domain to UCC 5 Certificate

Click on domain which has UCC 5 certificate. If you have just purchase UUC 5 certificate then open that certificate and paste csr request.

(Which also include # ————– BEGIN custom sancert.cnf —–# and # ————– END custom sancert.cnf —–#).

Then click on manage.

To add domain to UCC 5 Certificate, first we need re key that certificate

Copy and paste your CSR in a text box

Then Click on submit changes that will submit your New CSR request to GoDaddy

Verification window will appeared.

Refresh this page, you can see new Domain is successfully added to this certificate.

Install certificate to Azure

Download certificate from GoDaddy

=> Select Server type IIS and download zip file.

=> Important file is .crt extension and Ignore other files contain in zip

=> Open OpenSSl and click run as administrator(Run as administrator is IMP)

Type following command in command line

pkcs12 -export -out salesportal.pfx -inkey myserver.key -in 889d0fa6641ee566.crt

myserver.key is file when first time we generate CSR request.

After password is entered .pfx file will generate in the same folder. (Note password will required for azure)

Azure Setup

Open Azure account and click on configure


=> Please ignore existing certificate file as you see in this image.

=> Click on Upload a certificate button. Select pfx file and type password. (Password will be same password that enter to generate .pfx file)

When certificate is install it will appeared on Azure account and list of domain will also shows to us.

SSL Binding:

Select certificate that you want to bind with domain.

Click on save. Certificate will bind to your domain

Type domain name with https prefix to see latest changes


Share Story :

Secured By miniOrange