SSL query regarding certificate.pem

Discussion in 'General' started by Median, Feb 4, 2006.

  1. Median

    Median New Member

    Hi.

    I set up SSL for one of my websites and installed the certificate which works fine. Now I need to upload the personal certicate for a site created by ISPConfig to PayPal which will only accept the certificate in .pem format. In the ssl directory of the website, there is no .pem files.

    Is it possible to get ISPConfig to generate a .pem file?

    Thanks
     
  2. falko

    falko Super Moderator Howtoforge Staff

    What for does PayPal need an SSL certificate? :confused:
     
  3. Median

    Median New Member

    Encryped Website Payments from osCommerce using SSL and the PayPal IPN.

    Data is encrypted between the user's browser and the osCommerce server by implementing SSL on the server. Data between the user's browser and PayPal is encrypted by the use of SSL at PayPal.

    The data transferred from the osCommerce server to PayPal is not encrypted unless PayPal Encrypted Website Payments are used (see https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ewp-intro-outside)
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you tried to upload the .crt file from the SSL directory to paypal? As ISPCOnfig uses the default Cert file format from apache i guess the .crt file is already in .pem file format.
     
  5. Median

    Median New Member

    I'll give it a try. Thanks Till.
     
  6. Median

    Median New Member

    Further SSL Queries

    When I try and use my SSL certificate with PayPal Encrypted Website Payments I get an error saying
    I note that the section of ISPConfig where the certificate request is generated does not include the option to add an email address. So my questions are:

    Is an email address included when generating the certificate request and if so, which one?

    If not, how can I generate a certificate request for that website which will include the email address?

    Is there anyway that I can add this functionality into ISPConfig as I have customers who will be needing to do the same?

    Thanks
     
    Last edited: Feb 5, 2006
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes the email address is included. When your website is for example www.yourdomain.com, then the email address in the ssl cert is:
    "[email protected]"

    If you need custom email addresses, you will have to add an ssl_email field in the form designer on the SSL tab and then modify the file /root/ispconfig/scripts/lib/config.lib.php around line 1645. The function is named make_openssl_cnf(....);
     
  8. Median

    Median New Member

    Thanks Till. That is the address used in both PayPal and osCommerce so I'm at a loss as to what is causing the problem.

    Do you know of anyway I can check the address in the certificate to find out what it is and make adjustments for the next certificate?

    Thats something I may look at later once I get this problem sorted.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    No. But I'am pretty sure that there must be such a tool. Maybe you find some infos on the openSSL pages?

    Another idea: Have you tried to connect to the SSL site with your internet browser and had a look at the certificate information there?
     
  10. Median

    Median New Member

    I had a search but couldn't find one - I'll keep looking.

    Yes, tried that first but couldn't see any email address at all in the certificate.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, maybe the way ISPConfig adds the email address to the SSL-Cert config file is incorrect. But if i remember correctly when I upload an SSL certificate request made by ISPConfig to instantssl i have seen the mail address there :confused:

    Have you checked other SSL certs not made by ISPConfig if you can see the email address there in the webbrowser?
     
  12. Median

    Median New Member

    The email address is correct in the csr - you can check it using
    Code:
    openssl req -noout -text -in domainname.csr
    Just checked a couple of commercial websites and can't see them. I'll get another certificate made and see if that cures it, but I'm sure I did everything correctly.

    At least the csr works fine.
     

Share This Page