How to use OpenSSL to create a CSR for GoDaddy and then convert it to a PFX for Azure



  • You can find/replace all instances of domain with the value you want to use here, such as bundystl.
    You can find/replace all instances of year with the current year, such as 2017.

    All commands here are on the assumption that you are using CentOS 7 from the minimal ISO.

    1. Log into the CentOS machine with SSH. I like to use the Bitvise SSH Client because it includes an SFTP client.

    2. I like to use a separate directory for each domain that I need to work with. Make a directory and change into it.

    [root@keygen ~]# mkdir domain
    [root@keygen ~]# cd domain
    
    1. Assuming you have no private key file already, generate the private key and certificate request
    openssl req -out domain_year.csr -new -newkey rsa:2048 -nodes -sha256 -keyout domain.key
    
    1. a. If you already have the private key, just generate the new CSR.
    openssl req -out domain_year.csr -new -key domain.key
    
    1. Fill out the information appropriately. Never use a challenge password; you will just have to strip it back out.
    Generating a 2048 bit RSA private key
    ..........+++
    .........................................+++
    writing new private key to 'domain.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    1. Show the CSR text to the screen and copy / paste into GoDaddy
    [root@keygen domain]# cat domain_year.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIDYzCCAksCAQAwPzELMAkGA1UEBhMCVVMxEzARBgNVBAcMClN0IENoYXJsZXMx
    <snippers>
    w2D4gxiqrmyK+A+SDhhbWlsN2ybve8DPkuLLRW/FJOtumWzsKkUFpT/2QsQuetPj
    kxE06g/VNA==
    -----END CERTIFICATE REQUEST-----
    
    1. In your GoDaddy account, navigate to the certificate and click on Rekey and Manage

    2. Then click on the plus in front of Re-Key certificate to show the CSR entry. Paste in your CSR, including the ---Begin--- and ---End--- lines. Click save there.

    3. Click the Submit all saved changes button and wait for your email stating the certificate has been issued.

    4. Click Download

    5. Choose the IIS option.

    6. Extract the two files from the ZIP file to a local directory.

    7. Use an SFTP window in Bitvise to copy the files to the domain directory you made before.

    8. Convert the GoDaddy P7B into a PEM formatted certificate file.

    openssl pkcs7 -in gd-g2_iis_intermediates.p7b -print_certs -out gd-g2_iis_intermediates.pem
    
    1. Now you can create the PFX file. When you are prompted for an export password, leave it blank. Just hit enter twice.
    openssl pkcs12 -export -out domain_year.pfx -inkey domain.key -in domain.crt -certfile gd-g2_iis_intermediates.pem
    
    1. Download the PFX to your local machine

    2. Log into Azure and upload your new SSL Certificate.
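
Before the `openssl pkcs12 -export` step above, it is worth confirming that the certificate GoDaddy returned really belongs to `domain.key`, since a re-key done with the wrong CSR only shows up later as a failed import or a broken TLS binding. The script below is an added example, not part of the original post: the function names `pubkey_hash`, `check_match` and `make_samples` are made up here, and the `example.test` key, CSR and self-signed certificate are constructed stand-ins for the real files.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the private key,
# the CSR and the issued certificate all carry the same public key.

# Print the SHA-256 of the public key inside a key, CSR or certificate file.
pubkey_hash() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match KEY CSR CERT: succeed only if all three share one public key.
check_match() {
    k=$(pubkey_hash key "$1") || { echo "unreadable key: $1" >&2; return 1; }
    r=$(pubkey_hash csr "$2") || { echo "unreadable CSR: $2" >&2; return 1; }
    c=$(pubkey_hash cert "$3") || { echo "unreadable certificate: $3" >&2; return 1; }
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample material: a throwaway key and CSR made without prompts,
# a self-signed certificate standing in for the one GoDaddy returns, and an
# unrelated second key to show the failure case.
make_samples() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.test" \
        -keyout "$d/domain.key" -out "$d/domain_year.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/domain_year.csr" -signkey "$d/domain.key" \
        -days 1 -out "$d/domain.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

if [ $# -eq 3 ]; then
    # Real use: sh check.sh domain.key domain_year.csr domain.crt
    check_match "$@" && echo "match: safe to build the PFX"
else
    tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
    check_match "$tmp/domain.key" "$tmp/domain_year.csr" "$tmp/domain.crt" \
        && echo "match: safe to build the PFX"
    check_match "$tmp/other.key" "$tmp/domain_year.csr" "$tmp/domain.crt" \
        || echo "mismatch: wrong key for this certificate"
    rm -rf "$tmp"
fi
```

Because the PFX step uses a blank export password, the resulting file holds the private key without protection, so handle and delete it as you would `domain.key`.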