How to use OpenSSL to create a CSR for GoDaddy and then convert it to a PFX for Azure

  • You can find/replace all instances of domain with the value you want to use here, such as bundystl.
    You can find/replace all instances of year with the current year, such as 2017.

    All commands here assume that you are using CentOS 7 installed from the minimal ISO.

    1. Log into the CentOS machine with SSH. I like to use the Bitvise SSH Client because it includes an SFTP client.

    2. I like to use a separate directory for each domain that I need to work with. Make a directory and change into it.

    [root@keygen ~]# mkdir domain
    [root@keygen ~]# cd domain
    3. Assuming you have no private key file already, generate the private key and certificate request.
    openssl req -out domain_year.csr -new -newkey rsa:2048 -nodes -sha256 -keyout domain.key
    3. a. If you already have the private key, just generate the new CSR.
    openssl req -out domain_year.csr -new -key domain.key
    4. Fill out the information appropriately. Never use a challenge password; you will just have to strip it back out.
    Generating a 2048 bit RSA private key
    writing new private key to 'domain.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    5. Print the CSR text to the screen and copy/paste it into GoDaddy.
    [root@keygen domain]# cat domain_year.csr
    6. In your GoDaddy account, navigate to the certificate and click on Rekey and Manage.

    7. Then click on the plus in front of Re-Key certificate to show the CSR entry. Paste in your CSR, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. Click save there.

    8. Click the Submit all saved changes button and wait for your email stating the certificate has been issued.

    9. Click Download.

    10. Choose the IIS option.

    11. Extract the two files from the ZIP file to a local directory.

    12. Use an SFTP window in Bitvise to copy the files to the domain directory you made before.

    13. Convert the GoDaddy P7B into a PEM formatted certificate file.

    openssl pkcs7 -in gd-g2_iis_intermediates.p7b -print_certs -out gd-g2_iis_intermediates.pem
    14. Now you can create the PFX file. When you are prompted for an export password, leave it blank. Just hit enter twice.
    openssl pkcs12 -export -out domain_year.pfx -inkey domain.key -in domain.crt -certfile gd-g2_iis_intermediates.pem
    15. Download the PFX to your local machine.

    16. Log into Azure and upload your new SSL Certificate.
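
A check worth running before the openssl pkcs12 -export step: confirm that domain.key, domain_year.csr and the issued domain.crt all carry the same public key, so a certificate issued against a different key is caught before the PFX is built. This is an added example, not part of the original procedure; the function names are hypothetical, and the demo uses a constructed CN (demo.example) and a self-signed certificate as a stand-in for the one GoDaddy issues.

```shell
#!/usr/bin/env bash
# Added example: confirm key, CSR and issued certificate belong together.

# Print the SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pem" ] || return 1          # unreadable or wrong file type
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if all three files carry the same public key.
check_set() {  # usage: check_set KEY CSR CERT
  local k c x
  k=$(pubkey_hash key  "$1") || { echo "cannot read key: $1" >&2; return 1; }
  c=$(pubkey_hash csr  "$2") || { echo "cannot read CSR: $2" >&2; return 1; }
  x=$(pubkey_hash cert "$3") || { echo "cannot read certificate: $3" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "CSR was not generated from this key" >&2; return 1; }
  [ "$k" = "$x" ] || { echo "certificate does not match this key" >&2; return 1; }
}

# Constructed stand-ins: demo.example and the self-signed domain.crt replace
# the real domain and the certificate GoDaddy would issue.
make_demo() {  # usage: make_demo DIR
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo.example" \
    -keyout "$1/domain.key" -out "$1/domain_year.csr" 2>/dev/null &&
  chmod 600 "$1/domain.key" &&      # unencrypted key: owner-only
  openssl x509 -req -in "$1/domain_year.csr" -signkey "$1/domain.key" \
    -days 1 -out "$1/domain.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" &&
  check_set "$demo_dir/domain.key" "$demo_dir/domain_year.csr" \
            "$demo_dir/domain.crt" && echo "key, CSR and certificate match"
rm -rf "$demo_dir"
```

With the real files in the domain directory, the call is check_set domain.key domain_year.csr domain.crt, and a non-zero exit means the PFX should not be built from that set.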