0

This is greatly troubling me,

I have generated a .csr and .key file to send to dynadot (which sends that to AlphaSSL) with this command:

openssl req -out foo.com.csr -new -newkey rsa:2048 -nodes -keyout foo.com.key

It had asked me for confirmation and I received apparently an intermediate chain certificate, however I just placed it in foo.com.crt and it worked fine on my domain.

Contrary to what the purchasing pages had stated, SSL only works on (domain.com) and not (www.domain.com) and I had used domain.com for my common name when generating the original signing request.

I thought this was due to me not using the intermediate chaining, so I had foolishly overwritten the .csr and .key to try to install the GlobalSign root cert before the AlphaSSL one provided to me by dynadot in the same .csr file, however it gives me a warning about a mismatch with my .key file now (I am using nginx)

I had tried to reproduce my steps and settings, however I cannot get the (fresh crt, just what was given to me by dynadot) and .key that I regenerated with the same settings - it just mismatches.

Is it possible to re-request the csr? or generate the private .key from the .csr I was given?

I would rather not spend another chunk of money, and I've no actual AlphaSSL account so I am not sure I can really ask for support or redo the signing.

If you could provide any advice or help I would appreciate it.

Alexander
  • 207
  • 1
  • 3
  • 11
  • I believe it works the other way around - request a `www.example.net` certificate and the `example.net` *SAN* is usually added free of charge. – Felix Frank Jun 19 '14 at 08:36

3 Answers3

7

You can't do any of those. Just issue a revoke request and get a new cert. If you loose your private key - bang, you're gone. That's the whole point of it.

sh1ny
  • 535
  • 3
  • 6
  • I'll try AlphaSSL as they seem to ask for contact without an account or anything, I do not see anything on the my reseller (Dynadot), glad it is slightly easier than I thought. – Alexander Jul 26 '11 at 10:47
  • you should also never be required to submit a key file to a provider either – anthonysomerset Jul 26 '11 at 12:26
0

Like @sh1ny already said: if your private key is gone, you're* out of options. Have the certificate revoked and get a new one.

Perhaps this time from somewhere that doesn't gauge you on simple things like automatically signed basic TLS certificates? ;-)

*) You should be. If they can help you out in another way than revoking your certificate or maybe signing another CSR free of charge, then you should avoid them anyway!

Gnarfoz
  • 717
  • 4
  • 10
0

If you have a root login to a server you have generated it on, and if you did it via whm/cpanel

try looking for a key at /var/cpanel/ssl/system

they might have been there until the system cleanup...

Just look at the file dates, because names might be random.

Aleksandar Pavić
  • 412
  • 2
  • 8
  • 18
  • Thanks for the input. Once your rep allows, please consider adding such hints as comments instead of full answers. – Felix Frank Jun 19 '14 at 08:35