getting a godaddy cert using certtool
simon at josefsson.org
Mon Jan 11 10:59:02 CET 2010
There has been some questions about getting certificates from commercial
CAs using GnuTLS tools. I just bought a cert from godaddy and it worked
fine. I was using certtool and thought I'd share the steps I used. I
used GnuTLS 2.8.5 as packaged in Debian.
$ certtool -p --outfile api2.yubico.com-key.pem
Generating a 2048 bit RSA private key...
$ certtool --generate-request --load-privkey api2.yubico.com-key.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): SE
Organization name: Yubico AB
Organizational unit name:
State or province name:
Common name: api2.yubico.com
Enter a dnsName of the subject of the certificate: api2.yubico.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate: 184.108.40.206
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N): n
Is this also a TLS web server certificate? (y/N): y
PKCS #10 Certificate Request Information:
I cut'n'pasted the CSR printed in '...' above to Godaddy, and verified
the domain ownership through their e-mail ping, and I was then able to
download a ZIP file containing the certificate.
There are some things I note in the certificate I got though:
Key Purpose (not critical):
TLS WWW Server.
TLS WWW Client.
This is even though I didn't ask for a WWW client cert!
Key Usage (critical):
This seems right.
Subject Alternative Name (not critical):
They added a 'www.api2.yubico.com' name although I didn't ask for it.
Note that they dropped the IP address SAN that I supplied.
More information about the Gnutls-devel