CSR "component is missing" after transferring SSL certificate

[Steven1st]

Hi, I have recently moved my hosting provider and have setup a few websites on the new server. 1 of which had a SSL certificate from Geo-trust in April so I was hoping to transfer it to the new server.

I have copied and pasted the Private key, Certificate and CA certificate. I have also set it up on its own webspace with dedicated IP address.

When I go to the website the padlock is there and all seems fine but after clicking on a few links a message appears saying the owner of the SSL does not match. It recognises that its from Geo-trust and 256 encryption.

When looking at the SSL certificate on plesk it says the CSR component is missing but the Private key, Certificate and CA certificate are all supplied.

How do I get the CSR to be supplied to fix this error?

Thanks
Steve

 

[abdi]

Why not just re-install it ...However you can also look through /usr/local/psa/var/certificates

 

[Steven1st]

I have re installed it loads of times. Either you can request the CSR through Plesk or copy and paste the text. It wont allow me to do both.

So I either have a CSR with a private key that does not match the old cert or I have the problem above.

Is there a way to combine the CSR with the old private key in the directory you suggested?

 

[abdi]

Yes there's. You just go to that directory and find the appropriate file that has the SSL and edit it. Its just a txt file so you will then add or replace the CSR in there with your own.

 

[Steven1st]

Is the CSR in that directory as well? All I can find in there are the private key & and cert and then in another file the CA cert.

Where do I need to add the CSR?

 

[abdi]

I actually just realized that you don't need a CSR to have the SSL function. I did a migration too with the SSLs and noticed that the CSR is missing in the Plesk but yet my SSL is functioning just fine.

 

[ChrisKief]

The certificate is stored in both the Plesk PSA database (certificates table) as well as the file system. If you'd like to transfer your certificate along with the CSR, do the following:

- create a new CSR for the domain using Plesk (you can use whatever information you'd like, we're going to overwrite it, only the Certificate name will remain)
- connect to the PSA database and go to the certificates table, you will see the new CSR you just created (how to - http://kb.parallels.com/en/3472)
- overwrite the values in the csr and pvt_key columns with your CSR and Private Key (NOTE - you'll need to encode them using a tool such as this - http://meyerweb.com/eric/tools/dencoder/)
- head back to the certificate page in Plesk and refresh, you'll now see your CSR and Private Key (the certificate information will also update)
- you can now submit the Certificate and CA certificate via the form (you do not need to encode the values this time)

You should have a working certificate with CSR stored in Plesk.

Cheers

 

[Faris Raouf]

Hold on there Steven - you may be looking for a solution to the wrong problem.

The error you see in Plesk (CSR missing) is not an error really, it is just a notice. It is shown because the CSR is indeed missing.
But just as Abdi says, as far as I'm aware, it is not required in order for a site to be secured*. Indeed, if, when you visit the site, the lock is there initially, as you mention, then the certificate is working correctly and the CSR is not required.

I assume you have transferred the site from another server? If so, what I suspect is happening is that one or more other pages are doing an include of some sort or another that includes insecure content or content from the wrong place. Or maybe the links may be going to somewhere you don't expect.

When you click on the lock icon on the "good" pages, you should see all the details shown. On the ones with the error, you need to carefully check what it says exactly. That will give you the clue to what's wrong. Also search the page source for links, iframes and php includes etc. Check for http and https *** as well as IP-based links ***.

Depending on your browser, when you click on the lock icon you will see a general status of the certificate. But you can also drill down to more detail, and the problem may be shown there. For example in Internet Explorer, you can click on View Certificates, at which point you get a General, Details and Certification Path tabs. In the General tab, you'll see who/what the certificate in use has been issued to. e.g. www.domain.tld, and the validity period.

The Details and Certification Path tabs gives you even more info.

If you look at these details on the "broken" pages, what exactly do you see? And again check out the page source - " the owner of the SSL does not match" is, I presume, not the actual error, but close to it? What you need to check is what SSL is being used at that point, and what content is being delivered. The bottom line is that the certificate being used does not seem to match what's being served.

* At least for normal certificates - maybe EV ones are different? I don't know. All I can say is that transferring a certificate is normally as simple as doing exactly what you did, as Abdi confirms (and which I've also done without problems in the past, many times).

ChrisKeif -- wow! That's useful. Is that something you've had to do? I mean is this problem that Steve is having, which I'm saying should not be a problem but could be wrong about(!), something you have encountered before?

 

[ChrisKief]

Yes, this is how I've transferred certificates before. But as you've said, the CSR is not necessary for the site to work properly via SSL / https. I only did it for completeness.