New SSL certificate for *

My SSL certificate for * was expiring, so I started the renewal process. The big difference from last year's certificate is that I wanted to generate my private key myself and not leave it to my SSL reseller. Last year was my first time buying an SSL certificate and I wasn't sure what a CSR (Certificate Signing Request) should contain. This time I already had a CSR and expected it to be easy, so I started the process knowing that the private key should be RSA-2048:

# openssl genrsa -out new.key 2048
# openssl x509 -x509toreq -in old.crt -out new.csr -signkey new.key

And then new.csr wasn't accepted, with a cryptic error. My reseller found that the actual error can be seen by running the following verify command, while kindly suggesting that the private key be generated by them anyway:

# openssl req -text -noout -verify -in new.csr
verify failure
139920534435656:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139920534435656:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:773:
139920534435656:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:190:

No, I wanted my private key to be mine only. Trying to resolve the error didn't succeed (a CSR derived this way carries the old certificate's public key while its signature is made with the new key, so the signature cannot verify against the key inside the request). Instead I created a new CSR from scratch, without using the old certificate as a template; I only took the subject from it. It turned out that this is enough for the CSR to be accepted, and I successfully got my new wildcard certificate:

# openssl req -new -subj '/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*' -key new.key -out new.csr
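As an added example (not from the original post), the following script builds the key and CSR the way that worked, reproduces the x509toreq route, and checks each CSR against new.key before it goes to the reseller. It assumes a working `openssl` binary; the CN is a placeholder for the real wildcard name and the files live in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is installed;
# the CN below is a placeholder for the real wildcard name.
set -u
WORK=$(mktemp -d)
SUBJ='/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.example.test'

# The reseller's check: does the CSR's self-signature verify?
# Returns 0 on "verify OK" (wording differs between releases), 1 otherwise.
csr_verifies() {
    out=$(openssl req -in "$1" -noout -verify 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'verify OK'
}

# Stronger check: the public key embedded in the CSR ($1) must be the public
# half of the private key ($2) we intend to keep. Returns 0 on a match.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The approach that worked: a fresh CSR built from the subject and new.key.
make_csr_from_subject() {
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null &&
    openssl req -new -subj "$SUBJ" -key "$1/new.key" -out "$1/new.csr" 2>/dev/null
}

# The approach that failed: derive the CSR from a (here self-signed, constructed)
# old certificate but sign it with the new key. On the OpenSSL 1.0 release used
# in the post the CSR keeps the old public key, so it cannot verify; newer
# releases may differ, which is why the result is checked rather than assumed.
make_csr_from_old_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/old.key" \
        -out "$1/old.crt" -days 1 -subj "$SUBJ" 2>/dev/null &&
    openssl x509 -x509toreq -in "$1/old.crt" -signkey "$1/new.key" \
        -out "$1/old2new.csr" 2>/dev/null || true   # a failure here is a rejection too
}

make_csr_from_subject "$WORK"
make_csr_from_old_cert "$WORK"
for csr in new.csr old2new.csr; do
    if csr_matches_key "$WORK/$csr" "$WORK/new.key" && csr_verifies "$WORK/$csr"; then
        echo "$csr: public key matches new.key and signature verifies"
    else
        echo "$csr: REJECT, CSR does not belong to new.key"
    fi
done
```

Run the two checks on any CSR before uploading it; the key-match test is the one that catches a request built from the wrong key even when a reseller's error message is unhelpful.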

From my experience last year I knew I have to prepare a chained certificate for some servers (STAR_tower_3_bg.chained.crt for nginx's ssl_certificate, and a chain-only file for the rest, where the certificate chain is a separate configuration parameter).

# cat STAR_tower_3_bg.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > STAR_tower_3_bg.chained.crt
# cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt >

I'm stuck with version 1.2.1 of Debian's nginx for now. I already did my best for Perfect Forward Secrecy in my nginx setup; it will be improved once I upgrade to Debian Wheezy. What I added now is enforcing SSL for my webmail website:

add_header X-Frame-Options DENY;
add_header Strict-Transport-Security max-age=31536000; # 365 days