Private Key Certificate
🔞 ALL INFORMATION CLICK HERE 👈🏻👈🏻👈🏻
Private Key Certificate
SSL & PKI
CSR Private Key: How to Generate Your Private Key from a Certificate
By
Savvy Security
June 22, 2022
7 Mins Read
Are you planning to add a secure socket layer/transport layer security (SSL/TLS) certificate to your cybersecurity arsenal but you don’t know how to get the required certificate signing request (CSR) and a private key? No worries generate private key from a certificate
Don’t be yet another victim to be added to the 85% of organizations that suffered a cyberattack in 2021. Learn how to generate a private key from a certificate using a free CSR generator tool.
It’s fast, painless, and easy — so much so that we’re going to show you how to do it right now.
An SSL/TLS certificate won’t only encrypt all communications between your server and the client, but it’ll also avoid your website being marked as “not secure” by the most used browsers.
Before you can receive the SSL/TLS certificate from a trusted certificate authority (CA), you’ll require two important digital files:
All this information will be used to create the SSL/TLS certificate that will be issued to you by the CA. A CSR generator tool will create something that looks like this:
Image caption: This is an example of CSR obtained with a generator tool
How do you get them? Let’s find it out!
Time is money. Why should you spend time and effort to manually generate your private key from a CSR or with the Windows MMC console when you can do it using a free CSR generator tool in seconds? How? By using our browser-based CSR generation tool .
The CSR generator will enable you to keep your private key really private. Why? Because instead of being server-based like many other CSR generators, it’s browser-based. This means that your private key will be generated and displayed only inside your browser. This is fine so long as you’re using a secure, encrypted website like CheapSSLsecurity.com. Your key will never be saved, transmitted, or shared to our server.
OK, enough talking, let’s get down to business and discover how to get a private key from a CSR using the CSR generation tool.
A screenshot of the form that you’ll need to complete can be seen below:
2. Enter your hostname (i.e., common name) .
Type the fully qualified domain name (FQDN) of your server that customers use to access your website.
Tip : Do you need the key for a wildcard SSL certificate? Then make sure you enter your common name using this format: *.mydomain.com
Ensure you use the exact legal name (e.g., Google, Inc.). If you don’t have one and are a private site owner, enter your full name.
Indicate the department that’ll handle the certificate (e.g., IT department, Security team). Tip : This field isn’t mandatory and can be left blank. In fact, the OU field is being deprecated across the industry as a whole because it’s a non-validated field that threat actors could misuse.
5. Enter the city where your company is located .
Make sure you enter your legal location. I’ve entered Philadelphia for demonstration purposes.
6. Add the state or province where your company is located .
This should match the information you entered in the previous step. If you typed Philadelphia, for example, you’ll then indicate Pennsylvania as your state.
Based on the information entered till now, choose from the drop-down menu the country your organization is located in.
8. Select your preferred key generation algorithm .
You can choose between the most used Rivest-Shamir-Aldman (RSA) algorithm and the newer elliptical curve cryptography (ECC). Don’t know which one to pick? Check out our SSL/TLS algorithms comparison article to make an informed choice. I’ve selected ECC here for this example as it offers the same level of encryption as RSA but it’s faster and more secure.
If you selected the RSA key algorithm in the previous step, you may want to stick to the National Institute of Standards and Technology ’s (NIST) recommendation and choose the approved, pre-filled high strength 2048 key size as a minimum. If you’re like me and opted for the ECC key algorithm, you can go with 256 as your key size.
Tip : The tool only lists highly secure key sizes. Smaller sizes aren’t included in the drop-down menu to avoid you getting a too-insecure private key.
Review all the information you entered. Is it correct? Well done! Now, all you have to do is to click on the Generate CSR button at the bottom of the form.
11. Get ready to order your SSL/TLS certificate .
There we go! Now you have your private key ready to download as a text file! Download it and save it on your device. Copy your CSR and send it to the CA to get your brand new SSL/TLS certificate. And remember, when you need to renew it, you’ll just have to follow the same process again.
If you scroll down the page, in addition to the CSR certificate and the CSR private key, the tool will also provide you with ready-made commands to manually generate a CSR directly on your server. (We list multiple server options to choose from.) Cool, huh?
Hungry for more free tools? Check out the other SSL tools and ready-to-use commands available on our SSL tools and guides page !
As highlighted in the article, a certificate authority (CA) won’t be able to issue an SSL/TLS certificate until you’ll send them the CSR for it. This also means that you won’t be able to get a hold of your private key until you complete the certificate signing request.
Remember, you can always generate your private key and CSR manually using the MMC console . But is it worth it? Do you have the time and the skills required?
Don’t put the security of your website, organization, and customers at risk of a data breach. Get your CSR and private key using a CSR generator tool like the one shown in the example. It’ll save you the hassle of a lengthy manual process and keep your data safe and sound.
Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
You don’t need a multi-million dollar budget or 24/7 security team to protect your website and business against the latest cybersecurity threats. Savvy Security’s mission is to provide practical, proven advice to help you keep hackers out of your business.
Savvy Security © 2021 Web Security Solutions, LLC
Type above and press Enter to search. Press Esc to cancel.
U.S. Dollar Euro British Pound Canadian Dollars Australian Dollars Indian Rupees China Yuan RMB More Info →
Dashboard Expiring Soon Domain List Hosting List Private Email SSL Certificates Profile
We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page .
If you just got an issued SSL certificate and are having a hard time finding the corresponding Private key, this article can help you to find that one and only key for your certificate.
Firstly, let’s dive into basics a little. The design of global public key infrastructure, relying on which modern secure negotiation through SSL/TLS is possible, implies that there is always a pair of unique keys -
Nonetheless, in most cases, this code won’t come into your sight while generating the CSR. It is usually created in the background and silently saved in the server’s filesystem. And obviously, during the SSL certificate installation the key should be fetched to the certificate automatically. However, some systems do not have such a kind of behavior or sometimes we need to install the certificate on another server. These are the examples of the cases when we really need to know the exact location of the Private key.
Below you can find tips, examples and pieces of advice that you can consider to follow in order to get a missing puzzle and avoid certificate reissue (i.e., repeating the process of activation and validation from scratch).
Linux operating systems (Apache, Nginx, Lighttpd, Heroku) Traditionally, Private keys on Linux-based operating systems (Ubuntu, Debian, CentOS, RedHat, etc.) are openssl generated keys with the crypto toolkit and saved into files with the .key or .pem extension. However, since specific extensions are not obligatory for simple text files on Linux systems, the Private key code can be put into a file with virtually any name.
If you remember the full or partial name of the .key file, you can try to get its location by running the ‘find’ command as below:
sudo find [search_start_folder] -type f -iname 'private.key'
- [search_start_folder] parameter indicates the directory to start the search from and through all directories inside it, for example, to search from “root”, the / sign should be specified;
- to do the search by a partial filename, the assumed name of the file should be specified with an asterisk (*), for example, the “*.key” value allows locating every file with the name ending with “.key”.
HINT : Very often, the name of the key file resembles the domain name the certificate is issued for, e.g., “example.com.key”, “example_com.key”, “example-com.key” etc.
Another way to get the Private key file location is to search inside the files by certain patterns:
grep -r --exclude-dir=log --exclude-dir=ssh --exclude=*history -I -l -e '-----BEGIN PRIVATE*' -e '-----BEGIN RSA*' -e '-----BEGIN EC*' [search_start_folder] 2> /dev/null
This one-liner command prints out an absolute path to the file, which contains a matching expression (------BEGIN header), for example, “/etc/ssl/private.key”.
Windows operating systems (IIS, Exchange, Small Business server) Windows systems do not allow retrieving the Private key in plain text. When an SSL certificate is imported either through Microsoft Management Console (MMC) or IIS, the matching Private key is bound to the certificate automatically, of course, if the certificate is being imported to the same instance the key was generated on. But if we need to get the Private key for example for the certificate installation on another server, there is an option to export the key in a password protected file (PFX or PKCS12 format). To do so, you will need to open MMC Certificates snap-in in the following way:
Win+R > mmc.exe > OK > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK
Then navigate to Certificate Enrollment Requests > Certificates (if the certificate request was not completed) or Personal > Certificates (if the certificate request was already completed) folder, right-click on the certificate entry and click All Tasks > Export to open the export wizard. More details on the export process can be found here .
As a result, you will receive a .pfx file containing the key. To get the key in plain text, you can convert the .pfx into PEM-encoded files using tool (PKCS#12 to PEM option).
Mac OS X The default “Keychain” tool in the Server app does not allow accessing the generated Private key through the graphic user interface. However, using the command line tools in Terminal, it is possible to navigate to the “/etc/certificates” folder and open the key file, which should be called something like “.key.pem”.
Tomcat (using keytool) Unless the SSL connector on Tomcat is configured in APR style, the Private key is usually stored in a password-protected Java keystore file (.jks or .keystore), which was created prior to the CSR. To extract the key in PEM format, the keystore should be converted into .pfx/.p12 (PKCS#12) file firstly. With the ”keytool” utility, it can be done with the help of the following command:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias -srcstorepass -srckeypass -deststorepass -destkeypass
“keystore.jks” should be replaced with the name of the keystore, containing the required key; “keystore.p12” - with the name of the .pfx/.p12 file the keystore will be converted into; , and refer to the alias, the keystore password and the key password values specified during the keystore generation; and values are required for securing the integrity of the new .pfx./p12 file; it is possible to use the same password for both parameters though.
When the .pfx/.p12 file is created, it can be converted into PEM formatted files either with the help of this tool (PKCS#12 to PEM option) or using OpenSSL. The OpenSSL command would be:
openssl pkcs12 -in keystore.p12 -nocerts -nodes -out private.key
- ‘private.key’ refers to the name of the file the Private key text will be saved to.
cPanel There are 2 ways to get to the Private key in cPanel:
There's another menu in the "SSL/TLS" manager that allows to find the matching Private key for the certificate. Click on "Certificate Signing Request (CSR)" and locate your CSR by the domain.
Scroll the next page down, where you can see the "This CSR uses the following key" option and a link below it to obtain the Private key:
WHM In WHM the Private keys are stored along with the corresponding CSRs and certificates in “SSL Storage manager”. To get there, you can click “SSL/TLS” on the home screen and then on the “SSL Storage manager”. To open the Private key text, you will need to click on the magnifier button in the first column called “Key”.
Plesk After navigating to Domains > domain.com > SSL/TLS certificates, you should see the page similar to the one on the screenshot below. The key sign with the message “Private key part supplied” indicates the presence of the needed key in the system. To open it in plain text, you will need to click on the name of the entry and scroll down until the key code appears on the screen. Alternatively, you can click on the green arrow sign on the right and download the .pem file containing the key, the CSR and the certificate along with the CA bundle, if they were imported already. The .pem file can be opened with any text editor like Notepad:
Synology NAS DSM In Synology DSM, the Private key is downloaded in the archive.zip file on the last step of the CSR generation wizard. It is saved in the server.key file inside the .zip archive and can be opened on a local computer with a text editor:
Webmin The Webmin panel was designed as a graphic user interface on top of the command line tools, although it comes with the File manager (Filemin) which can be used for browsing the file system in order to find the key file, which was created by the OpenSSL command in Command Shell when the CSR was generated.
The other way to find the Private key in Webmin is to open “Command shell” under the “Others” section and run the “find” or “grep” command from the “Linux operating systems” paragraph of this article.
VestaCP The Private key on VestaCP is not saved anywhere throughout the user interface; it is necessary to save the key text into a local file during the CSR generation.
However, there is still a chance to find it through SSH. When VestaCP creates a new CSR, the Private key is stored as a temporary file in the “/tmp” directory. The absolute path to the key file might look like “/tmp/tmp.npAnkmWFcu/example.com.key”, for example. The main bottleneck here is that the files inside “/tmp” are deleted permanently during each server reboot.
To get the location of the key file on your instance, the following command can be invoked:
find /tmp -type f -iname ' domain.com .key'
- “domain.com” should be replaced with the actual domain name the CSR was generated for.
Alternatively, the same old “grep” can be used as well:
grep -r -I -l -e ‘-----BEGIN PRIVATE*’ -e ‘-----BEGIN RSA*’ /tmp 2> /dev/null
DirectAdmin In the recent versions of DirectAdmin panel the Private key is usually saved in the system and gets pre-fetched in the “Paste a pre-generated certificate and key” section in the SSL Certificates menu.
If during the certificate installation you are about to paste the certificate text under the auto-populated Private key text but see an empty window, it could mean the CSR code was generated elsewhere or the Private key was not added to this window due to a system glitch. In the latter case, it is possible to retrieve the key via SSH. It is normally saved in the following directory: /usr/local/directadmin/data/users/ /domains/ .key , where corresponds to your DirectAdmin username and - to the domain the CSR has been generated for.
Webuzo The “SSL” section in Webuzo is located on the home page. Clicking on the “Private keys” button will lead to the list of the generated keys. To see the key text, the pencil button should be clicked on the right side of the list under the “Option” column:
In conclusion, if none of the above-mentioned tips were helpful and the original Private key cannot be retrieved, it is necessary to generate the new CSR / Private key pair and reissue the certificate, making sure that the Private key is safe this time.
We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.
If you need specific help with your account, feel free to contact our Support Team . Thank you.
Need help? We're always here for you.
We make registering, hosting, and managing domains for yourself
or others easy and affordable, because the internet needs people.
Join Our Newsletter & Marketing Communication We'll send you news and offers.
The entirety of this site is protected by copyright © 2000–2022 Namecheap, Inc.
4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA
We are an ICANN
accredited registrar.
Serving customers since 2001.
choose your language
English
Español
Dutch
Deutsch
Français
Italiano
Chinese (Simplified)
Chinese (Traditional)
Japanese
Korean
Português
TECHNICAL SUPPORT CHAT >
VALIDATION CHAT >
SALES CHAT >
1.877.438.8776 (Toll Free US and Canada)
Secure, update, monitor and control connected devices at scale
The smarter way to manage certificate lifecycles
Issue & install
Inspect & remediate
Renew & automate
Assign & delegate
The smarter way to manage certificate lifecycles
Issue & install
Inspect & remediate
Renew & automate
Assign & delegate
Modern PKI. Real-world results.
Trusted & Secure Identities
Trusted & Secure Email (S/MIME)
Trusted & Secure Network Devices
Trusted & Secure Network Access (VPNs)
Trusted & Secure Smart Cards
Lingerie Nude Girls
Big Ass Film
Gyno Lesbian