Cannot install self-signed certificates?

sparek-3

• January 13, 2018 09:51

So... installssl no longer allows you to install a self-signed certificate because no CA Bundle is used? WHM API 1 Functions - installssl - Software Development Kit - cPanel Documentation That's... dumb? Got a client that wants to install their own self-signed certificate. I'm not really up for a debate on the merits to this or a free DCV certificate, that's not the point. How is one suppose to install a certificate when a CA Bundle is not required? Keep getting the error Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate. When I don't list a CA Bundle. Is there and override some where?

• 

  cPanelMichael

  • January 18, 2018 17:52

  Hello, The SSL installation process should detect that it's a self-signed certificate and allow the installation to succeed. Can you open a support ticket so we can take a closer look at why that's not working on your system? Thank you.

  0
• 

  sparek-3

  • January 18, 2018 18:20

  I got it to work by manually replacing the contents in the files that the cPanel installed self-signed certificate were using in the Apache configuration. The client has since received a valid DCV certificate, so I don't guess this is any issue right now. But I suppose the question should remain, why is the cab field necessary? Why does the installation process poop out when no CA Bundle is given when the installation process thinks there should be CA bundle? If I don't want to install the CA Bundle that should be my decision regardless of how the certificate is going to be presented to web site visitors.

  0
• 

  cPanelMichael

  • January 19, 2018 19:54

  Hello, As I understand, previously the SSL certificate installation process did not use OpenSSL to verify that a CA bundle was complete. This allowed users to install invalid CA bundles (leading to potential warnings when accessing the secure URL in web browsers). We've since added verification of CA bundles via OpenSSL before we accept the CA bundle for installation. Additionally, the system automatically checks to determine the best CA Bundle to use for a certificate and installs it (even if you manually enter a different one). I believe internal case CPANEL-14447 would address your concerns. It's open to report the confusion that can occur when users are unaware that their manually entered CA Bundle may not be honored when installing a SSL certificate. I'll monitor this case and update this thread with new information as it becomes available. Thank you.

  0

Please sign in to leave a comment.