bdawg wrote:I had some issues when I was creating my own certificate issued from a third party certificate authority with SABnzbd.
I have found that I can use both 2048 and 4096 bit keys, however the current version of SABnzbd does not seem to work with SHA-2 (aka SHA-256 or SHA-512) certificates. I didn't really get much in the way of errors/log information, so I thought I might post this thread. SHA-1 certificates work fine.
Remember you obviously need to place the unencrypted private key in the key field. Use OpenSSL to convert between certificate file formats.
Can you explain how you can create / get your own certificate? Is it a certificate that is trusted by browsers?
Sure. Your browser has a list of Root Certificate Authorities that it trusts. For example, in Firefox, go to Options > Advanced > Encryption > View Certificates. Chrome has something similar, Options > Under the bonnet > HTTPS > Manage certificates.
That means that you can go to anyone of those Root Certificate Authorities, and procure a certificate through them. The Certificate Authority goes through a few basic checks on the domain that you are requesting a certificate for, to ensure that it really does belong to you.
Once you have met the requirements, you submit your certificate request.
This is done in mainly one of two ways.
1. Follow the certificate request process on the site. This differs from site to site, but it generally asks you to select the domain/subdomain, choose the key length (2048, 4096 etc), choose the hash type (SHA-1, SHA-2, etc). It will probably you for a password to encrypt the private key. It will then give you a private key (usually domain.com.key) and a server certificate file (domain.com.crt).
Now, if you provided a password, the private key is usually encrypted with that password. However, SABnzbd requires that you specify a certificate with the unencrypted key. Therefore, you need to decrypt this key. Sometimes your certificate provider will have a web based tool to do this (look in the control panel of your account), however, it's just as easy (plus arguably more secure) to use OpenSSL with the following command.
openssl.exe rsa -in <Encrypted Key Filename> -out <Unencrypted Key Filename>
OpenSSL should ask you for a password to decrypt the file.
2. On a machine you own, you can generate a certificate request. You can again do this with OpenSSL, however you can also do this within the Windows IIS Web server component. This is basically a local version of #1 above. As you go through the request, specify your details to be included within the certificate (domain name, organisation, country, etc). It spits out a .TXT file (or sometimes a .CSR file if you use OpenSSL). You then upload that .TXT file to the Certificate Authority of your choice, and they issue you a .CER file. You then "complete" the certificate request within IIS by selecting "Complete Certificate Request" within IIS. (If you did this within Windows, you can then export the certificate as a .PFX file, and then use OpenSSL to split out the PFX file into a private key/server certificate format that you can use in SABnzbd, and most other non-IIS web servers).
Basically, wthe certificate authority will sign your certificate with the Root Certificate's private key. As the root certificate's public key certificate is already on your browser, you can then decrypt it.
The reason why I wanted to use a custom certificate is because it is much harder to perform a man-in-the-middle attack with a key that is provided by a trusted third party certificate authority (though not impossible).
Hope that helps. If you want to add anything to the Wiki, let me know and I'll clean it up a bit first.