GoDaddy SSL Certificate for User Portal

Question

I have an SSL certificate from GoDaddy that I am trying to import into the XG 230 firewall. It wants the private key in a .key format which GoDaddy is only giving me a .crt format. The certificate key is in .p7b format which works just fine it appears. 
 I am reading articles on how to convert ssl certificates using OpenSSL but I am not seeing a way to convert .crt certificate to .key format. 
 Is this even possible? Am I just missing something completely? 
 I just want my users outside when they go to vpn.mycompany.com to not get a certificate error.

ChrisBacker1 · Accepted Answer

Richard, 
 This article helped me a lot with using and installing OpenSSL. Let me know if you have any questions. 
 
 http://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/

AllanD · Answer

RichardPhillips said: 
 I am a noob to OpenSSL and only have access to Windows PC's 
 
 For Windows here is what I did. First import your certificate into IIS (which it probably already is). Then go into Certificate Management: 
 
 Open Microsoft Management Console (mmc.exe) 
 File -> Add/Remove Snap-ins 
 Add in Certificates - Computer account - Local Computer 
 Go under Personal -> Certificates. 
 Right click the certificate you imported into IIS and select All Tasks -> Export. 
 
 Hit Next then Yes export the private key. 
 On the next screen I would click "Export all extended properties" then Next. 
 Check the Password box and give it a password. Save it somewhere then Next and Finish.

You should be able to import that .pfx file into the Sophos with the password you set without having to use OpenSSL. I've imported two certificates to two different XG's this way. 
 -Allan

DaMaN841 · Answer

I've had luck using this with GoDaddy after creating my own private key via OpenSSL. 
 The two files in green are supplied by GoDaddy. The file in red is generated by you via OpenSSL. The file in blue is the output for Copernicus along with the matching name without the extension. 
 I believe the gd_bundle.crt is given if you choose "Other" when downloading from GoDaddy. 
 openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in GoDaddy.crt -inkey privatekey.pem -out copernicus.my.com.pkcs12 -name copernicus.my.com -passout pass:changeit 
 I hope this helps. If there is a better way, I'd love to know if you find out. 
 Cheers, 
 Kyle

DaMaN841 · Answer

Ah, okay, I understand your disconnect and I should have picked up on it, my mistake. 
 You first need to generate your own CSR and Key, which you then sign via GoDaddy's CA. 
 
 openssl req -new -newkey rsa:2048 -nodes -keyout vpn.company.com.key -out vpn.company.com.csr 
 You'll have to enter some information: Country Code, State, City, Org. Name, Org. Unit, Common Name, Email, Password and Company Name 
 This will generate two files, vpn.company.com.key and vpn.company.com.csr 
 Sign into GoDaddy and sign the vpn.company.com.csr 
 Choose Other when you download the CRT files. It should provide you with a your signed GoDaddy.crt and their public gd_bundle.crt . 
 openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in GoDaddy.crt -inkey vpn.company.com.key -out vpn.company.com.pkcs12 -name vpn.company.com -passout pass:password 
 
 I hope this clears up any confusion. Let me know how you do! 
 Cheers, 
 Kyle

bizanator · Answer

You can do this inside Windows pretty easily. 
 Download the Other pack from Godaddy 
 Extract the zip file 
 double click the (randomname).crt 
 The Windows Certificate viewer opens up. 
 Click the Details Tab 
 Select Copy to File... 
 Export as CER (BASE64) 
 Save file & Upload to Sophos