ZeroSSL no private key is generated?


#1

My domain is: joeybabcock.me

I’m not sure if this is the correct place to post this issue but ZeroSSL.com didn’t have its own forums and I saw a previous post that seemed to have the same issue but it was locked and had no solution.

Anyway, when I generate a CRT using ZeroSSL, it gives me the CRT and CABUNDLE but there is no longer the second box where the private key usually is.


#2


#3

Did you provide a CSR to ZeroSSL? Because in that case, it would not create a private key for you.


#5

This seems like a pretty likely explanation!


#6

I did not initially provide a CSR, I had it generate one for me


#7

Weird. I just went through the process without providing a CSR, and this is the final result:


#8

I just did it again with a different site, and it once again gave me no private key…

A CSR is not the same as an account key correct?


#9

Correct.
CSR are signing requests.
You generate the private key and the CSR and the CA returns the public cert and chain.


#10

How can I go about generating the private key?


#11

It is not required but some consider it more secure to do so (completely offline).
You can use OpenSSL.

Here is a single step for generating a private key and CSR:

openssl req -out public.csr -new -sha256 -newkey rsa:2048 -nodes -keyout private.key

Here it is in two separate steps:

openssl genrsa -out private.key 2048
openssl req -new -sha256 -key private.key -out public.csr

#12

https://gethttpsforfree.com provide a workflow for completely-offline generation of all keys, if you can’t get ZeroSSL to work.


#13

I have gotten it to work in the past, i’m not sure why its not generating the two boxes this time as opposed to how I’ve done it in the past…


#14

Try another browser?


#15

OK, will I have to reverify my domains if I do that?


#16

Do what?

In general, you always have to verify domain control.
[otherwise anyone could ask for any cert for any domain]


#17

@leader, do you know why the user interface on ZeroSSL might vary this way?


#18

FYI, Let’s Encrypt has rate limits, and you have successfully issued at least two certificates. Let’s Encrypt’s rate limiting system doesn’t know you’re having trouble with the private keys. Be careful not to issue too many duplicate certificates.

https://tools.letsdebug.net/cert-search?m=domain&q=joeybabcock.me&d=168


#19

I’ll hold off on trying to make another certificate then. I believe the one I created a month or two ago still has a few weeks so i can try and recover it.


#20

The only valid case for the domain key NOT being shown on the last step for the process is when a CSR was used on the first step (for the obvious reasons, explained on site, including the FAQ page). If it has been generated on site, it will be shown.

Long time ago there was one case when the page has not been shown correctly, which came out to be because of the browser plugin playing with the layout a bit (was Grammarly if I’m not mistaken), but that was fixed quickly.

To sum this up: if the process of generating the certificate has not been interfered with in some unusual way and you have not used a CSR on the first step, you will always be getting both the certificate and associated domain key on the last step.

You can also pre-generate a CSR/key pair with the CSR generator at https://zerossl.com/free-ssl/#csr and then use the generated CSR with the SSL Certificate Wizard. Note: they key generated with the CSR Generator is effectively your “domain key” and it does not need to be entered anywhere in SSL Ceritificate Wizard - this is what you use when adding your certificate into your web server configuration.


#21

Oddly enough I do have grammerly installed, I will disable it and see if I’m able to get it to work.