This content originally appeared on Twilio Blog and was authored by Brian Mgrdichian
SSL, CSR, RSA? FAQ!
This blog post aims to answer some frequently asked questions around domains, DNS records, certificates, keys, and syntax configurations for use with our Link Shortening and Click Tracking features.
There’s a lot of minutiae to encryption and that’s for good reason – you need to be sure that your information and data hasn’t been read or tampered with by unauthorized parties. As with any well thought out protocol, there are a lot of moving parts, all of which need to fit together and continue moving like a hot knife through butter. This post will attempt to explain some of those moving parts, and show you what you need to be aware of with Link Shortening and Click Tracking.
Table of Contents
- Private Key Errors
- Is my private key in the wrong format or syntax?
- Can I manually edit my private key to convert it?
- How do I convert a PKCS #12 private key to a PKCS #8 private key?
- Certificate Errors
- Can I use a wildcard certificate like *.example.com?
- Are Subject Alternative Names on TLS Certificates supported?
- How can I determine what domain names are on my certificate?
- Does certificate syntax really matter?
- Other Common Errors
- Can I use AWS ACM?
Private Key Errors
Is my private key in the wrong format or syntax?
There are many private key formats available. However, the Link Shortening and Click Tracking features currently only support PKCS #8 formatted keys, i.e., private keys that start with BEGIN PRIVATE KEY. A common mistake is trying to upload a PKCS #12 formatted key, which instead begins with BEGIN RSA PRIVATE KEY.
Can I manually edit my private key to convert it?
Manually replacing BEGIN RSA PRIVATE KEY with BEGIN PRIVATE KEY in a text editor does not change the format of your private key and will continue to result in errors. See below to learn how to convert your private key.
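Why a hand-edited header still fails, shown as an added Python example (not from the original post and not Twilio's validation code): the base64 body keeps the layout it was written with, so a structural check still finds the RSA PRIVATE KEY layout under a PRIVATE KEY header. The function names and the constructed DER skeletons are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(der, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_shape(der):
    """Classify a key body by the element that follows the version INTEGER."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:  # outer SEQUENCE
        return "unknown"
    tag, _, end = _tlv(der, start)
    if tag != 0x02:  # version INTEGER
        return "unknown"
    # PKCS #8 continues with a SEQUENCE (AlgorithmIdentifier); an RSA PRIVATE KEY body with an INTEGER (modulus).
    return {0x30: "pkcs8", 0x02: "rsa"}.get(der[end], "unknown")

def check_key(pem_text):
    """Return 'ok', 'needs-conversion', 'header-edited', 'unsupported' or 'invalid'."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "invalid"
    label, body = m.groups()
    if label == "RSA PRIVATE KEY":
        return "needs-conversion"
    if label != "PRIVATE KEY":
        return "unsupported"  # e.g. CERTIFICATE REQUEST
    try:
        shape = der_shape(base64.b64decode(body))
    except (ValueError, IndexError):
        return "invalid"
    return {"pkcs8": "ok", "rsa": "header-edited"}.get(shape, "invalid")

# Constructed DER skeletons, not real keys: only the outer structure matters here.
RSA_SHAPED = bytes.fromhex("3006020100020103")      # SEQ { INT 0, INT 3 }
PKCS8_SHAPED = bytes.fromhex("300702010030000400")  # SEQ { INT 0, SEQ {}, OCTET STRING }

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(check_key(pem("PRIVATE KEY", RSA_SHAPED)))  # header edited by hand -> header-edited
```

To check a real file, pass its contents to check_key(); the key material itself is never printed.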
How do I convert a PKCS #12 private key to a PKCS #8 private key?
If you’re starting with a PKCS #12 private key, you can follow this 2-step process to convert it to a useable PKCS #8 private key:
- Convert PKCS12 to PEM
openssl pkcs12 -in {input PKCS #12 file} -nocerts -nodes -out privkey.pem
- Convert PEM to PKCS8
openssl pkcs8 -in privkey.pem -topk8 -nocrypt -out {output PKCS #8 file}
If that doesn’t work, you can instead try this approach:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in {input PKCS #12 file} -out {output PKCS #8 file}
You can now use your output file, for example certname.pk8, in your private key upload.
Certificate Errors
Can I use a wildcard certificate like *.example.com?
If your certificate has been generated for a wildcard domain such as *.example.com, the certificate will be rejected during upload. Your domain name must be explicitly defined on the certificate.
Are Subject Alternative Names on TLS Certificates supported?
The Common Name (or CN) listed on your certificate must match the domain name for which you’re attempting to upload. If the certificate only lists the domain name you’d like to use in the “Subject Alternative Name” (SAN) list, your certificate will not be accepted.
How can I determine what domain names are on my certificate?
If you need to check which domain names are listed on your certificate, you can run the following command:
sudo openssl x509 -in {path_to_cert.pem} -noout -text | grep "Subject: CN"
This should give you back something like this:
Subject: CN=ls.owlshoesinc.com
If you get an “unable to load certificate” error, you may be trying to inspect the wrong file: a “certificate request” instead of the actual certificate.
Does certificate syntax or format really matter?
It does! The TLS certificate and private key must be generated in a PEM format to upload properly.
Other Common Errors
Can I use AWS ACM?
Unfortunately, since AWS ACM cannot export private keys, you won't be able to use ACM certificates with Twilio’s Link Shortening and Click Tracking offerings.
Still have questions?
If you’ve reached another error not listed above, or you’d like some clarification before moving forward, please contact our support team.
Brian Mgrdichian is a Principal Solutions Engineer at Twilio. When he’s not helping clients unearth the most optimal integrations to fulfill their needs, he loves to tinker with 3D design and printing, work on electronics, and go for hikes in the mountains of Colorado. He can be reached at bmgrdichian[at]twilio.com.
Brian Mgrdichian | Sciencx (2023-03-15T17:29:29+00:00) Link Shortening and Click Tracking SSL FAQ. Retrieved from https://www.scien.cx/2023/03/15/link-shortening-and-click-tracking-ssl-faq/