Unable to add ssl certificate to microsoft power apps - ssl

I bought a wildcard ssl certificate with Combell which I need to install in my Microsoft Power App. Combell uses AES-256 encryption and Microsoft wants 3DES, so I downloaded the .pem file and converted it to a .pfx with 3DES encryption with this openssl command:
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_encrypted_pem.pem -out my_new_pkcs12.pfx -name "my-name"
So now I have a pfx certificate file, and it uses the 3DES encryption that Microsoft wants.
Microsoft requirements for ssl certificate
And still I can't upload the certificate in my admin center; it tells me that the password is incorrect or that the encryption used by the certificate is not supported (it's in Dutch, but see the image with the error here: link to img).
I don't know what the problem is, because the password is 100% correct and the encryption used is 3DES. Can someone please help?

Related

Azure KeyVault corrupts PFX certificate

I have a TLS certificate received from a public CA that is in pem format without the intermediate certs included. I need the certificate in PFX format with intermediate certs in Azure KeyVault to use with an Application Gateway.
I am able to successfully add the intermediate certs and convert to PFX format with the following:
$apiCertSecret | openssl pkcs12 -export -nodes -out /tmp/cert.pfx -CAfile /tmp/certchain.pem -chain `
-macalg sha256 -certpbe aes-256-cbc -keypbe aes-256-cbc
Where $apiCertSecret is the raw text of the original cert and /tmp/certchain.pem is the root and intermediate cert in PEM format.
The resulting PFX cert checks out AFAICT as valid with both certutil and openssl. Both certutil cert.pfx, run on Windows, and openssl pkcs12 -info -nokeys -in /tmp/cert.pfx, run in WSL, run without error and show all the intermediate certs.
When I take the cert.pfx file and upload it to Azure KeyVault via the portal or via Import-AzKeyVaultCertificate, I end up with an unusable cert. If I reference it from KeyVault in the Application Gateway configuration, I get an unrecognized name error when connecting to that listener. This is the full error from using openssl s_client -connect to test:
error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1584:SSL alert number 112
If I retrieve the secret from KeyVault with Get-AzKeyVaultSecret -AsPlainText and pipe it to | openssl pkcs12 -info -nokeys I get the following error:
140606285837632:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140606285837632:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=PKCS12
Importing this same cert directly into the Application Gateway works without issue. It also imports into the Windows cert store without issue although I haven't attempted to use it on a site there. I am looking to complete the automation of a cert upgrade, but I'm at a loss for what else to try. I would prefer to reference the cert from Azure KeyVault so the Application Gateway will automatically pick up changes, but right now that appears to be the issue.
My questions:
Are there any other commands I should use to inspect the certificate I have that might shed a little more light on the issue?
Is there another way I should attempt to upload the certificate to Azure KeyVault that would avoid the "corruption"?
Any chance someone has seen this as a known issue in Azure KeyVault?
In case it matters, the version of openssl in use is OpenSSL 1.1.1f 31 Mar 2020
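The two questions above both come down to "what is actually inside this PFX?": whether the bags really use the legacy 3DES PBE, and why a Key Vault secret piped straight into openssl fails with an ASN.1 "wrong tag". This added example (not code from any of the posts) is a standard-library Python inspector: it accepts raw DER or the base64 text Key Vault returns, walks the DER and lists the algorithm OIDs. The sample PFX skeleton, the `_der` helper and all function names are constructed for this example.

```python
import base64
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"   # legacy PBE that Microsoft importers accept (PBES2/AES is 1.2.840.113549.1.5.13)

def read_tlv(buf, pos):                     # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def decode_oid(raw):                        # base-128 arcs, high bit marks continuation
    arcs, v = [], 0
    for b in raw:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))
def collect_oids(buf):
    # Walk DER recursively and record every OID. An OCTET STRING whose content starts with a SEQUENCE
    # is tried as nested DER (PKCS#12 wraps AuthenticatedSafe that way); opaque octets are skipped.
    found, pos = [], 0
    while pos < len(buf):
        tag, start, pos = read_tlv(buf, pos)
        if pos > len(buf):
            raise ValueError("truncated DER element")
        if tag == 0x06:
            found.append(decode_oid(buf[start:pos]))
        elif tag & 0x20:                    # constructed: SEQUENCE, SET, [0] ...
            found.extend(collect_oids(buf[start:pos]))
        elif tag == 0x04 and buf[start:start + 1] == b"\x30":
            try:
                found.extend(collect_oids(buf[start:pos]))
            except (ValueError, IndexError):
                pass                        # salt/ciphertext/MAC that merely began with 0x30
    return found

def pfx_algorithms(blob):
    # A PFX is a DER SEQUENCE (first byte 0x30). Key Vault returns the secret as base64 text of that
    # DER, which is why piping it straight into `openssl pkcs12` gives an ASN.1 'wrong tag' error.
    return collect_oids(blob if blob[:1] == b"\x30" else base64.b64decode(blob))

# Constructed sample (not a loadable PFX): genuine PKCS#12 outer layout, one encryptedData bag under
# pbeWithSHA1And3-KeyTripleDES-CBC, dummy salt and ciphertext. _DATA/_ENC/_3DES are raw DER OIDs.
_DATA, _ENC = bytes.fromhex("06092a864886f70d010701"), bytes.fromhex("06092a864886f70d010706")
_3DES = bytes.fromhex("060a2a864886f70d010c0103")
def _der(tag, *parts):                      # TLV helper; every body in this sample is under 128 bytes
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)
_alg = _der(0x30, _3DES, _der(0x30, _der(0x04, b"\x01" * 8), _der(0x02, b"\x08\x00")))
_safe = _der(0x30, _der(0x30, _ENC, _der(0xA0, _der(0x30, _der(0x02, b"\x00"),
                                                  _der(0x30, _DATA, _alg, _der(0x80, b"\xAA" * 16))))))
SAMPLE_PFX = _der(0x30, _der(0x02, b"\x03"), _der(0x30, _DATA, _der(0xA0, _der(0x04, _safe))))
```

Run `pfx_algorithms(open("my.pfx", "rb").read())` on a real file, or pass the text from `Get-AzKeyVaultSecret -AsPlainText`; the 3DES question is answered by whether `PBE_SHA1_3DES` appears in the result.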

Valid leaf certificate in PEM format

I am troubleshooting an SSL certificate issue that appears after the .PFX to .PEM conversion using OpenSSL.
The certificate is from Azure App Service Managed Certificate (GoDaddy) for 1-year validity with auto-renewal.
https://azure.github.io/AppService/2021/05/25/App-Service-Managed-Certificate-GA.html
According to https://developer.americanexpress.com/documentation#certificate-requirements I just need to execute:
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Which I have done with no issue or error.
However, it is always throwing errors when uploaded to the Amex portal.
Error:
Please upload a valid leaf certificate in PEM format

openssl and PKCS12

jww's answer to the question "How do you sign a Certificate Signing Request with your Certification Authority?" was very useful to me, and I created my own CA key and cert and used it to sign a server cert.
I have a Linux server that I want to reach from an MS Edge browser. I found that the Microsoft Management Console application would not accept the .pem format certs, so I converted them into .p12 (PKCS12) format and combined them in a single file, also using material that I found on the Stack Overflow site. (file attached)
My question is does openssl create pkcs12 certs natively or is the conversion stage necessary?

Security Certificates

I've currently encountered a unique issue. To help understand the predicament I'll provide some background. Our company hired a third party to develop an application; a part of this web application package was the purchase of an SSL Certificate.
After they purchased the SSL they exported it into a Personal Information Exchange (.pfx).
The issue now occurs here...
Our company web server utilizes the Plesk Panel 11, which complicates matters for two reasons.
The first is that if I directly install the certificate, Plesk will not recognize the certificate and will eventually overwrite the contents in our Microsoft Certificate Store within the Windows Server MMC Certificate Snap-In.
The second issue is sheer bad luck: Plesk doesn't recognize the .pfx extension. It apparently only understands the following:
Private Key (.key)
Certificate (.crt)
CA Certificate (-ca.crt)
So my original thought was to simply convert the file into a valid format, which resulted in an error. The second attempt was to follow a command line control to export the file format to the valid extension. The results are still disappointing:
Error: Invalid Certificate Format
Since the file installed was a .pfx, it does not allow me to convert it to anything else. Unfortunately, when utilizing OpenSSL it only converted to a .pem, which, to my dismay, is also unsupported.
Any assistance would be terrific.
Update:
I attempted to follow this question on Stack Overflow. Unfortunately, Windows Server 2012 doesn't appear to do the conversion either. It does convert it into a valid format, but then the Private Key can't be found.
In order to solve this issue I followed this blog here.
So I attempted to utilize OpenSSL again, with these steps:
// Extract Private Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
// Extract Certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
// Encrypted Private Key
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Again you need to enter an import password. This time you need to enter the new password that you created in step 1. After that you're done. You decrypted your private key. In the folder you ran OpenSSL from you'll find the certificate (.crt) and the two private keys (encrypted and unencrypted).
That is how I solved my question.

Client SSL authentication causing 403.7 error from IIS

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.
Installing the certificate and trying to access the restricted area in various browsers gives the following results:
IE6 - Works fine and I can retrieve the WSDL
IE7 - Prompts for the certificate but then fails with a 403.7 from the server
Firefox3 - Set to ask, but no prompt and fails with a 403.7
Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7
Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.
Strange that this works in IE6 but in no other browser; what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?
Any help would be greatly appreciated.
This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
and use the above command with "-in file.pem" only.
Also, you can import the root CA cert into your trusted certs store, here is the description how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert use the command above without the "-CAfile chain.pem".
Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:
openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12