get .key file from a .p12 - ssl

I need to extract the .key from the .p12 container of a certificate, I have its password and I have tried to use openssl in windows, putting the .p12 in the bin folder, I run the windows console in administrator mode. I go to the location:
C:\Users\usuario\Desktop\openssl-1.0.2j-fips-x86_64\OpenSSL\bin
then i execute
openssl pkcs12 -in miarchivo.p12 -nocerts -out miclave.key
but it gives me the following error:
Error opening output file miclave.key
miclave.key: Permission denied
At no time has he asked me for the password he has or anything...
I need it to be able to install my .crt and .key certificate on my jitsi server...
Thank you.

Related

LetsEncrypt generates fullchain.pem and privkey.pem files. I need .crt and .key files. How can I get them?

After running sudo certbot --nginx -d mydomain.io -d www.mydomain.io
I'm getting:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.io/privkey.pem
For my app to work, I need private.key and certificate.crt files.
I have tried converting .pem files like so:
openssl x509 -outform der -in /etc/letsencrypt/live/mydomain.io/fullchain.pem -out certificate.crt
openssl rsa -outform der -in /etc/letsencrypt/live/mydomain.io/privkey.pem -out private.key
When trying to run my app, I'm getting this error in the browser dev tools:
WebSocket connection to 'wss://<my-ip>:<my-port>/' failed:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
On server I'm getting this error (apparently it means that my app couldn't parse the key file):
mbedtls error: returned -0x7780
So it looks like an issue with the certificate. Can you help me to figure out what I have done wrong? What could be causing this issue? Are there other ways to generate .crt and .key files, so I could double check that I didn't make a mistake?
Turns out my problem wasn't related to generating the keys, I was doing it correctly.
But the client version of my app was trying to connect to wss://<my-ip>:<my-port>/, and instead I was supposed to connect to wss://<my-domain-name>:<my-port>/.

How do I use OpenSSL in the terminal to convert a .pem file to other formats?

I am trying to use OpenSSL in the terminal. I have installed OpenSSL using brew install openssl. I want to convert a .pem file to another format that my hosting provider will accept.
I have tried several different formulations of the code and plying the certificate from different places but none seem to work and all give me various error messages including permission denied.
This is what I tried last...
openssl pkcs12 -in /Users/myname/fullchain.pem -inkey /Users/myname/privkey.pem -out /Users/myname/fullchain.pfx -cacerts
This is my output
4552226412:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.250.1/libressl-2.6/crypto/asn1/tasn_dec.c:1125:
4552226412:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.250.1/libressl-2.6/crypto/asn1/tasn_dec.c:306:Type=PKCS12
What might this mean and what code should I be using?
Edit: I am getting output files but they are of course empty.
That error message is usually when the certificate format you pass to the command is not what it is expecting. The following command should solve it for you.
openssl pkcs12 -export -out /Users/myname/fullchain.pfx -inkey /Users/myname/privkey.pem -in /Users/myname/fullchain.pem
It should prompt you to enter an export password to encrypt the .pfx files content if it has succeeded.

How to convert .crt cetificate file to .pfx

I want to install the '.crt' certificate I received from a certificate provider to my IIS 7.5 server.
I have tried many times to install the .crt file by clicking on the 'certificates', and it states that it is installed correctly. So I open IIS, select "my server", open "server certificate" which is available on the menu on the right side, click "complete certificate request", select the .crt certificate on my computer and click ok. However, when I refresh IIS the certificate disappears automatically.
Our hosting provider mentions that I need to use a '.pfx' file which I do not have.
I have solved this issue by converting this .crt file into a .pfx file using following method.
To convert .crt to .pfx, we need CSA certificate (Private Key) provided by hosting provider. Below are the steps to convert this:
Download and install OpenSSL software from below link based on your system type
https://slproweb.com/products/Win32OpenSSL.html
Run the following command on command prompt:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OR
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt
Here:
Certificate.crt = Your-domain-Name.crt
CACert.crt = NetworkSolutions_CA.crt
certificate.pfx is the new name of generated file.
PrivateKey can be in .key or .txt format
After completing this process now we have certificate.pfx file so go to IIS Server certificates in IIS Manager.
There is an import link button on right side, click on this and select the converted certificate and enter password which is enter at the time of creation of the .pfx file and complete the process.
Now select your site on IIS and right click on this, select "Edit Binding" and on the new popup window select type as https:// and "Hosting name" is your domain name and all other field is as it is, click on ok to complete this process.
Now restart IIS and your certificate is working fine with your site.
Small update to the super-useful answer above:
The OpenSSL versions have been updated, so the links no longer work. Here's the full download page from which to download any version:
https://slproweb.com/products/Win32OpenSSL.html
I used Win64OpenSSL_Light-1_1_0j.exe for my Windows 10 IIS installation. Worked perfectly.
Installed into default location C:\OpenSSL-Win64\
For sslforfree.com's cert files, here's the command line for your convenience run from the folder containing the three files they provided by sslforfree.com:
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Couldn't able to connect to APNS Sandbox server

I am trying to connect to Apple APNS server with the following observations:
1)port 2195 is open 2)With Valid key passphrase for APNS_SSLCertificate_Key.pem 3)Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4)With the successful telnet response as below :
$ telnet gateway.sandbox.push.apple.com 2195 Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net. Escape
character is '^]'.
But when i run the following openssl command in my server to test the APNS connectivity :
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting error as follows:
unable to load certificate 57013:error:0906D06C:PEM
routines:PEM_read_bio:no start
line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting:
TRUSTED CERTIFICATE
So please suggest how to resolve this problem
Thanks in advance ......
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
List item
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates where effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that your are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
SSL problems: Step wise fix.
Most of the problems are due to the private key issues, which can be resolved as follows.
Follow the following commands and create the .p12 using openssl.
You will need
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured,installed or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
Final p12 that you will require is iphone_dev.p12 file and the passphrase that you had set.
Try again, hope your problem is fixed, as it always does for me. :)

Unable to use libcurl to access a site requiring client authentication

I’m using the below snipped for setting the certificate and key for client authentication.
curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem");
curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
curl_easy_setopt(curl,CURLOPT_SSLKEY,"privateKey.pem");
curl_easy_setopt(curl,CURLOPT_SSLKEYPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");
The certificate doesn’t have a password, I don’t know why on earth the option SSLCERTPASSWD exists, I just provided a dummy value.
When I run the program on Linux I get an error code of 58 and an error message
unable to set private key file: 'privateKey.pem' type PEM
On Windows however I get
unable to use client certificate (no key found or wrong pass phrase?)
It seems to suggest the certificate and the key don’t match but I don’t know how. I have extracted both the cert and the key from a p12 file using openssl commands.
The command I used to extract the key is
openssl.exe pkcs12 -in client.p12 -nocerts -out privateKey.pem
and the command used to extract the cert is
openssl.exe pkcs12 -in client.p12 -nokeys -out clientCert.pem
The p12 file has been successfully used in a browser to access the client authentication url.
Please help before I shoot myself.
Edit:
Here is proof that the private key and the certificate correspond to each other:
[debugbld#nagara ~/curlm]$ openssl x509 -noout -modulus -in clientCert.pem | openssl md5
d7207cf82b771251471672dd54c59927
[debugbld#nagara ~/curlm]$ openssl rsa -noout -modulus -in privateKey.pem | openssl md5
Enter pass phrase for privateKey.pem:
d7207cf82b771251471672dd54c59927
So why can’t it work?
Using the command line curl, I've got the same error using a .pem file that was also obtained with openssl from a p12 file, The p12 was also able to working properly doing client authentication when imported in a browser. Just like you described, I think.
My problem was caused because the .pem file was not listing the certificates in the proper order: seems that each certificate in the file has to be followed by its issuer certificate. I edited the file and changed the order of the sections and curl was happy.
For the record, my original .p12 file was obtained by backing up a certificate from Firefox.
Also note that in my case, I was not getting prompted for the password and was getting the
curl: (58) unable to set private key file: 'alice.pem' type PEM
before the password prompt
I was facing similar issues, I found out the problem was related to file permissions of the certificate and private key files. The process running PHP did not have read access to those files.
One thing you can try (and that helped me figuring this out) is to run the following code:
$result=openssl_get_privatekey('file://path/to/private/key.pem','password');
and check if the returned value is not false and there are no errors. I was getting:
file_get_contents(/path/to/private/key.pem): failed to open stream: Permission denied
Thanks Hugh for the thread and raugfer for the openssl hint. The later: both helpful and misleading. ;-)
Actually, I solved the problem by making sure that the path of the key file is correct. And here is why the openssl hint was misleading, dispite helping me to check if my PEM file was ok:
cURL needs the complete path, but without 'file://' prefix. While fopen is happy with a relative path, cURL is not. So, all my tests to open the key file had been successful, while cURL was not.
Btw.:
curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit");
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM");
curl_easy_setopt(curl,CURLOPT_SSLKEYTYPE,"PEM");
are not needed, as the password is only used to decrypt the private key and PEM is the default.