Using IIS on Windows Server 2016.
The reason I'm asking if a .pfx file expires is because today I can no longer successfully use a certificate that I had exported yesterday.
I have a wildcard certificate that I installed on one server, and then I exported it from that server in order to import it into two other servers. All this was done yesterday and this worked perfectly fine.
Today I want to import that same .pfx file into a fourth server but it doesn't work. I can import it and I can bind the site to it but the browser is still showing a "this site is not secure" error.
I also made a note last year when I did the same thing that I had the same problem. Apparently last year I was able to re-export from the first server and then import and it was fine, but this year even that doesn't work.
So my question is, why was I able to import the pfx onto two servers yesterday, but today it doesn't work? Are pfx files only valid for the same day they were exported?
A pfx file does not expire, i.e. it does not simply vanish after some time. Certificates though have an explicit lifetime when they are valid, i.e. a start date and an expiration date. A pfx file is a container which includes certificates, but also a private key. The private key cannot expire, the certificates do. There can be multiple certificates within the same pfx file (leaf and chain certificates) with different expiration times. Certificates can also be stored in other formats than PFX.
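The answer above draws the line between the container and the certificates it carries. As an added example that is not part of the answer, the following PowerShell opens a .pfx and reports each certificate's validity window and whether it carries the private key, which tells you whether a "not secure" warning traces back to an expired certificate or a key-less export rather than to the age of the file. The path is a placeholder, the password is prompted for, and it assumes Windows PowerShell 3 or later.

```powershell
# Added example, not from the original answer: inspect what a .pfx actually
# contains and when each certificate is valid. Path is a placeholder.
$PfxPath  = 'C:\certs\wildcard.pfx'        # placeholder
$Password = Read-Host -Prompt 'PFX password' -AsSecureString
$Plain    = (New-Object System.Net.NetworkCredential('', $Password)).Password

# Import every certificate in the container (leaf plus any bundled chain certs).
$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($PfxPath, $Plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$now = Get-Date
$report = foreach ($cert in $col) {
    $state = 'valid'
    if ($now -lt $cert.NotBefore) { $state = 'NOT YET VALID' }
    elseif ($now -gt $cert.NotAfter) { $state = 'EXPIRED' }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        HasPrivateKey = $cert.HasPrivateKey   # the key never expires; normally only the leaf carries it
        State         = $state
    }
}
$report | Format-List

# The private key is what lets IIS serve the certificate: a .pfx exported
# without it imports into the store but cannot terminate TLS for the site.
if (-not ($col | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'No certificate in this .pfx carries a private key; re-export with the key included.'
}
```

Run it against the same .pfx on the server where the import "worked" and on the one where it did not; if the report is identical on both, the file is not the variable and the problem lies in the binding or the server's trust store.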
Related
I'm using https://github.com/fszlin/certes to generate an SSL PEM file and private key, but throughout the process I can't seem to see where to get the certificate's expiry date (or even if it's in there). I have found the order expiry date, which is 7 days from now.
Does anyone know if it's a property I can extract in some method or maybe later read the PEM to get the data out from there?
I know I can get it from the https url once the certificate is installed, or just simply add 90 days onto the created date, but it would be handy to get it from the certificate itself in some form during the creation process.
I recently joined a company and we have been asked by one of our clients to share our certificate so that they can establish a connection with us. We are working on getting an SSO between us. So I pulled up our environment on the browser and when I clicked the certificate, I got a multi-level certificate setup. The certificates are in three levels, the first is Trustwave, second is Trustwave <> Level 1 and the last level is *.<>
I am able to click and open the first two, but not the last one. I just have a basic idea of certificates. How do I share this with the client? Do I have to share both certificates separately, or is there a way to combine them and share them as a single file?
Thanks!
I finally figured out how to do this a couple of days back. IE does not allow you to export the certificate at the last level, but Chrome does. So using Chrome, I exported all three certificates to my computer. I exported them in Base-64 encoded format, so when I open them using a text editor, I can see the contents. The way to share all three would be to paste the complete contents of the root certificate, followed by the certificate at the next level, and so on. So finally I had three certificate entries in one file. Save it as a .pem file and share it with the client!
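As an added example that is not part of the answer above (and that also covers the earlier question about reading an expiry date out of a PEM file), the following PowerShell loads each exported Base-64 .cer file, prints its subject, issuer and expiry, checks that every certificate's issuer is also present in the set or is self-signed, and then writes all of them into one .pem bundle in the order listed. The file names are placeholders. The same .NET X509Certificate2 class, which exposes NotAfter once the certificate bytes are loaded, is available from C# as well.

```powershell
# Added example, not from the answer above: bundle exported Base-64 .cer files
# into one .pem and show what each one is. File names are placeholders.
$certFiles = @(
    'C:\export\root.cer',          # placeholder: root CA
    'C:\export\intermediate.cer',  # placeholder: intermediate CA
    'C:\export\site.cer'           # placeholder: the wildcard site certificate
)
$bundlePath = 'C:\export\chain.pem'  # placeholder

# X509Certificate2 reads both DER (.cer) and Base-64 (.cer/.pem) files.
$certs = foreach ($f in $certFiles) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f)
}

foreach ($c in $certs) {
    # String comparison of distinguished names; adequate for certificates from one CA.
    if ($c.Subject -eq $c.Issuer) {
        $link = 'self-signed (root)'
    } elseif ($certs | Where-Object { $_.Subject -eq $c.Issuer }) {
        $link = 'issuer present in bundle'
    } else {
        $link = 'ISSUER MISSING from bundle'
    }
    "{0}`n  Issuer : {1}`n  Expires: {2}`n  Chain  : {3}" -f $c.Subject, $c.Issuer, $c.NotAfter, $link
}

# Re-encode from the parsed bytes so the bundle is clean 64-column PEM
# regardless of how each file was exported.
$pem = foreach ($c in $certs) {
    $b64   = [Convert]::ToBase64String($c.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
}
Set-Content -Path $bundlePath -Value ($pem -join "`n") -Encoding Ascii
```

The per-certificate printout lets both sides confirm that each certificate in the bundle is issued by another one in the bundle, so the recipient can reorder the entries if their tooling expects a different order.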
I have obtained a free Open Source Developer certificate (with Code Signing as only usage) from Certum in reply to a web form instead of a regular CSR file. The Certificate has no installation issues on Windows and forms a trusted chain along with the corresponding intermediate and root CA certificates in any keystore management tool I have tried. No problems so far.
Nevertheless, besides the bright side of becoming somewhat acquainted with the subject after frustratingly studying it for several days (my only purpose was to sign jar files for my online solfège school), I haven't been able to import the certificate into any keypair in keytool, KeyStore Explorer, CERTivity, or OpenSSL, because the public keys don't match, (I think) obviously.
I (probably mis)understand that the public key from a requesting keypair is conveyed to the CA by the CSR file and included back in the certificate reply, but in my case there is no CSR file.
I plainly admit my ignorance, and would just like to know:
Whether it is even possible (with all the security risks involved) to tailor a keypair to match such an existing certificate (an OpenSSL command, perhaps), and
if, as I'm afraid of, the answer is no, what is such a "CSR-file-orphan" certificate useful for?
Any enlightenment will be greatly appreciated.
Jesús Díaz
Certum probably have created the CSR for you if you didn't submit one.
In that case, a (public-private) key pair would have been installed on your computer.
You will probably have to export the key pair from Windows keystore to a file so that you can import it to another keystore.
guide from microsoft
with screenshots
another way
To answer your questions:
since the certificate has been created, you won't be able to create a key pair for it.
it is actually not a CSR orphan certificate
You might want to make another request from Certum and inform them that you would like to provide a CSR
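As an added example that is not part of the answer above, the following PowerShell locates the certificate in the current user's personal store that was installed together with its key pair, confirms that the private key is present, and exports both into a password-protected .pfx that keytool or KeyStore Explorer can import. The subject filter and output path are placeholders; Export-PfxCertificate ships with the PKI module on Windows 8 / Server 2012 and later, and it fails if the key was marked non-exportable when the certificate was installed.

```powershell
# Added example, not from the answer above: export the certificate together
# with the private key Windows created for it. Filter and path are placeholders.
$subjectFilter = '*Open Source Developer*'                 # placeholder
$pfxOut        = Join-Path $env:USERPROFILE 'codesign.pfx'  # placeholder

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like $subjectFilter }

foreach ($c in $candidates) {
    "{0}`n  Thumbprint   : {1}`n  HasPrivateKey: {2}`n  Expires      : {3}" -f $c.Subject, $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter
}

# Only a certificate whose key pair lives in this store can be exported with it.
$cert = $candidates | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw 'No matching certificate has a private key here; check Cert:\LocalMachine\My or the machine the request was made on.'
}

$pfxPassword = Read-Host -Prompt 'Password for the new .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxOut -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) with private key to $pfxOut"
```

The resulting .pfx is a PKCS#12 keystore, so for jar signing it can be converted into a Java keystore with `keytool -importkeystore -srckeystore codesign.pfx -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS` and then used by jarsigner.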
I use Windows XP SP3. I resell digital signature certificates. I get the clients' data, key them into a portal and download the dsc onto my machine. I use Internet Options and export the certificate to a pfx file with a password and send it off to the client. Since this is being done over and over again, during export to pfx, inadvertently the wrong certificate is selected. Once the pfx file is generated, is there any way of knowing the common name in the pfx file without having to reinstall the certificate? I have looked into openssl, but I'm not sure if it can be achieved by a batch file as a password has to be physically entered. Ideally, after exporting say 10 pfx files, I would like to run a batch file which would display only the common names. Once I confirm that the names are correct (I have exported correctly), I can delete the certificates from the store.
You should write your own application that will perform batch processing of PFX files.
The pseudocode using CryptoAPI is as follows:
Read the pfx files from disk one by one using PFXImportCertStore (the file bytes are passed as a CRYPT_DATA_BLOB together with the password). You will get a handle to an in-memory certificate store.
Acquire the certificate context: PCCERT_CONTEXT phPfxCertCtx = CertEnumCertificatesInStore(hStore, NULL); pass the previous context back in to step to the next certificate.
Get the subject name from phPfxCertCtx->pCertInfo->Subject. That field is a CERT_NAME_BLOB (an encoded distinguished name), so convert it to text with CertNameToStr before comparing.
You can have a predefined list of subjects to compare the subject names that are read now.
Close the context and certificate store: CertFreeCertificateContext, then CertCloseStore with CERT_CLOSE_STORE_FORCE_FLAG.
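The pseudocode above is the native CryptoAPI route. As an added example that is not part of the answer, here is the same batch in PowerShell over the .NET wrapper of that API: it prompts for the password once, reads the Common Name from every .pfx in a folder without installing any of them, and compares each against the name that was meant to be exported. Folder, file names and expected names are placeholders; it uses only PowerShell 2.0 features, which is the version available for XP SP3.

```powershell
# Added example, not from the answer above: batch-check the Common Name in every
# .pfx in a folder against the expected names. Folder and names are placeholders.
$pfxFolder = 'C:\exports'    # placeholder
$expected  = @{               # placeholder map: file name -> CN you meant to export
    'client1.pfx' = 'Client One'
    'client2.pfx' = 'Client Two'
}

# Password entered once; decrypted to a plain string only for the .NET Import call.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$results = foreach ($file in Get-ChildItem -Path $pfxFolder -Filter *.pfx) {
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    try {
        $col.Import($file.FullName, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    } catch {
        New-Object PSObject -Property @{ File = $file.Name; CommonName = $null; Expected = $expected[$file.Name]; Status = "UNREADABLE: $($_.Exception.Message)" }
        continue
    }
    # The certificate carrying the private key is the one that was exported;
    # any others are chain certificates bundled alongside it.
    $leaf = $col | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { $leaf = $col[0] }
    # SimpleName yields the Common Name when the subject has one.
    $cn   = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $want = $expected[$file.Name]
    $status = if (-not $want) { 'no expectation recorded' } elseif ($cn -eq $want) { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{ File = $file.Name; CommonName = $cn; Expected = $want; Status = $status }
}
$results | Select-Object File, CommonName, Expected, Status | Format-Table -AutoSize
```

Because the password is read once per run, the script covers the "batch of ten exports" case the question describes, and a MISMATCH row identifies a file that must be re-exported before the certificate is removed from the store.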
I currently have a wildcard SSL certificate running on IIS 6 that needs to be renewed. The new certificate bit-strength is now 2048 (the current one that needs to be renewed is 1024). Is there any easy way to get a certificate request file that is 2048 bit when renewing from a 1024?
I don't see the option to change bit strength for renewing an SSL certificate (I only see this when creating a totally new one from scratch).
I recently had to do this very same thing, and the way I did it was to remove the current certificate completely, then add a new certificate fresh; otherwise, I could not figure out how to update the CSR from 1024 to 2048, which is now a requirement.
So, to answer your question, remove the current certificate first (this might be tricky if it's a busy online store), then go through the wizard and switch the CSR from 1024 to 2048.
Not the best answer, I know, but the only one I could seem to find right off (and the easiest).
Be warned about trying to get clever with this one. I just got myself in a big mess trying to do exactly this same thing without any downtime.
What I did was:
Create another website and generate a cert request for that. Made sure to put in the correct common name when generating the request.
I downloaded the certificate that was generated and installed it in my 'Personal' certificates for the Local Computer account (after adding certificate snap in).
Did 'replace' on the main website for the certificate and chose the new updated one.
I ended up getting this error (as reported by Chrome) when accessing the https site.
(net::ERR_SSL_PROTOCOL_ERROR): Unknown error
After playing around and switching back to the original certificate I ended up just removing it and re-keying the certificate. It only led to 1-2 minutes of downtime.
I do think that if you do what I was attempting in the correct order you'd be fine. I think you need to export the .pfx file and then import that. I think what's happening is the original server didn't have the correct private key or something like that and was getting confused.
So I'm upvoting calweb :-)
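As an added example that is none of the answers above: a request with any key length can be generated outside the IIS 6 renewal wizard with certreq.exe, which is present on Windows Server 2003, so the key size is chosen in a small .inf file rather than in the wizard. Once the CA returns the signed certificate, certreq -accept joins it to the pending key in the machine store, and the IIS 6 wizard's "Assign an existing certificate" option can switch the site to it. The subject fields and paths are placeholders; the two certreq commands can equally be typed at cmd.exe.

```powershell
# Added example, not from the answers above: generate a 2048-bit CSR with
# certreq.exe instead of the IIS renewal wizard. Subject and paths are placeholders.
$infPath = 'C:\certs\request.inf'   # placeholder
$csrPath = 'C:\certs\request.csr'   # placeholder

# KeyLength is the setting the renewal wizard does not expose.
# ProviderName/ProviderType select the SChannel RSA CSP so IIS can use the key;
# MachineKeySet puts the key in the computer store rather than the user profile;
# KeyUsage 0xa0 = digitalSignature + keyEncipherment, as for a server certificate.
$inf = @'
[NewRequest]
Subject = "CN=*.example.com, O=Example Ltd, L=Springfield, S=State, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
'@
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Creates the key pair in the machine store and writes the Base-64 CSR.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Confirm the key size before submitting the request to the CA
# (assumes certutil prints a "Public Key Length" line for the request).
certutil -dump $csrPath | Select-String 'Public Key Length'

# After the CA returns the signed certificate (placeholder path):
#   certreq -accept C:\certs\issued.cer
# joins it to the pending key; the site is then switched over in the IIS 6
# wizard with "Assign an existing certificate", so the old binding stays up
# until that moment.
```

Because the new key pair is created alongside the existing one rather than in place of it, the current 1024-bit certificate keeps serving until the new one is assigned, which avoids the window of downtime the answers above describe.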