I have a trusted certificate chain, a certificate issued by this chain and private key file for this certificate.
I want to create a P12 / PFX for this, so I can put it as client certificate in the windows store:
OpenSsl Pkcs12 -export -nokeys
-certfile mytrustedCertifcates.pem^
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
Alas, the resulting file contains all trustedCertificates. If I import the P12 in my windows certificate store, I import the complete certificate chain, although they are already in the certificate store.
I also tried options: (from OpenSsl command line utilities, also in -help)
-nocerts don't output certificates.
-clcerts only output client certificates.
Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.
BartonJs gave the answer in a comment (thank you BartonJs!):
leave out the --certfile parameter:
OpenSsl Pkcs12 -export -nokeys
-name some friendly name
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
nokeys: leaves out the PEM password
name: the friendly name that will appear in column friendly name of the winstore
inkey and in are the input certficate with its private key
out is the name of the file to produce.
After importing it in the windstore (command: certlm.msc), It propertly says:
Issued to:
Issued by:
Expiration date
Intended purposes
Friendly name:
I'm sure that this has been asked you several times, but solutions to that cases didn't work for me. So I need your help.
Consider x.root.cer is CA's certificate, x.app.cer is Application's certificate signed by CA's certificate, and x.app.private.pem is Application's private key.
I'm using following command in order to create pfx file (want to include both private key and certificate of application).
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx -certfile x.root.cer
Even though I know (can see) that 3 files are there, I'm getting the following error:
unable to load certificates
Can you please help me about this error?
Well, finally I suceeded with this command
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx
That means I shouldn't use -certfile parameter.
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12
How can I create a PEM file from an SSL certificate?
These are the files that I have available:
.crt
server.csr
server.key
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Thanks NCZ
Edit: As #floatingrock says
With AWS, don't forget to prepend the filename with file://. So it'll look like:
aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:
cat server.crt server.key > server.pem
Additionally, if you don't want it to ask for a passphrase, then need to run the following command:
openssl rsa -in server.key -out server.key
this is the best option to create .pem file
openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts
I was trying to go from godaddy to app engine. What did the trick was using this line:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
And I answered all the questions pertaining to common name / organization as www.name.com
Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.
I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.
Standards
Standards
Content format
File encoding
Possible content
X509
X
Certificates
PKCS#1
X
RSA keys (public/private)
PKCS#7
X
Certificates, CRLs
PKCS#8
X
Private keys, encrypted private keys
PKCS#12
X
Certificates, CRLs, private keys
JKS
X
Certificates, private keys
PEM
X
DER
X
Common combinations
Content \ Encoding
PEM (*)
DER (**)
Binary
X509
X
X
PKCS#1
X
X
PKCS#7 (***)
X
X
PKCS#8
X
X
PKCS#12 (***)
X
JKS (***)
X
This is a gist explains the same thing + commands for conversion/verification/inspection.
In conclusion, typical steps to work with cryptography/PKI materials:
Understand which format they are in (use verification/inspection commands)
Understand which format they are required (read doc)
Use conversion commands to convert the files
Optional: use verification/inspection commands to verify converted files
What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate,
enclosed between "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"
So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.
Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.
Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:
grep -A 1000 BEGIN cert.crt > cert.pem
Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.
aws iam upload-server-certificate
--server-certificate-name mycert
--certificate-body file://try2/40271b1b25236fd1.crt
--private-key file://server.key
--path /cloudfront/production/
--certificate-chain file://try2/gdig2_bundle.crt
And to delete your previous failed upload you can do
aws iam delete-server-certificate --server-certificate-name mypreviouscert
Download certificate from provisional portal by appleId,
Export certificate from Key chain and give name (Certificates.p12),
Open terminal and goto folder where you save above Certificates.p12 file,
Run below commands:
a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,
b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts
Your .pem file ready "pushcert.pem".
Open terminal.
Go to the folder where your certificate is located.
Execute below command by replacing name with your certificate.
openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts
Hope it will work!!
On Windows, you can use the certutil tool:
certutil -encode server.crt cert.pem
certutil -encode server.key key.pem
You can combine both files to one in PowerShell like this:
Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem
And in CMD like this:
copy cert.pem+key.pem cert-and-key.pem /b
is there a way to convert from a .key file to a .pfx file?
thank you.
EDIT: I only have the .key file but my hosting provider says that I could convert it to .pfx with just that file.
To check if your .key file has everything you need:
#check if file contains a valid certificate:
openssl x509 -text -in file.key
It should print out certificate details. If it prints an error including the text "unable to load certificate", then your file is not sufficient.
#check if file contains a valid key:
openssl rsa -text -in file.key
openssl dsa -text -in file.key
One of the above commands should print out valid key details. The other will give an error with the text "expecting an rsa key" or "expecting a dsa key".
If the error text says "bad decrypt", you have provided an invalid passphrase, or the file is damaged.
If the error text says "Expecting: ANY PRIVATE KEY", then your file is not sufficient.
If you got a key, and one certificate which matches the key (and optionally some other certificates), then you have enough to convert the file to a pfx. Then, as ISW said, it's just a matter of
#convert file containing key and certificate(s) to PKCS#12 pfx file.
openssl pkcs12 -export -out file.pfx -in file.key
and you're done.
You could try this
https://www.sslshopper.com/ssl-converter.html
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
According to the OpenSSL Command-Line HOWTO it should work using
# export mycert.key as PKCS#12 file mycert.pfx
openssl pkcs12 -export -out mycert.pfx -in mycert.key -name "My Certificate"
You can convert your .key file to .pvk using the tool http://www.chilkatsoft.com/p/p_347.asp and then use the instructions on GoDaddy to combine both .scp and .pvk into a .pfk. Just make sure you use a password when generating the .pvk file.