I have a DER certificate file, and using openssl I tried to extract the private key. I tried many commands but none of them would extract the key. I WAS able to extract the certificate, but not the PK.. Any ideas what to do? Many thanks.
Related
I'm trying to install an SSL Certificate on my website, I bought the certificate online but they didn't give me a private key file, I got a pem file instead. Is their any way I can generate the private key file from the pem file?
I'm using a Mac and tried OpenSSL to generate the key file:
openssl rsa -in myfile.pem -out private.key
But this gave me the following error:
unable to load Private Key
4781944428:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY
Any help is greatly appreciated!
Usually the private key is generated on your web server through the web server software or else using openssl.
When you buy a certificate online from a certificate authority, you generate a certificate request, and send it to the authority. The cert request doesn't have the private key, only a signature from the private key, so that's why you can't extract it from the pem file they sent you back.
You need to look at the software you used to generate the certificate request. If you didn't do this, and the company you bought the cert didn't require it, they may be a hosting provider who has the private keys.
This question already has answers here:
How to get .pem file from .key and .crt files?
(12 answers)
Closed 4 years ago.
I downloaded the files from a ssl purchase and got from it the following files:
ServerCertificate.cer
CACertificate-ROOT-2.cer
CACertificate-INTERMEDIATE-1.cer
PKCS7.p7b
A client requires 2 crt.pem files. One of which needs to come from the ServerCertificate.cer and another from a so called PFC file that should of been provided. Which is aparently a combination of the certificate and the key.
I have tried using:
openssl x509 -inform der -in certificate.cer -out certificate.pem to convert the first file however I get a "Unable to load certificate" error.
What am I doing wrong?
PS Please dont link me to https://www.sslshopper.com/ssl-converter.html, as this isn't working either.
If by PFC you actually mean PFX, then you can convert p7b to pfx (PKCS#7 to PKCS#12) using openssl.
ServerCertificate.cer is most likely PEM. Follow Steffen's comment:
Extensions do not matter. It is likely that your *.cer files are already in PEM format and you just have to rename these if you want a file name of *.pem but not convert. Look at the contents with some editor: if it is binary it is likely DER encoded, if it starts with something like -----BEGIN CERTIFICATE----- it is PEM encoded.
If it is not PEM, then it is binary and openssl can convert it to PEM.
Normally you need two files: the private key (ServerCertificate.key) and the certificate (ServerCertificate.cer). Sometime you also need the root and intermediate certificates depending on who issued your certificate (you don't say).
None of the file that you listed is the private key. This was created as the first step to create the CSR (certificate signing request) that you sent to the ssl vendor. PFX has the option to include the private key in its file format.
If you created the CSR on Windows (IIS) then you don't send anything to the customer, you complete the CSR on the computer that created the CSR. Then you can export the certificate package.
Can i digitally sign a pdf with a certifate (.cer) and .p7b certificates provided to me over a USB or do i need a private key to be provided as well. I have tried converting to various formats including .pem, .der, .key, .crt etc but end up with some exception or the other. Have tried converting to .pem and then .key and got 'no certificate matches private key'.
I want to know if i have incomplete information, or if i can use the available certificates and if yes how should i proceed?
You definitely need a private key to create a digital signature.
I'm am trying to create a very simple WCF client application which will send SOAP messages to a 3rd party service. All the messages must be digitally signed. It's really a proof of concept before I add the code to a larger application.
I have a .cer file containing the certificate and a .pem file containing the private key. What I have been trying to do is load the certificate using the .cer file then fire off a message. But I get the following error "The private key is not present in the X.509 certificate".
The problem, well one of the problems, is that I really know almost nothing about WCF, digital certificates, private keys and all that guff. I've done some reading, I've Googled till I'm blue in the face and I've not got anywhere.
If I open the .cert file there is a section labelled "BEGIN ENCRYPTED PRIVATE KEY" which suggests that the private key is included in the certificate. So, why am I getting a message saying that it is not present? Also, if the private key does need to be added to the certificate how do I do it?
Here basically what I'm doing. It's not my actual code, but it includes all the relevant stuff:
MyWSClient c = new MyWSClient();
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(#"pathToFile.cer");
c.SomeValidCall();
How are you creating this cert / key pair? You can combine them into a PKCS#12 certificate using openssl:
openssl pkcs12 -export -in yourcert.crt -inkey yourprivkey.key -out newcert.p12
You may need to play with the input format to get it to work with a .pem private key.
My colleague has found a solution. I don't know why but using a .der file rather than a .cer file solves the problem. This is the command he used to generate the .der file using a certificate, private key and root certificate as.pem files:
openssl pkcs12 -export -in cert.pem -inkey private_key.pem -certfile root_cert.cer -out pkcs12.der
The service I need to connect to has provided me three files and I'm trying to figure out what I need to create the Cert=xxx.PEM file that STUNNEL needs
I have a "keystore.jks" file. Dumping that with keytool says it's a "Private key entry"
I have a "truststore.jks" file. Dumping that says it's a "trusted certificate entry". The alias is "server"
I also have a "xyz.cer" file. That seems to be a X.509 certificate
I've got OPENSSL and a Java program called "KeytoolUI".
Bottom line is I have a bunch of files and tools and with not much knowledge of SSL I feel like I can't see the wood for the trees. Do I need all those files? The existing PEM files I have for other services just have a "Certificate" section and a "RSA Private key" section.
Any advice appreciated. Thanks!
It sounds like your provider has provided your keypair (for client side authentication) as a java keystore, and (I'm guessing) the remote server's public certificate or CA certificate in PEM format.
That's some fairly heavy guesswork, but it's strange that they've sent you a private key if you aren't doing client side auth. (Let's hope they haven't sent you the private key for their server!).
As far as I'm aware, stunnel only uses PEM certificates, so you will need to convert your JKS files into two PEM files (one for the private key, one for the public certificate). One way to do this is to convert the JKS to a PKCS#12 (aka PFX) file using keytool, and then use OpenSSL to convert the PKCS#12 files into PEM private key/certificate files.
Once you have these two files, use them with the key and cert options in stunnel.conf.
For the final (mystery) PEM certificate that you have, I'm going to guess (again) that this is the remote CA, and therefore that you should configure this against the CAfile parameter in stunnel.conf. (If it's appropriate for you to post details here, edit to include output from openssl x509 -in <filename> -text to provide more clues).
No answer I'm afraid. In the end I got the company to just send me a PEM file.
I did find quite an authoritative looking tutorial here
http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_2.html
The problem is for somebody who doesn't do this everyday getting a bunch of free/open source software from various sources to work together. You can find scripts to do this on various sites, but when you run them, you'll see Java tracebacks, complaints about LIBEAY32.DLL missing ordinals, etc., etc.
If you get the exact right versions of KEYTOOL, OPENSSL, etc.,, installed in the correct place, with the exact right JRE version and all the other DLLs, the PATH correct, and all the stars exactly lined up you'll be fine. Until then it's just an exercise in frustration.
openssl x509 -inform der -outform pem < xyz.cer > xyz.pem