I'm having a hard time creating a p12 key. Here are the steps I did:
1: openssl genrsa -out priv.key 4096
2: openssl req -new -sha256 -key priv.key -out priv.csr
3: Converted the csr into a priv.pem file from a website specially for this (payment gateway).
And here I'm stuck. According to this website following code can be used:
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root
The problem for me is: I only have one pem key but the above requires two. So can I with only my pem key now convert it into a p12 key with password?
Related
I have generated pem and csr files using the below command.
openssl req -newkey rsa:2048 -keyout key.pem -out req.csr
After this, I sent csr file to the authority and got p7b certificate.
Now, I tried to convert p7b file to p12 format with the below commands.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -out certificate.p12 -inkey key.pem -in certificate.cer
However, it gives the below error.
No certificate matches private key
error in pkcs12
How can I convert p7b file into p12 file format?
I think you must call privatekey file
openssl pkcs12 -export -inkey privateKey.key -out certificate.p12 -inkey key.pem -in certificate.cer
I have a PFX that I want to convert to a CRT and Key or PEM and Key to install on an NGINX endpoint. When I import the pfx to my cert store on my windows machine it creates the certificate, the intermediate chain, and the root CA.
If I take that PFX and run the following openssl commands I and bind it to the endpoint, I don't get all the certificates in the chain:
openssl pkcs12 -in ./GoDaddy.pfx -clcerts -nokeys -out pcc.crt -nodes -nokeys
openssl pkcs12 -in ./GoDaddy.pfx -nocerts -nodes -out pcc.rsa -nodes -nokeys
Is there a switch or command I can run to convert the PFX to a crt / rsa or pem /key with all of the certificates up the chain to the root CA?
Since you want everything, you just need to reduce the number of restrictions you are asking for.
so:
openssl pkcs12 -in ./GoDaddy.pfx -out ./GoDaddy.pem
If you read the documentation you will see what you are asking for:
-nocerts
No certificates at all will be output.
-clcerts
Only output client certificates (not CA certificates).
-nokeys
No private keys will be output.
-nodes
Don't encrypt the private keys at all.
You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
# Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
# Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
# combine ca-certs and cert files
cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt
# Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key
Link:
https://gist.github.com/mediaupstream/a2694859b1afa59f26be5e8f6fd4806a
This question already has answers here:
How to generate a self-signed SSL certificate using OpenSSL? [closed]
(23 answers)
Closed 6 years ago.
Trying to convert .pem file to .der file using below command.
openssl x509 -in public_key.pem -out cert.der -outform DER
getting below error
unable to load certificate
31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSS
L098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFIC
ATE
I have generated RSA private/public keys using below.
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
You are creating a RSA key pair. And you are trying to convert the public key into DER format.
openssl x509 command requires public key inside the X.509 container.
Try this command to create the Private Key and Public Cert.
Create a self signed CA Cert:
openssl genrsa -out CAkey.pem 2048
openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095
Now create another cert which is signed by the CA created above
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01
Later convert the public cert in PEM to DER format.
openssl x509 -in server.pem -out server.der -outform DER
This is the sequence of commands I tried:
a. Extract an existing certificate key from the store:
keytool -v -importkeystore -srckeystore keystore -srcalias one -destkeystore temppp -deststoretype PKCS12 -srcstorepass passwordd -deststorepass passwordd
b. Extract the private key from the exported certificate:
openssl pkcs12 -in temppp -out csr_private.key -nocerts -nodes -password pass:passwordd
c. Generate csr using extracted key:
openssl req -nodes -sha256 -new -key csr_private.key -out request.csr -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla/OU=Bla/CN=BLAAAA'
d. Generate a self-signed certificate and key:
openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -nodes -sha512 -days 4096 -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla Bla/OU=BLA/CN=FOOO' -out ca.pem
e. Sign the csr with the self-signed certificate:
openssl x509 -in request.csr -out signed_cert.pem -req -signkey ca_key.pem -days 1001
f. Export the signed certificate and csr key to one p12 file:
openssl pkcs12 -export -in signed_cert.pem -inkey csr_private.key -out file.p12 -name "one"
Result:
No certificate matches private key
What am I missing? Why isn't my last command legitimate?
I planned to do "keytool -importkeystore" file.p12 (that should have been generated in the last step) to replace the "one" privateKeyEntry in "keystore". As suggested in How to import an existing x509 certificate and private key in Java keystore to use in SSL?.
Basically I'm trying to edit that entry to have the same key, but a different certificate.
The fix is to add "-nodes" to the last command (f).
In the second command that key was exported with "-nodes" (no DES encryption), and it should be the same in the last command too.
I have successfully generated .p12 file but I got a message which is a follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:
`Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange `
Please clarify.
Thanks
Source
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair :
openssl genrsa -out aps_development.key 2048
Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly same issue. Below two commands worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.