Private Key doesn't Match Certificate - ssl

I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.
Here's what I've done:
Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
Uploaded that to the CA and got back a certificate beginning with -----BEGIN CERTIFICATE-----, which would indicate a PEM-encoded certificate, right?
Tried combining all of this into a PFX for ease of use
openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer
It then asks for the private key and then throws the error No certificate matches private key
Some people suggested re-encoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509:
sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
The following command generates quite sensible output, so the certificate seems to be alright to some extent:
openssl x509 -in CERTIFICATE.cer -text -noout
The CA is Telia, if this is of any use to anybody. I have had some issues in the past with them; for example, Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be caused by me using the wrong file extension or something).

This issue was due to the renewal process in the Telia user interface: it allows you to upload a new CSR during renewal, but it actually ignores that and uses the old CSR without telling you.

Related

Trying to generate a pfx from crt and private key from GoDaddy using openssl fails with No certificate matches private key

I'm trying to generate a pfx file from a crt and a private key, and I keep getting No certificate matches private key.
No idea what's going on here.
I did:
openssl pkcs12 -export -out myaudiservice.com.pfx -inkey myaudiservice.com.key -in myaudiservice.com.crt -in gd_bundle-g2-g1.crt
Which gets me:
No certificate matches private key
So, I tried deleting everything, key, crt, cert chain, and then I generated a new CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout myaudiservice.com.key -out myaudiservice.com.csr
Which generated a new key and new csr. I then uploaded the CSR to GoDaddy and requested the cert be re-keyed.
When that was done, I downloaded the new crt, and used the freshly generated key (from the openssl command used to generate the CSR), and I still get the same error.
Then, just as a sanity check I did:
mjb#bohr:~/Downloads/myaudiservice.com$ openssl x509 -noout -modulus -in myaudiservice.com.crt | openssl md5
(stdin)= 36d37e4f8f8672c127178a4a9cf32b89
mjb#bohr:~/Downloads/myaudiservice.com$ openssl rsa -noout -modulus -in myaudiservice.com.key | openssl md5
(stdin)= 36d37e4f8f8672c127178a4a9cf32b89
And they match... but I still get the:
No certificate matches private key
What can I try next?
You cannot have multiple -in arguments. It will just take the last, i.e. gd_bundle-g2-g1.crt. And no certificate in this file matches the key. Instead you should combine all certificates (and maybe even the key) into a single file and use this as argument for a single -in option.
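The two failures above (a key that does not belong to the certificate, and a second -in silently replacing the first) can be caught before calling pkcs12. The following is an added example, not code from either post: it compares the DER SubjectPublicKeyInfo of key and certificate (which, unlike the -modulus trick, also works for EC keys) and then builds the PFX from a single concatenated input file. The host names, the password "changeit" and the fixture files are constructed placeholders.

```shell
#!/bin/sh
# Added example. Checks that a private key belongs to a certificate by comparing
# their DER SubjectPublicKeyInfo, then builds a PFX from ONE concatenated -in file.
set -eu

spki_der() {
  # Emit the DER SubjectPublicKeyInfo of a private key ("key") or certificate ("cert").
  case $1 in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac
}

key_matches_cert() {
  # Usage: key_matches_cert KEY CERT -> exit 0 only when both public keys are byte-identical.
  tmp=$(mktemp -d); rc=1
  if spki_der key "$1" > "$tmp/k.der" && spki_der cert "$2" > "$tmp/c.der" \
     && cmp -s "$tmp/k.der" "$tmp/c.der"; then rc=0; fi
  rm -rf "$tmp"
  return $rc
}

build_pfx() {
  # Usage: build_pfx KEY LEAF CHAIN OUT.pfx
  # openssl pkcs12 honours only the last -in, so leaf and chain are concatenated first.
  key_matches_cert "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; return 1; }
  cat "$2" "$3" > "$4.chain.pem"
  openssl pkcs12 -export -inkey "$1" -in "$4.chain.pem" -name sslCertificate \
    -passout pass:changeit -out "$4"   # "changeit" is a placeholder export password
}

# Constructed throwaway fixtures: a matching key/cert pair and an unrelated pair.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=match.example \
  -keyout "$WORK/match.key" -out "$WORK/match.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=other.example \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

key_matches_cert "$WORK/match.key" "$WORK/match.crt" && echo "match.key belongs to match.crt"
key_matches_cert "$WORK/other.key" "$WORK/match.crt" || echo "other.key does not (expected)"
build_pfx "$WORK/match.key" "$WORK/match.crt" "$WORK/other.crt" "$WORK/match.pfx" \
  && echo "wrote $WORK/match.pfx"
```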

How to get public key in .cer or .crt formats

I have created a self-signed SSL certificate using OpenSSL as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
This gave me a certificate and a private key in .pem files. I need to provide my public key to my clients in .cer or .crt format. Is there any way to get the public key in .cer/.crt format?
What I have already tried:
1. Generating the public key in .pem format and trying to convert it to .cer or .crt [Didn't work]
To extract the public key to a .pem file [worked fine]:
`openssl x509 -pubkey -noout -in signer-cert.pem > signer-public-key-test.pem`
To convert it from .pem to .cer format:
openssl x509 -inform PEM -in signer-public-key-test.pem -outform DER -out signer-public-key-test.cer
I get this error:
unable to load certificate
140067363030680:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
2. Converting my certificate to .cer (which I did fine) and trying to export the public key using the Windows certificate export wizard as per the instructions given here
It didn't work either. I couldn't enable the option to export keys, and the final output, when opened in Notepad++, was garbage.
So my question is: is there any way to generate the certificate from scratch and have the public key in a .cer or .crt file, or to generate the certificate in .pem format and later extract the public key to .crt or .cer?
Any help is deeply appreciated.
Since .cer and .crt usually mean "DER or PEM-DER X.509 certificate", I don't know what you mean by having the public key in that format.
If you mean you want a DER-encoded SubjectPublicKeyInfo representing the public key, the second stage of your pipeline would be
openssl asn1parse -noout -out some.file
You can remove the intermediate with
openssl x509 -in signer-cert.pem -noout -pubkey |
openssl asn1parse -noout -out signer-public-key-test.der
(Newline added to remove scrollbar)
Or, skip the certificate middleman altogether:
openssl rsa -in key.pem -pubout -outform der -out signer-public-key-test.der
Seems pretty weird that you want that particular format, though.

How to get a certificate from a CA?

I need to get a certificate from a certificate authority with .crt extension.
I used openssl commands but it generates a self-signed certificate which is not suitable for my use.
$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert
How can I obtain a certificate from a CA in Ubuntu 16.04? I need .key and .crt files.
These are the steps you would need to follow to get a certificate signed by a CA.
Generate an asymmetric key pair:
openssl genrsa -out localhost.key 2048
Generate a PKCS#10 (Certificate Signing Request) from the key pair:
openssl req -new -sha256 -key localhost.key -out localhost.csr
Send the above generated request to the CA (different CAs have different ways of receiving your request).
CA replies with a PKCS#7 (Certificate Chain) or just the signed certificate (you will usually get the entire certificate chain, but if you just got only the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).
You can convert the above received PKCS#7 to PEM format:
openssl pkcs7 -in localhost.p7r -inform DER -out localhost.pem -print_certs
Associate the above PEM certificate chain with the private key you generated in step 1:
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name sslCertificate -out localhost.pfx
You now have a PKCS#12 keystore that you can use to secure your server.
So to answer your question, this is how you could proceed with step 3.
There are many well known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc, ...). Each CA could be different on their pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to know more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).

What are the physical differences between server and client certificates?

I know their logical differences, their intended ways of use. What I want to know is how both certificates differ in the procedure of generation and in their actual contents.
Suppose you generate some self-signed certificate with the following procedure:
generating a private CA certificate, assume that you've got "ca.crt".
generating a private key as openssl genpkey -algorithm RSA -out key.pem -outform PEM.
generating a CSR as openssl req -new -key key.pem -keyform PEM -out req.pem -outform PEM.
signing the CSR as openssl ca -in req.pem -out cert.pem -cert ca.crt -keyfile key.pem -keyform PEM.
I searched the web a lot but I couldn't find out whether the procedure above and the contents of the generated certificate differ when I generate a server certificate and a client certificate.
Your answers are greatly appreciated. Thank you.
There is no difference in the format. Both are X.509 certificates with the use-for-SSL bit set.

Good use of certificates to sign a PDF

I'm trying to sign a PDF in a PHP script with a certificate. Until now, I ran my tests with a self-signed .crt file, generated with the command line:
openssl req -x509 -nodes -days 365000 -newkey rsa:1024 \
-keyout tcpdf.crt -out tcpdf.crt
(yes, I'm using tcpdf). It works fine.
But now, my company gave me real certificates (from tbs-certificats), and I'm a bit disappointed: I have a .cer, a .pem and a .p7b file...
I tried to use each of them in my script, but I get the error
Warning: openssl_pkcs7_sign(): error getting private key
The code I use with a self-signed certificate:
// set certificate file
$certificate = 'file://data/cert/tcpdf.crt';
// set document signature
$pdf->setSignature($certificate, $certificate);
Do I need to change something? I'm not very familiar with the crypto world...
Well, first things first, you have to point your script to an existing file. In this case, the .cer file would contain the certificate, so try that instead of "/path/file.CRT".
Now the file extension vs. how the certificate is encoded is kinda unrelated I'm afraid, even if the names are inducing some confusion, see this reference.
I have no idea whether tcpdf supports both pem and der encoded files, because of the lack of documentation. They probably do, but just in case, here's how to work around it. Test commands will give you an "unable to load certificate" error if you assume the wrong encoding.
testing for PEM-encoded files: openssl x509 -in cert.cer -text -noout
testing for DER-encoded files: openssl x509 -in certificate.der -inform der -text -noout
conversion from PEM to DER: openssl x509 -in cert.cer -outform der -out cert.der
conversion from DER to PEM: openssl x509 -in cert.cer -inform der -outform pem -out cert.pem