I just bought an SSL cert from my domain registrar.
They only provided me:
Plaintext of the CSR
Plaintext of the intermediate and root CA(?) certs
Plaintext of my SSL cert
(no .key file)
I had to copy the plaintext from their webpage after they magically created the cert.
My SSL cert looks like:
-----BEGIN CERTIFICATE-----
MIIGJTCCBQ2gAwIBAgIQD5EJV21qWTH5W6AhivSAEzANBgkqhkiG9w0BAQsFADBZ
<more string>
-----END CERTIFICATE-----
Questions:
If I create a new "cert.pem" file and just paste the plaintext of my SSL cert in, is it fully pem encoded or do I have to further process it?
What if I create a new "cert.crt" file? Could I just paste the plaintext of my SSL cert in there as well without further encoding?
Could either file now be passed as a client cert in HTTPS requests?
Edit: As #Marc mentioned, I should have said "text" above rather than "plaintext". Aside from the headers, the cert is not in plaintext.
What you call "plaintext" is PEM encoding, which is base-64 encoding of a DER (or BER or CER) file with extra headers.
.crt is commonly used for PEM encoding. But the actual extension does not matter.
You can definitely use the shown certificate in your client (how to do so depends on the language used).
However, you will need the key. If you sent a CSR to them, the key should already be in your possession (you sent them the public key as part of the CSR, but the private key stayed with you). If you did not send them a CSR, they generated the key pair for you and should have a way to download the private key.
Related
Could someone explain, how are all certificates built?
There are many files that are generated while getting a certificate (.csr .key .cert .pem).
What does each file contain?
From what I have gathered, the .key file is a file with the private key.
From that .key a .csr is generated, which can be sent to the CA.
However, web hosting providers each ask for a different set of files (or name them randomly?). How do I distinguish which file is which?
For example .pem and .cert files, each start with -----BEGIN CERTIFICATE----- which is confusing (at least for me).
Would any kind soul care to explain how it all works?
PEM is an encoding that is also used as extension. All files that start with -----BEGIN CERTIFICATE----- are PEM encoded. Even the .key. That said, a .pem file could be a key, a certificate, a chain certificate, etc. You should name it well to know what it is.
All .crt and .cert extensions mean the file is a certificate. The Certificate Authority chooses which extension they will send the file with.
The .csr is also PEM encoded, but it is a Certificate Signing Request. It is created when you generate your .key file. With it you can ask for a CA to issue a certificate for you.
---Edit---
Based on your comment, you have received three files from letsencrypt: cert.pem, chain.pem and fullchain.pem. You also might have a privkey.pem.
To configure your certificate you need only bother with the privkey.pem and fullchain.pem, which is just a concatenation of cert.pem and fullchain.pem. You need to set up those files in your web server; each web server is different and you might look for their specific instructions.
I have created a self-signed certificate with makecert, exported it with private key to .pfx file and imported on the server. Then I copied one on the client and tried importing it using keytool. Got an error Input is not an X.509 certificate.
So I converted .pfx certificate to .pem using openssl and tried again - same result.
I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single certificate PEM files. Even though mine is a single certificate, PEM file contains private key information:
-----BEGIN PRIVATE KEY----
-----END PRIVATE KEY------
----BEGIN CERTIFICATE-----
----END CERTIFICATE-------
So I am not sure what should be my next step to ensure import will work when done with keytool on the client.
Can anyone shed some light on this issue?
I bought a certificate from a CA and I don't know much about certificates. I need a PEM format certificate to use in dovecot. It could be a foolish question as I don't know much about certificates. I got three files from the CA: .ca-bundle, .crt, .p7b. I need both public and private keys.
You can use this tool or the OpenSSL commands available in the same page to convert the certificate into PEM.
I'm honestly quite surprised about the files you received. Generally, the CA already sends you the PEM encoded certificates.
The .ca-bundle and .crt are likely to be the intermediate chain and the server certificate. The .p7b is in general a bundle of both intermediate and server into a single file, if that's the case you can ignore it and use the bundle and crt files.
As for the key, you should have it as the key is used to sign the CSR you provided the CA.
You may also want to check your CA documentation to better understand the content of each of these files.
Is it possible to install SSL certificate in Centos (6.5) and apache with just a .pem file? I have been told by the client that they do not have a .crt file or a .key file. It is a wildcard certificate that I need to install in one of the subdomain.
Extensions do not matter.
Usually .crt is used for a certificate in PEM format and .key for the matching key. Both are base64 encoded data with a PEM header like "---- BEGIN CERTIFICATE ---" or "----- BEGIN RSA PRIVATE KEY -----".
But you can put both certificate and key together in a single PEM file and use this inside the certificate and key parameters. But, of course, you have to make sure that your *.pem file really contains both certificate and key.
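Added example, not part of any post above: since the extension does not matter, one way to check what a file really contains is to read the PEM labels and confirm each payload decodes to DER, and to strip a combined file down to its certificate blocks as in the keytool question. The function names are hypothetical and the sample bytes are constructed placeholders, not a real key or certificate.

```python
import base64
import re

# PEM (RFC 7468): base64 of DER between BEGIN/END lines that carry a type label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KINDS = {"CERTIFICATE": "certificate", "CERTIFICATE REQUEST": "csr",
         "PRIVATE KEY": "private key", "RSA PRIVATE KEY": "private key",
         "EC PRIVATE KEY": "private key", "PKCS7": "pkcs7 bundle",
         "ENCRYPTED PRIVATE KEY": "encrypted private key"}

def pem_blocks(text):
    """Return [(label, der_bytes or None)] for each PEM block; None = bad base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = None
        blocks.append((label, der))
    return blocks

def describe(data):
    """Classify file contents (bytes) by what they hold, ignoring the extension."""
    blocks = pem_blocks(data.decode("ascii", "replace"))
    if not blocks and data[:1] == b"\x30":  # bare ASN.1 SEQUENCE tag: likely binary DER
        return ["der (binary)"]
    kinds = []
    for label, der in blocks:
        kind = KINDS.get(label, "unknown: " + label)
        if not der or der[0] != 0x30:  # all types above decode to a DER SEQUENCE
            kind += " (payload is not DER)"
        kinds.append(kind)
    return kinds

def to_pem(label, der):
    """Encode DER bytes as one PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{rows}\n-----END {label}-----\n"

def certificates_only(text):
    """Keep only CERTIFICATE blocks, for tools that reject a file containing a key."""
    return "".join(to_pem(l, d) for l, d in pem_blocks(text) if l == "CERTIFICATE" and d)

# Constructed sample: key + certificate in one file (placeholder DER, not real material).
COMBINED = to_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00") + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")

if __name__ == "__main__":
    print(describe(COMBINED.encode()))
    print(certificates_only(COMBINED), end="")
```

This only inspects labels and the outer DER tag; it does not validate the certificate or check that a key and certificate belong together.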
Bit of a silly question, but:
What kind of file(s) do you get when you buy an SSL certificate from a trusted CA?
Is there a .pfx file?
I'm working on a small tool to manage SSL certificates, but I'm not sure exactly what kind of certificates I'll be dealing with besides the self-signed ones that I create myself.
Thanks!
.pfx file extension is one. The below text from IBM has some in-depth information.
Certificate file types
Certificates and keys are stored in several types of files.
Files that store certificates and keys can have the following formats:
.pem
A privacy-enhanced mail file, which has a file extension of .pem, begins and ends with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.
.arm
A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.der
A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.pfx (PKCS12)
A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate machine. For example, you can create and install a certificate and private key using key management utility, export the certificate and key to a PKCS12 file, then import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the OpenSSL CertTool utility.
The text above is a verbatim copy from IBM Eclipse Help.