Create a .cer File From the Text of a Certificate - ssl

From SSL2BUY I have the text for a certificate starting with "-----BEGIN CERTIFICATE-----" down to "-----END CERTIFICATE-----". There is no download option just an email option (but that person isn't available) how do I convert the encrypted text between the 'begin' and 'end' statements to an actual certificate?
There are also 4 sections within this page; Servers, PKCS7, Root and Intermediate. How do these all interact?
SSL has been a bane of my life for a long time and I need to conquer this once and for all -_-.
Any assistance will be much appreciated.

I would like to inform you that Servers Certificate and PKCS7 Certificate are different formats of certificate.
PKCS7 format certificate is used in java based server like Tomcat and if you are not using Tomcat you can disregard it.
If you are using a server like IIS, cPanel, Apache etc then you will need to install "Server Certificate". You need to paste the certificate in notepad and save it with .cer extension.
If you are using a windows based server(IIS) then you will need only 1 file to install there which is "server certificate". On Windows based servers, root & intermediate certificates came preinstalled so you can skip that, they are not needed to install again.
If you are servers like Apache, cPanel, Nginx, Plesk, etc then you need to install the main domain certificate and CABundle(combination of the Root and Intermediate certificate).
Please Note:
For all leading CA's (Comodo, Digicert and GlobalSign) all the Root and Intermediate certificates are different. Please suggest your product name so I am able to assist in that particular product which Root and Intermediate certificate has to be used.
Please let me know the server type you are using such as Apache, IIS, cPanel, etc.

Related

SSL Certificate Disappearing from IIS

This may seem like a duplicate of this and it kind of is but none of the solutions I tried worked for me! Here is the related Question:
Installed SSL certificate in certificate store, but it's not in IIS certificate list
My system is Windows 2016 running IIS 10. We issued a CSR file using IIS using *.mydomain.com (nothing in the Common Name, I think, because that will get named upon receiving GoDaddy's response). Our client went to GoDaddy.com, purchased a Wild Card certificate, and sent me a zip file with a .p7b and a .crt file. I installed the .p7b in the Intermediate Certificate section, per GD instructions. So now in the Certificate is in the Personal folder with info like 'issued to *.mydomain.com' and friendly name being 'gis.mydomain.com'.
But the Certificate does not have Private Key--and I think that's the problem: The Certificate disappears in IIS manager. When I try the certutil -repairstore command I get a prompt for a Card insertion.
Here is a fix I am thinking about: From the Certificate Enrollement Requests part of the console, export to a pfx file, then, using OpenSSL, make a PEM file. Then create a new pfx file to Import to IIS; problem is that the new pfx file creation gives me error "No Certificate Matches Private Key". Here is the command:
pkcs12 -export -in 1d4c26d43a4da203.crt -inkey my.pem -out final.pfx
Please note that Rekeying at GoDaddy may not help: Their .CRT file seems to be generated without the Private Key. Also, DigiCert is unable to find Private Key on the server even though the CSR file was created on the same server.
What are my options?
Thanks!
I fixed this issue by following the steps here:
https://www.namecheap.com/support/knowledgebase/article.aspx/9773/2238/ssl-disappears-from-the-certificate-list-on-windows-server/
Specifically, these steps:
Open Microsoft Management Console (MMC) as an Administrator. To open MMC, press Win+R combination, type in mmc and click OK.
Select Add/Remove Snap-in and choose Certificates and click Add.
Choose Computer account in the Certificates snap-in window, click Next.
Tick Local computer in the Select computer box, then click Finish.
Locate the certificate that was imported when completing the certificate request. The certificate should be in the Personal store. Note that the icon of the certificate next to the domain name does not have a key on it; that means that no private key is assigned to the certificate.
Double-click the certificate and go to Details tab.
In certificate details locate the Serial Number field, click on it and copy its value.
In a command prompt type: certutil -repairstore my Serial_number from the step above. Make sure the serial number of your certificate does not contain any spaces. It should be a single string of symbols.
You can now refresh the list of server certificates in IIS Manager to see the certificate. You may need to close and reopen IIS.
UPDATE
The certificate store name for Web Hosting is webHosting. Use this in place of "my" which is the Personal cert store.
If you have multiple certificates, you only need to run certutil -repairstore for the first one. Others install correctly via the Complete Certificate Request in IIS (ie, they do not disappear).
Nothing worked until I followed GoDaddy's instructions per https://www.godaddy.com/help/rekey-my-certificate-4976 and installed the Re-Keyed Certificate. I don't know what had happened to have caused the failure. I had followed the exact steps earlier but what the client provided did not work first time. My guess is that the CSR file was generated when the server machine was in some pending major Windows Update and after the Update the Private Key stored in the OS was somehow lost/inaccessible.
Oh well, moving on.
There is one more use case under which IIS server certificates gets disappear when we create the Custom CSR from MMC -> Advanced Operations -> Create Custom Request and choose the Enhanced Key Usage purpose as "Client Authentication" instead "Server Authentication" and since we are uploading the certificate to IIS under Server Certificates so it should be for "Server Authentication" to show up or not disappear on IIS -> Server Certificates
Fix -
Delete the certificate from MMC and make sure it is removed after
refreshing
Generate the CSR using MMC Custom Request option and Choose "Server
Authentication" in case of the purpose for key usage while
generating the CSR using the Custom Request Option from MMC
Generate the Cert and signed by CA for the CSR generated in Step-2
Complete the Certificate Request from IIS and certificate should be
available perfectly fine in MMC as well in IIS -> Server Certificate
This should work fine !
At last Fixed!!
Step 1 - Go to your servers IIS
Step 2 - Select your server and choose SSL Certificate from middle panel
Step 3 - From the action panel on the right choose "Create Certificate Request"
Step 4 - Fill in the necessary details (common name = domain name, rest not so important)
Step 5 - after completing the wizard you will be provided with a .CSR file open the file in notepad and CTRL-A CTRL-C.
Step 6 - Go to the product page of your godaddy account from there go to SSL and click manage.
Step 7(optional) - To check if everything's fine with your CSR file, In manage SSL page click "SSL Tools" and from there choose CSR Decoder, you'll be taken to a page where you can paste the CSR and if results are shown you are good move to step 8.
Step 8 - Go back to Step 6, choose your SSL linked to the DOMAIN.
Step 9 - From the SSL Dashboard once you scroll down a bit you'll see the REKEY option, click on it.
Step 10 - Paste the CSR texts in the space provided
Step 11 - Click "Add Change"
Step 12 - Scroll down, click "Submit All Changes"
Step 13 - After the SSL is reissued(5-10 MINS), download the zip files for IIS server.
Step 14 - That's it , you should be able to add the new .CES file into the IIS without it disappearing.
Let me know if this worked for everyone.
You need to convert the certificate to .pfx file and include your private key.
https://www.ssls.com/knowledgebase/how-to-install-an-ssl-on-a-windows-server-when-the-csr-was-generated-elsewhere/

Cloudflare SSL certificate on IIS: "Windows does not have enough information to verify this certificate"

So I am trying to make my IIS8 webserver https, yet I can't seem to get it to work.
I have tried almost anything... but nothing seems to work.
DON'T WORRY THE FILES BELOW ARE FAKE!
PICTURE 1 KEY
PICTURE 2 PEM
First of all, what do I need to do with these 2? It says to save them as .key and .pem files, so I thought they mend: put the private key in a text file and save it as .key and same for the certificate and save it as .pem.
I tried to convert them to .pfx because that is what I need, right?
First I tried using openssl, but I saw a nice site, so I started using that instead: https://www.sslshopper.com/ssl-converter.html. That gave me an error at first, but then I saw cloudflare also had something called DER:
Which gave me an .CRT file if I downloaded it, so now I had a .PEM, a .KEY and an .CRT file, I went back to the website and used the .CRT file and the .KEY file, and put in a password!
Now I've gotten my .PFX file, which I wanted! I installed it on my windows server, but got this:
Why is it not verified?!
What files do I need to verify this?
Am I saving the files correct?
Within IIS you'll need to create a Certificate Signing Request (CSR) and export it.
In the Crypto app, scroll down to the Origin Certificates card and click 'Create Certificate'. Select 'I have my own private key and CSR', add the hostnames you'd like to be covered by the certificate. Once you've completed all the steps in the Wizard you can go back to IIS and click " Complete Certificate Request".
A step-by-step breakdown of these instructions is available on the Cloudflare Knowledge Base: Managing Cloudflare Origin CA certificates
Additionally, you'll need to install the Origin CA root certificates for CloudFlare on the server outline in Step 4 of the KB tutorial. This is fix the warning message:
Windows does not have enough information to verify this certificate.
There are two locations which these certificates may be installed: Current User or Local Machine.
To target the Current User open the certmgr.msc program, otherwise open certlm.msc
Expand 'Trusted Root Certification Authorities'
Right-click 'Certificates'
Select 'Import...' from the 'All Tasks' menu
Import both the ECC and RSA .pem files

Install SSL Certificate in WorldClient, MDaemon 12

I have an issue after I installed the SSL Certificate in WorldClient, MDaemon 12.
I followed the link in installing the SSL, SSL installation was fine. Then, I followed the link to use the SSL in WorldClient. I use 888 for TCP port and 443 for https port.
When I call the webmail (http://mail.mydomain.com.sg:888) in browser, it opens properly. But, if https://mail.mydomain.com.sg:888, Secure Connection Failed error message is shown.
Any Ideas, please? Thanks.
I have solved this problem.
If you read all instruction from the link you given in your post carefully until finished, you'll get the answer.
Note: MDaemon will only display certificates that have private keys
using the Personal Information Exchange format (PKCS #12). If your
imported certificate does not appear in the list then you may need to
import a *.PEM file, which contains both a certificate key and private
key. Importing this file using the same process outlined above will
convert it to the PKCS #12 format.
You should make a PKCS#12 file from generating the (certificate) .csr and private key (.key) you have. If you on windows, install the openssl first on your PC. After successful generate the PKCS#12 file, follow the instruction again to install the SSL certification on MDaemon.
If you success, you'll see the certificate appear in the MDaemon.
Remember to restart your server or webserver to apply the changes.
Regards

OpenSSL in GitLab, what verification for self-signed certificate?

On Debian, using GitLab, I ran into issues with my self-signed certificate.
Reading through the code after a lot of searching on the Internet (I guess, it's the last resort, FOSS is helpful), I found the following lines in gitlab-shell/lib/gitlab_net.rb which left me... perplexed.
if config.http_settings['self_signed_cert']
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
Most Stack Overflow responses about the diverse issues I've had until now have led me to believe that VERIFY_NONE, as you'd expect, doesn't verify anything. VERIFY_PEER seems, based on my reading, to be the correct setting for self-signed.
As I read it, it feels like taking steps to secure my connection using a certificate, and then just deciding to not use it? Is it a bug, or am I misreading the source?
gitlab-shell (on the GitLab server) has to communicate to the GitLab instance through an HTTPS or SSH URL API.
If it is a self-signed certificate, it doesn't want any error/warning when trying to access those GitLab URLs, hence the SSL::VERIFY_NONE.
But, that same certificate is also used by clients (outside of the GitLab server), using those same GitLab HTTPS URLs from their browser.
For them, the self-signed certificate is useful, provided they install it in their browser keystore.
For those transactions (clients to GitLab), the certificate will be "verified".
The OP Kheldar point's out in Mislav's post:
OpenSSL expects to find each certificate in a file named by the certificate subject’s hashed name, plus a number extension that starts with 0.
That means you can’t just drop My_Awesome_CA_Cert.pem in the directory and expect it to be picked up automatically.
However, OpenSSL ships with a utility called c_rehash which you can invoke on a directory to have all certificates indexed with appropriately named symlinks.
(See for instance OpenSSL Verify location)
cd /some/where/certs
c_rehash .

Exporting the SSL certificate with the private Key on windows

I am in a process of generating an SSL cert for a domain name.
What I have done:
Went to the IIS management > Server Certificates and clicked on Create Request. This generated a *.com file with a hash inside it that I submitted to the GoDaddy.
From GoDaddy I got back a zip with two files: *.crt and *.p7b
I exported the certificate to a *.cer file and uploaded it to Azure, but when I try to deploy the cloud project I get an error:
Certificate with thumbprint associated with HTTPS input endpoint
does not contain private key
After reading similar issues on the Internet, I understand that my *.cer file doesnt contain the private key.
My problem is that no matter how I try to export it to a *.PFX, the PFX option is always disabled in the cert export wizard.
Also not sure if it is related, but when I Click on Complete Certificate Request in IIS and select the cert that I got from GoDaddy. I get an error:
Cannot find the certificate request that is associated with this
certificate file. A certificate request must be completed on the
computer where the request was created.
You will not have the option of exporting from IIS or exporting to PFX from Certificate Manager if you do not do the IIS "Create Certificate Request" and "Complete Certificate Request" from the same machine.
That was my problem. I did these two steps from two different machines.
I had to create a new request (in IIS), go to GoDaddy, rekey my certificate, download the new certificate, and then complete the request (in IIS).
This turned out to be something completely idiotic, as usual messed up by Microsoft.
The process of creating a cert for a domain is that you need to use [Create Certificate Request] in IIS.
Then send the created hash to the Authority and use the [Complete Certificate Request] in IIS where you provide the cert given to you by the Authority. This will install the cert into your local IIS
After the cert is installed you need to right click on it and do an export to a *.PFX file. The PFX file now can be uploaded to Azure or any other hosting...
The processes could have been very simple, if Microsoft didn't make sure to screw it up.
The thing is that when you click on [Complete Certificate Request], the file open dialog has a file type of *.CER, but this is wrong because you need to provide *.CRT!!! The solution is to change the file type select to All Files *.* and chose the *.CRT file provided by the Authority.