How do I use OpenSSL in the terminal to convert a .pem file to other formats? - ssl

I am trying to use OpenSSL in the terminal. I have installed OpenSSL using brew install openssl. I want to convert a .pem file to another format that my hosting provider will accept.
I have tried several different formulations of the code and plying the certificate from different places but none seem to work and all give me various error messages including permission denied.
This is what I tried last...
openssl pkcs12 -in /Users/myname/fullchain.pem -inkey /Users/myname/privkey.pem -out /Users/myname/fullchain.pfx -cacerts
This is my output
4552226412:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.250.1/libressl-2.6/crypto/asn1/tasn_dec.c:1125:
4552226412:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.250.1/libressl-2.6/crypto/asn1/tasn_dec.c:306:Type=PKCS12
What might this mean and what code should I be using?
Edit: I am getting output files but they are of course empty.

That error message usually appears when the certificate format you pass to the command is not what it is expecting. The following command should solve it for you.
openssl pkcs12 -export -out /Users/myname/fullchain.pfx -inkey /Users/myname/privkey.pem -in /Users/myname/fullchain.pem
It should prompt you to enter an export password to encrypt the .pfx file's content if it has succeeded.
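
The difference between the two commands above, as an added example that is not part of the original question or answer: without -export, pkcs12 expects an existing PKCS#12 file as input, so PEM input fails to parse. The key, certificate, temporary directory and pass phrase are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: throwaway key and certificate, constructed for the demonstration.
set -u
WORK=$(mktemp -d)             # private temporary directory (mode 0700)
PASS='example-export-pass'    # constructed; prefer -passout file:... or env:... in practice

# Stand-ins for fullchain.pem / privkey.pem.
make_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
}

# The question's form: without -export, -in is read as an existing PKCS#12
# file, so the PEM text fails ASN.1 parsing and no usable output is written.
parse_pem_as_pkcs12() {
    openssl pkcs12 -in "$WORK/fullchain.pem" -inkey "$WORK/privkey.pem" \
        -out "$WORK/bad.pfx" -cacerts \
        -passin "pass:$PASS" -passout "pass:$PASS" 2>/dev/null
}

# The answer's form: -export builds a PKCS#12 file from the PEM inputs.
export_pfx() {
    openssl pkcs12 -export -out "$WORK/fullchain.pfx" \
        -inkey "$WORK/privkey.pem" -in "$WORK/fullchain.pem" -passout "pass:$PASS"
}

fingerprint_pem() {
    openssl x509 -in "$WORK/fullchain.pem" -noout -fingerprint -sha256
}

# Read the certificate back out of the PFX and fingerprint it.
fingerprint_pfx() {
    openssl pkcs12 -in "$WORK/fullchain.pfx" -nokeys -passin "pass:$PASS" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

make_pem
parse_pem_as_pkcs12 || echo "without -export: input rejected, as in the question"
export_pfx
[ "$(fingerprint_pem)" = "$(fingerprint_pfx)" ] && echo "PFX contains the same certificate"
```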

Related

LetsEncrypt generates fullchain.pem and privkey.pem files. I need .crt and .key files. How can I get them?

After running sudo certbot --nginx -d mydomain.io -d www.mydomain.io
I'm getting:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.io/privkey.pem
For my app to work, I need private.key and certificate.crt files.
I have tried converting .pem files like so:
openssl x509 -outform der -in /etc/letsencrypt/live/mydomain.io/fullchain.pem -out certificate.crt
openssl rsa -outform der -in /etc/letsencrypt/live/mydomain.io/privkey.pem -out private.key
When trying to run my app, I'm getting this error in the browser dev tools:
WebSocket connection to 'wss://<my-ip>:<my-port>/' failed:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
On server I'm getting this error (apparently it means that my app couldn't parse the key file):
mbedtls error: returned -0x7780
So it looks like an issue with the certificate. Can you help me to figure out what I have done wrong? What could be causing this issue? Are there other ways to generate .crt and .key files, so I could double check that I didn't make a mistake?

Turns out my problem wasn't related to generating the keys, I was doing it correctly.
But the client version of my app was trying to connect to wss://<my-ip>:<my-port>/, and instead I was supposed to connect to wss://<my-domain-name>:<my-port>/.
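
A way to check which names a certificate is valid for before pointing a client at it, as an added example that is not part of the original post. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the self-signed certificate and the IP address 203.0.113.10 are constructed stand-ins.

```sh
#!/bin/sh
# Added example; the certificate below is constructed for the demonstration.
set -u
WORK=$(mktemp -d)

# Stand-in for fullchain.pem: the SAN lists only DNS names, as a certificate
# requested with "-d mydomain.io -d www.mydomain.io" would.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mydomain.io" \
        -addext "subjectAltName=DNS:mydomain.io,DNS:www.mydomain.io" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
}

# Print the names the certificate covers.
list_san() {
    openssl x509 -in "$WORK/fullchain.pem" -noout -ext subjectAltName
}

# Return 0 when the certificate is valid for the given DNS name.
cert_matches_host() {
    openssl x509 -in "$WORK/fullchain.pem" -noout -checkhost "$1" 2>&1 |
        grep -q "does match certificate"
}

# Return 0 when the certificate is valid for the given IP address.
cert_matches_ip() {
    openssl x509 -in "$WORK/fullchain.pem" -noout -checkip "$1" 2>&1 |
        grep -q "does match certificate"
}

make_cert
list_san
for name in mydomain.io www.mydomain.io; do
    cert_matches_host "$name" && echo "$name: match"
done
# Connecting by IP fails name validation because no IP entry is in the SAN.
cert_matches_ip 203.0.113.10 || echo "203.0.113.10: no match"
```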

Issues with .keystore file

I am having issues with converting from .P7B to .PFX using a .keystore private key file.
It produces the error
unable to load private key 2388:error:0909006C:PEM
when I run the command
openssl pkcs12 -export -out cert.pfx -inkey privatekey.keystore -in cert.cer
Please help.

According to the Oracle Documentation, a keystore is most likely The proprietary keystore implementation provided by and nothing that OpenSSL can convert.
As far as I know only java implementations can do this. Here are some tools that might help:
http://portecle.sourceforge.net/
https://keystore-explorer.org/index.html

Problems converting a .PFX certificate to .PEM

I work with certificates and occasionally need to convert a private certificate from the .PFX extension to the .PEM extension, but I can only consume it in a webservice if it is generated without a password, that is, unprotected.
If I try to generate it with a password (whether or not it is the same password as the .PFX certificate's), I cannot consume it in the webservice (I get the error "403 - Forbidden").
Can you tell me why this occurs?
To generate it unprotected, I use the command below (through OpenSSL):
pkcs12 -in certificate.pfx -out certificate.pem -nodes
To generate it with password, I use this one:
pkcs12 -in certificate.pfx -out certificate.pem
I cannot understand why the error occurs, since OpenSSL does not indicate a failure.
I use Windows environment, so I use an OpenSSL tool I found on the internet.

Getting "curl: (58) unable to use client certificate" with calls using p12 file

I created a p12 file on my macOS El Capitan, using a .pem and .key file via the openssl command:
openssl pkcs12 -export -in <PEM_file>.pem -inkey <PRIVATE_KEY>.key -out <FILENAME>.p12
Everything went ok. I was able to make my cURL calls using this p12.
When I did the same on my Ubuntu 14.04.5 LTS (with the same .pem and .key), I started to receive this message when I used cURL with the p12:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
What am I missing?

curl supports about a dozen different SSL/TLS implementations and how certs&keys are supplied varies depending on which implementation is used in your build. Use curl -V (upper vee) to check. I'd guess, but don't know, the MacOS build uses SecureTransport; the (standard) package on my off-in-the-corner Ubuntu 14.04.4 definitely uses OpenSSL.
Per the man page and confirmed by experiment on my Ubuntu, this build wants PEM format files, not PKCS12. These are the same two files you used as input to openssl pkcs12 -export, or you can concatenate them and just use that for --cert (this can work because PEM format marks each block separately); and if you don't have them anymore you can just use openssl pkcs12 -in foo.p12 -out foo.pem (i.e. OMIT -export) to convert back.
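
Converting a PKCS#12 file back to a single PEM file and confirming that it holds a certificate and its matching key, as an added example that is not part of the original answer. The client key, certificate and pass phrase are constructed; -nodes is used here so the script runs without a prompt and leaves the key unencrypted.

```sh
#!/bin/sh
# Added example: constructed client key, certificate and pass phrase.
set -u
WORK=$(mktemp -d)
PASS='example-pass'

# Build foo.p12 the way the question did (openssl pkcs12 -export).
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client.example" \
        -keyout "$WORK/client.key" -out "$WORK/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
        -out "$WORK/foo.p12" -passout "pass:$PASS"
}

# PKCS#12 -> one PEM file with certificate and key blocks (no -export).
# The key is written unencrypted, so restrict the file mode.
p12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$WORK/foo.p12" -out "$WORK/foo.pem" -nodes \
          -passin "pass:$PASS" 2>/dev/null )
}

# Count PEM blocks of one type, e.g. CERTIFICATE or "PRIVATE KEY".
count_blocks() {
    grep -c -- "-----BEGIN [A-Z ]*$1-----" "$WORK/foo.pem"
}

# Key and certificate belong together when their public keys are identical.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/foo.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/foo.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_p12
p12_to_pem
echo "certificates: $(count_blocks CERTIFICATE), keys: $(count_blocks 'PRIVATE KEY')"
key_matches_cert && echo "foo.pem holds a matching certificate and key"
```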

How to add an intermediate certificate to a pfx file

I've been using a certificate that's stored on the server in a myserver.pfx file.
However, behavior is not the same in all browsers and some complain on account of, I think, a missing 'intermediate' certificate.
I've downloaded the intermediate certificate from Gandi: GandiStandardSSLCA.pem
Now, my question is, how can I add that intermediate certificate into the pfx file?
Although the server is Windows, I'm trying to use openssl on a Linux machine to manipulate the certificates, just because that's where I have openssl available. I'm assuming this doesn't matter.
One thing I've tried, is to use openssl to export myserver.pfx to myserver.pem, a text file. Then, with a text editor, I've added the text of GandiStandardSSLCA.pem to myserver.pem in hopes of then converting back to pfx format. However, I couldn't get openssl to do that conversion back to pfx.
Is this possible? If so, at the text editing stage, does it matter if the intermediate certificate text goes at the beginning or the end? Also, would I need to manufacture 'Bag Attributes' somehow?
Or, is the whole operation done in one line with openssl?

The .pfx file can be prepared by exporting the intermediate certificate .pem file with the below command example.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Reference:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
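
Checking that -certfile really put the intermediate into the .pfx, as an added example that is not part of the original answer. The two-level PKI is constructed: more.crt plays the downloaded intermediate, certificate.crt and privateKey.key the server's own pair, and the pass phrase is a placeholder.

```sh
#!/bin/sh
# Added example: constructed CA, server certificate and pass phrase.
set -u
WORK=$(mktemp -d); cd "$WORK" || exit 1
PASS='example-export-pass'

make_pki() {
    # Stand-in for the intermediate CA certificate (more.crt).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Intermediate CA" -keyout ca.key -out more.crt 2>/dev/null
    # Server key and CSR, then a server certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver.example" \
        -keyout privateKey.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA more.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out certificate.crt 2>/dev/null
}

# PFX without the intermediate: what a client sees when the chain is incomplete.
export_leaf_only() {
    openssl pkcs12 -export -out leafonly.pfx -inkey privateKey.key \
        -in certificate.crt -passout "pass:$PASS"
}

# The answer's command: -certfile adds the extra certificate(s) to the PFX.
export_with_chain() {
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
        -in certificate.crt -certfile more.crt -passout "pass:$PASS"
}

# Number of certificates stored in a PFX (1 = leaf only, 2 = leaf + intermediate).
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        grep -c "BEGIN CERTIFICATE"
}

# Subject line of every certificate stored in the PFX.
list_subjects() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep "^subject"
}

make_pki && export_leaf_only && export_with_chain
echo "leaf only:      $(count_certs leafonly.pfx) certificate(s)"
echo "with -certfile: $(count_certs certificate.pfx) certificate(s)"
list_subjects certificate.pfx
```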