OpenSsl: how to create PFX/P12 without including CA files? - ssl

I have a trusted certificate chain, a certificate issued by this chain and private key file for this certificate.
I want to create a P12 / PFX for this, so I can put it as client certificate in the windows store:
OpenSsl Pkcs12 -export -nokeys
-certfile mytrustedCertifcates.pem^
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
Alas, the resulting file contains all trustedCertificates. If I import the P12 in my windows certificate store, I import the complete certificate chain, although they are already in the certificate store.
I also tried options: (from OpenSsl command line utilities, also in -help)
-nocerts don't output certificates.
-clcerts only output client certificates.
Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.

BartonJs gave the answer in a comment (thank you BartonJs!):
leave out the --certfile parameter:
OpenSsl Pkcs12 -export -nokeys
-name some friendly name
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
nokeys: leaves out the PEM password
name: the friendly name that will appear in column friendly name of the winstore
inkey and in are the input certficate with its private key
out is the name of the file to produce.
After importing it in the windstore (command: certlm.msc), It propertly says:
Issued to:
Issued by:
Expiration date
Intended purposes
Friendly name:

Related

Create custom certificate for dynamics portal using certbot/openssl

I need to create a custom certificate for my dynamics portal to use implicit grant flow. I create certificate with command
certbot certonly --manual --preferred-challenge dns
I then create pfx with the openssl command
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
However I get the error when trying to upload it to the power platform admin centre
The password entered is incorrect or the encryption method used by the
certificate is not supported.
So then tried the following command to create the pfx with triple des using
openssl pkcs12 -export -descert -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
But am still getting the same error. As far as I can see the certificate meets requirements of:
Signed by a trusted certificate authority.
Exported as a password-protected PFX file.
Contains private key at least 2048 bits long.
Contains all intermediate certificates in the certificate chain.
Must be SHA2 enabled; SHA1 support is being removed from popular browsers.
PFX file must be encrypted with TripleDES encryption. Power Apps portals doesn't support AES-256 encryption
The only thing I can think is the pfx isn't getting encrypted with 3des but looking at the openssl documentation the -descert command should take care of that. Am I missing something here?

I can't export any certificate to PKCS 12, Could not read private key / openssl program

I can't export domain signed certificate, with the command:
openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.pfx
It pops up for me:
Could not read private key from -inkey file from domain.key
FC210000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:..\crypto\store\store_result.c:151:
FC210000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:..\providers\implementations\ciphers\ciphercommon_block.c:124:
FC210000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:..\crypto\pkcs12\p12_decr.c:86:empty password
I have my own certification authority certificate which is valid. I would like to export my regular certificate and sign it with this CA. But I can't do that because I can't export domain signed certificate.
I use OpenSSL on Windows 11 Pro for home users. I know it should be done through the server but I don't want to install it additionally
I simply wanted to export the certificate with the private key to PFX via openssl. I received the error described exactly above:
Could not read private key from -inkey file from domain.key.
I was expecting a successful export and subsequent signing of the certificate (if I had to) by an existing self-signed (it's in the CA trusted certificate store) CA certificate

Cannot create pfx file from cer file with openssl

I'm sure that this has been asked you several times, but solutions to that cases didn't work for me. So I need your help.
Consider x.root.cer is CA's certificate, x.app.cer is Application's certificate signed by CA's certificate, and x.app.private.pem is Application's private key.
I'm using following command in order to create pfx file (want to include both private key and certificate of application).
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx -certfile x.root.cer
Even though I know (can see) that 3 files are there, I'm getting the following error:
unable to load certificates
Can you please help me about this error?
Well, finally I suceeded with this command
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx
That means I shouldn't use -certfile parameter.

How to create P12 file using openssl

I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12

After signing .mobileconfig profile it shows as "Unverified" - "The ceritifcate was signed by an unknown authority"

I'm trying to sign a configuration profile (CardDav) with my SSL certificate issued by networksolutions.com
NetworkSolutions.com should be one of the providers that's in iOS/OSX trusted ceritifcates according to this
I've also seen other configuration profiles signed by NetworkSolutions that were "Verified" just fine.
This is the Ruby code I use to sign the profile
ssl_key_str = File.read(Rails.root.join("config/ssl/server.key"))
ssl_key = OpenSSL::PKey::RSA.new(ssl_key_str)
ssl_cert_str = File.read(Rails.root.join("config/ssl/server.crt"))
ssl_cert = OpenSSL::X509::Certificate.new(ssl_cert_str)
signed_profile = OpenSSL::PKCS7.sign(ssl_cert, ssl_key, profile, [], OpenSSL::PKCS7::BINARY)
Also tried to sign with openssl:
openssl smime -sign -in apple_sync_profile-unsigned.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile server.crt -outform der -nodetach
Still getting "Unverified"
Digging deeper by trying to open the mobileconfig file on my Mac, it shows "this certificate was signed by an unknown authority"
I tried to compare with this other profile that I downloaded and shows up as Verified but could not come up with any meanigful difference.
Any recommendations?
Is there any tool I could use to sign profile other than openssl which might be able to provide more insight?
How to Sign and verify a .mobileconfig file in apple
Export certificate from the key chain
keychain access --> Certifcates(LeftPanel)--> right click the particular certificate and export the certificate.
convert .p12 file to PEM file (converting use this link www.sslshopper.com/ssl-converter.html)
Eg: InnovCertificates.p12 to InnovCertificates.pem
Download Apple Root Certificate and Apple Intermediate Certificate
(For my .mobileconfig file verification i am used Apple Inc. Root Certificate(Apple Root Certificate) and
Application Integration Certificate (Apple Intermediate Certificate) certificates.
you can also use these certificates or other certificates that have in the apple certificates www.apple.com/certificateauthority/)
The download file is combination of certificate and keys . (Read the certificate in Terminal commands are following link info.ssl.com/article.aspx?id=12149)
From this certificate file we need extract certificate.
extract certificate from Apple Root Certificate. Then extract certificate from Apple Intermediate Certificate
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out root.crt.pem
openssl x509 -inform DER -outform PEM -in AppleAAICA.cer -out Intermediate.crt.pem
open the two extracted file in text editor,
copy and paste the Intermediate.crt.pem to beginning of the root.crt.pem and save .then your root.crt.pem file is combination of two certificate.
Sign and verify the .mobileconfig file
Once you have all the files listed above, you will run a command like the following:
openssl smime -sign -in Example.mobileconfig -out SignedVerifyExample.mobileconfig -signer InnovCertificates.pem -certfile root.crt.pem -outform der -nodetach
The result .mobileconfig file is signed and verified.
Use full links:
renren.io/questions/637349/ios-mobileconfig-walkarounds
developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/smime.1ssl.html#//apple_ref/doc/man/1/smime
www.apple.com/certificateauthority/
www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
info.ssl.com/article.aspx?id=12149
www.sslshopper.com/ssl-converter.html
wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
stackoverflow.com/questions/9277426/ios-mobileconfig-walkarounds
stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files
discussions.apple.com/thread/2363234
My certificate was signed by a sub-CA and did not contain the full certificate chain. In order for the signing to be complete, you must provide a full server.crt certificate which contains the full chain of certificates.
Download the sub-certificates from your certificate provider (e.g: Startssl) and add them to your server certificate simply by cat server.crt ca-bundle.crt > server.crt)