Convert PFX to PEM with Key INCLUDING INTERMEDIATE certificates - ssl

I have a PFX that I want to convert to a CRT and Key or PEM and Key to install on an NGINX endpoint. When I import the pfx to my cert store on my windows machine it creates the certificate, the intermediate chain, and the root CA.
If I take that PFX and run the following openssl commands I and bind it to the endpoint, I don't get all the certificates in the chain:
openssl pkcs12 -in ./GoDaddy.pfx -clcerts -nokeys -out pcc.crt -nodes -nokeys
openssl pkcs12 -in ./GoDaddy.pfx -nocerts -nodes -out pcc.rsa -nodes -nokeys
Is there a switch or command I can run to convert the PFX to a crt / rsa or pem /key with all of the certificates up the chain to the root CA?

Since you want everything, you just need to reduce the number of restrictions you are asking for.
so:
openssl pkcs12 -in ./GoDaddy.pfx -out ./GoDaddy.pem
If you read the documentation you will see what you are asking for:
-nocerts
No certificates at all will be output.
-clcerts
Only output client certificates (not CA certificates).
-nokeys
No private keys will be output.
-nodes
Don't encrypt the private keys at all.

You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
# Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
# Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
# combine ca-certs and cert files
cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt
# Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key
Link:
https://gist.github.com/mediaupstream/a2694859b1afa59f26be5e8f6fd4806a

Related

Convert p7b file into p12 file format

I have generated pem and csr files using the below command.
openssl req -newkey rsa:2048 -keyout key.pem -out req.csr
After this, I sent csr file to the authority and got p7b certificate.
Now, I tried to convert p7b file to p12 format with the below commands.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -out certificate.p12 -inkey key.pem -in certificate.cer
However, it gives the below error.
No certificate matches private key
error in pkcs12
How can I convert p7b file into p12 file format?
I think you must call privatekey file
openssl pkcs12 -export -inkey privateKey.key -out certificate.p12 -inkey key.pem -in certificate.cer

Convert pem key to p12 when having 1 key and 1 pem

I'm having a hard time creating a p12 key. Here are the steps I did:
1: openssl genrsa -out priv.key 4096
2: openssl req -new -sha256 -key priv.key -out priv.csr
3: Converted the csr into a priv.pem file from a website specially for this (payment gateway).
And here I'm stuck. According to this website following code can be used:
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root
The problem for me is: I only have one pem key but the above requires two. So can I with only my pem key now convert it into a p12 key with password?

How to get the certificate part only and the private key part only respectively from PEM file in the command way?

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM, by, for instance:
openssl pkcs12 -in cert_and_pvt_key.pfx -out cert_and_pvt_key.pem
then I have a PEM file with both certificate and private key, now, I want to get certificate file and private key file respectively, yes, I know cert_and_pvt_key.pem is in text format, we can copy the key part and cert part as we like, but, this is not elegant, I want something sophisticated, like openssl pkcs12, is there anything available?
You can use the -nocerts and -nokeys option to openssl pkcs12 to only output the part you need. Run openssl pkcs12 with each in turn:
openssl pkcs12 -in cert_and_pvt_key.pfx -nokeys -out cert.pem
then:
openssl pkcs12 -in cert_and_pvt_key.pfx -nocerts -out pvt_key.pem
If you haven't got access to the original PKCS#12 file, then it becomes a little more difficult. The following should work:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nokeys -out cert.pem
and:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nocerts -out pvt_key.pem
However, this asks for a pass-phrase when the the PKCS#12 is created and again when it attempts to split the file to certificate and keys. OpenSSL provides the -nodes verb to disable this pass-phrase, but it doesn't seem to work with -export. Therefore, it would fail in a script.
Otherwise, you're left with splitting the file with awk or similar. There are plenty of examples on this site.

Unable to get local issuer certificate while processing chain

I do have private key(my_ca.key) and public key(my_cert.crt) which is signed by DigiCert. Now I want to create RA(Registration Authority) and sign it by my private key . Here is the way I tried to do that. But when I try to export private and public key as pkcs12 file I have been getting error like this unable to get local issuer certificate getting chain. No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3 and that one extended from DigiCert High Assurance EV Root CA
SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root"
openssl genrsa -out ra.key 4096
openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem - set_serial 76964474 -out ra.crt
openssl rsa -in ra.key -text > ra_private.pem
openssl x509 -in ra.crt -out ra_cert.pem
openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem - chain -CAfile my_cert.pem -name "racert" -passout pass:password
You usually can't use a certificate issued by a public CA to sign anything but client or server traffic; you won't be able to use it for your RA.
The error message indicates that there is a problem with the intermediate certificates. Make sure that you add both of Digicert's certificates to the my_cert.pem file before exporting it to pkcs12

No certificate matches private key while generating .p12 file

I have successfully generated .p12 file but I got a message which is a follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:
`Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange `
Please clarify.
Thanks
Source
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair :
openssl genrsa -out aps_development.key 2048
Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly same issue. Below two commands worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.