This question already has answers here:
How to get .pem file from .key and .crt files?
(12 answers)
Closed 4 years ago.
I downloaded the files from a ssl purchase and got from it the following files:
ServerCertificate.cer
CACertificate-ROOT-2.cer
CACertificate-INTERMEDIATE-1.cer
PKCS7.p7b
A client requires 2 crt.pem files. One of which needs to come from the ServerCertificate.cer and another from a so called PFC file that should of been provided. Which is aparently a combination of the certificate and the key.
I have tried using:
openssl x509 -inform der -in certificate.cer -out certificate.pem to convert the first file however I get a "Unable to load certificate" error.
What am I doing wrong?
PS Please dont link me to https://www.sslshopper.com/ssl-converter.html, as this isn't working either.
If by PFC you actually mean PFX, then you can convert p7b to pfx (PKCS#7 to PKCS#12) using openssl.
ServerCertificate.cer is most likely PEM. Follow Steffen's comment:
Extensions do not matter. It is likely that your *.cer files are already in PEM format and you just have to rename these if you want a file name of *.pem but not convert. Look at the contents with some editor: if it is binary it is likely DER encoded, if it starts with something like -----BEGIN CERTIFICATE----- it is PEM encoded.
If it is not PEM, then it is binary and openssl can convert it to PEM.
Normally you need two files: the private key (ServerCertificate.key) and the certificate (ServerCertificate.cer). Sometime you also need the root and intermediate certificates depending on who issued your certificate (you don't say).
None of the file that you listed is the private key. This was created as the first step to create the CSR (certificate signing request) that you sent to the ssl vendor. PFX has the option to include the private key in its file format.
If you created the CSR on Windows (IIS) then you don't send anything to the customer, you complete the CSR on the computer that created the CSR. Then you can export the certificate package.
Related
I want to be able to send certificates in my API requests.
Please see - Add certificate on request with RestSharp
As shown in that post. I need to convert .crt and .key to .pfx , however my current certificates are .pem, so I thought I will need to convert them into .crt and .key first and then use the openssl comand used in that post to convert them into .pfx and then carry on with the rest of the solution.
My certificates are -
CRT file -
C:\Users\JohnSmith\Downloads\certsh\client-crt.pem
Key file -
C:\Users\JohnSmith\Downloads\certsh\client-key.pem
I was able to convert the Key file to a .key , but when trying to convert the CRT file I am getting this error.
unable to load certificate 13668:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: TRUSTED CERTIFICATE error in x509
I am using this command to try and convert the .pem to .crt
x509 -outform der -in client-csr.pem -out client.crt
The extension .pem indicates that the format of the file is PEM (Privacy-Enhanced Mail) (RFC 7468). The content of the file may be a certificate, a private key, a public key, or something else. If you open a PEM file with a text editor, your will see -----BEGIN ?????----- at the top.
The extension .crt implies that the content of the file is a certificate. However, the extension does not tell anything about the file format. The format may be PEM, DER (Distinguished Encoding Rules) (X.690), or something else. If the file contains -----BEGIN CERTIFICATE-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The extension .key implies that the content of the file is a private key. However, the extension does not tell anything about the file format. The format may be PEM, DER, or something else. If the file contains -----BEGIN PRIVATE KEY-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.
The string csr, which is a part of the file name client-csr.pem, implies that the content of the file is CSR (Certificate Signing Request). Note that CSR is NOT a certificate. It seems you are trying to convert the file format of client-csr.pem from PEM to DER, but the CSR will never become a certificate by converting the file format. What you should give to the openssl command is not client-csr.pem but client-crt.pem, I think.
Understanding relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468) will improve the quality of your questions and help you avoid wasting time. I hope that diagrams below excerpted from "Illustrated X.509 Certificate" can help you.
I have the following files:
filename.key (RSA PRIVATE KEY)
filename.pem (CERTIFICATE REQUEST)
certificate.cer (CERTIFICATE)
CertificateChain.p7b
I have received these files from the CA including the certificate chain.
I need to generate 'keystore.p12' to configure SSL for spring boot application with the following information.
server:
port: 443
ssl:
key-store: keystore.p12
key-store-password: <your-password>
keyStoreType: PKCS12
keyAlias: <my alias>
Can anyone please help me to generate the 'keystore.p12'?
File extensions do not actually control the format or contents a file, although usually they should provide at least partial description. Similarly basenames (before the extension) should describe what is in the file, but do not always do so correctly. What matters is what is in the files.
.key is usually used for a lone privatekey, but look at it to make sure, and also to determine what format it is in because there are many. You should never get your privatekey from a CA; it should be generated locally, usually on the machine where it will be used and at least by the 'owner' or admin of that machine. There might be a sort-of exception if you are talking about a CA internal to a company, organization, agency, or office -- in that case the person running the CA may be the same person who is responsible for security on all the machines -- or vice versa, depending on your perspective -- and it may make sense for them to generate both the key and the cert.
.pem is used for lots of things in PEM format, and what the contents of that file is (or are) matters more than the fact of it being PEM. Look at the first line -----BEGIN (somewords)----- and see what the word(s) is(are). That should be followed either immediately or after a few header lines by data in base64 (a solid block of letters, digits, and the special characters + / =), then a matching -----END (somewords)----- line. If the END line is followed by a another similar block, or several, look at all of them.
.cer is commonly used for certificates in either 'DER' (binary) or 'PEM' (as above) format. .p7b is similarly used for 'dummy' PKCS7 messages containing certificates -- especially certificates used in a chain -- in either DER or PEM. More significantly, p7b is sometimes used for the whole chain including the end-entity (server) cert, and sometimes the rest of the chain excluding the EE cert, and it matters which. If you have OpenSSL -- or can get it (e.g. by installing a package, or for Windows I recommend the installer from http://www.slproweb.com/products/Win32OpenSSL.html ) or can move your data to a machine that has it -- then do:
# if the p7b file is in PEM format (you can see ----BEGIN PKCS7----- line)
openssl pkcs7 -in file.p7b -print_certs
# if the p7b file is in DER format (looks like garbage in a text editor or display)
openssl pkcs7 -in file.p7b -inform der -print_certs
# for now look only at the subject= and issuer= lines to see
# for each cert in the file who it is for, and if/how they chain
Then:
if the .key file is a privatekey in one of the PEM formats supported by OpenSSL you can use that; else if .key is a privatekey in some other format, or .pem is or includes a privatekey in some format, you'll need to convert and/or extract it: tell us more about what those files look like.
if the .p7b file is in PEM or DER format, put its expanded output (from above) in a file. If this includes the EE cert skip the next step.
if the .p7b file does not include the EE cert, but the .cer file is that cert, if in PEM format just append it to the file containing the .p7b output; if in DER format convert it with openssl x509 -in file.cer -inform der and append that.
if you now have the privatekey in one of the PEM formats supported by OpenSSL, and the cert chain including the EE cert in PEM format, do
openssl pkcs12 -export -in chain.pem -inkey key.pem -out newfile.p12 [-name x]
# the -name option provides the 'alias' used by Java
# if not specified it defaults to the numeral 1 (one)
Could someone explain, how are all certificates built?
There are many files that are generated while getting a certificate (.csr .key .cert .pem).
What each file contain?
From what I already got .key file is a file with private key.
From that .key is generated .csr, which can be send to CA.
However webhosting providers each ask for different set of files (or name it randomly?). How to distinguish which file is which?
For example .pem and .cert files, each start with -----BEGIN CERTIFICATE----- which is confusing (at last for me).
Any kind soul would care to explain how it all works?
PEM is an encoding that is also used as extension. All files that start with -----BEGIN CERTIFICATE----- are PEM encoded. Even the .key. That said, a .pem file could be a key, a certificate, a chain certificate, etc. You should name it well to know what it is.
All .crt and .cert extensions mean the file is a certificate. The Certificate Authority chooses which extension they will send the file.
The .csr is also PEM encoded, but it is a Certicate Signing Request. It is created when you generate your .key file. With it you can ask for a CA to issue a certificate for you.
---Edit---
Based on your comment, you have received three files from letsencrypt: cert.pem, chain.pem and fullchain.pem. You also might have a privkey.pem.
To configure your certificate you can bother using just the privkey.pem and fullchain.pem which is just a concatenation of cert.pem and fullchain.pem. You need to setup those files in your web server, each web server is different and you might look for their specific instructions.
I have created a self-signed certificate with makecert, exported it with private key to .pfx file and imported on the server. Then I copied one on the client and tried importing it using keytool. Got an error Input is not an X.509 certificate.
So I converted .pfx certificate to .pem using openssl and tried again - same result.
I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single certificate PEM files. Even though mine is a single certificate, PEM file contains private key information:
-----BEGIN PRIVATE KEY----
-----END PRIVATE KEY------
----BEGIN CERTIFICATE-----
----END CERTIFICATE-------
So I am not sure what should be my next step to ensure import will work when done with keytool on the client.
Can anyone shed some light on this issue?
I am config the ssl using Mechanize, according the document I need to set the
agent.cert = 'example.cer'
agent.key='example.cer'
but how can I get these two file? I also find that ssl file has a lot of types, such as .cer .pem .crt .key, what is the relationship between them?
Let's start from PEM files, which are your digital certificates written in form encoded in only basic ASCII characters, they can be easily copy&pasted, e-mailed, printed. More about them:
Working with PEM files
How to get an OpenSSL .pem file from .key and .crt files?
The file with .crt extension is PEM or DER, which is just binary encoded certificate. This extension is recognized by Windows, while PEM or DER aren't.
The file with .key extension is just your private key. It's stored in separate file. Format not standardized.
You will find more information about all these formats in the answer on serverfault: What is a PEM file and how does it differ from other OpenSSL generated key file formats?