I know there are other similar Q/A about this but they are somewhat confusing and do not help solving my question.
I got a certificate from sslforfree: zip output contains 3 files:
ca_bundle.crt
certificate.crt
private.key
As I need to provide my maintainer with a .pfx certificate, I installed OpenSSL and tried to follow some hints on this and other forums.
The command line should be:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
OR
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -in intermediate.crt -in rootca.crt
It's not clear to me:
what does "domain.name" refer to, for even if I typed my domain's name in creating the certificate, none of the 3 received files contains a visible reference to it.
should I use ca_bundle.crt or certificate.crt in creating the .pfx ?
Could someone please give me a plain command line example, given above received files' names?
It came out that trying to use "ca_bundle.crt" resulted in a command line verbose error output, so I switched to "certificate.crt" and it worked just fine. Again, I have no idea what the "ca-bundle.crt" file is for, but it looked totally useless for my present needs.
Given input files the command line used was:
openssl pkcs12 -export -out xyzdomain.com.pfx -inkey private.key -in certificate.crt
and the exported .pfx was subsequently successfully installed.
The command which you have found is exactly correct. I will just reframe the code for you as per your file names:
1) ca_bundle.crt
2) certificate.crt
3) private.key
openssl pkcs12 -export -out filename.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt
As you have ca_bundle.crt you don't need to insert -in intermediate.crt -in rootca.crt commands in OpenSSL since it contains both intermediate and root
Else you can check out the alternate way here
In the second command, openssl pkcs12 -export -out xyzdomain.com.pfx -inkey private.key -in certificate.crt, you have not used the intermediate and root, so you will get an error of intermediate missing on any SSL checker.
If you get an error while importing ca-bundle.crt, you need to ask your vendor to provide the correct bundle certificate file.
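An added example (not part of the original answer) that exports the three file names from the question twice, once with the leaf alone and once with the CA bundle passed through -certfile, and counts the certificates that end up inside each PFX. The throwaway CA, the leaf, the passphrase and the function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original answer. The CA and leaf below are
# constructed throwaway material so the export can be run offline.
set -e

make_sample_files() {    # $1 = directory that receives the three files
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca_bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=xyzdomain.com" \
        -keyout "$1/private.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca_bundle.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/certificate.crt" 2>/dev/null
}

# Leaf certificate and key only: the chain is left out of the PFX.
export_leaf_only() {     # $1 = directory, $2 = output file
    openssl pkcs12 -export -out "$2" -inkey "$1/private.key" \
        -in "$1/certificate.crt" -passout env:PFX_PASS
}

# Leaf via -in, CA bundle via -certfile: the chain travels inside the PFX.
export_with_chain() {    # $1 = directory, $2 = output file
    openssl pkcs12 -export -out "$2" -inkey "$1/private.key" \
        -in "$1/certificate.crt" -certfile "$1/ca_bundle.crt" -passout env:PFX_PASS
}

count_certs() {          # $1 = PFX file; prints how many certificates it holds
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Constructed passphrase, read from the environment so it stays out of argv.
PFX_PASS='constructed-demo-passphrase'; export PFX_PASS
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_files "$demo_dir"
export_leaf_only  "$demo_dir" "$demo_dir/leaf_only.pfx"
export_with_chain "$demo_dir" "$demo_dir/with_chain.pfx"
echo "leaf only:  $(count_certs "$demo_dir/leaf_only.pfx") certificate(s)"
echo "with chain: $(count_certs "$demo_dir/with_chain.pfx") certificate(s)"
```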
Related
I am trying to create a p12 keystore using the following command:
openssl pkcs12 -export -out localhost.p12 -name "localhost" -inkey localhost.key -in localhost.crt
However, the generated keystore file is blank (0KB). I am unable to comprehend where I am going wrong.
I can provide the localhost.key and localhost.crt files if needed.
Thanks and regards.
I got the crt+ca bundle and private key from https://punchsalad.com/ssl-certificate-generator/, I wonder how to convert the files into PKCS12 which I can use in SpringBoot?
I found online tutorials only mention .pem format and the following instruction needs chain.pem. I wonder how to get this file.
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
Relevant links:
https://www.sslshopper.com/ssl-converter.html
Thank you.
Glad to help you,
I just ran into this problem.
The ssl files obtained from https://punchsalad.com/ssl-certificate-generator/ are txt files containing ca-bundle.txt and private-key.txt
To convert to pfx, just change the downloaded txt file ca-bundle.txt to certificate.crt, private-key.txt to private.key and enter the following command.
sudo openssl pkcs12 -export -out FILE.pfx -inkey private.key -in certificate.crt
The -certfile option is optional.
I am successful when uploading pfx in Azure Web App Service.
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM, by, for instance:
openssl pkcs12 -in cert_and_pvt_key.pfx -out cert_and_pvt_key.pem
then I have a PEM file with both certificate and private key, now, I want to get certificate file and private key file respectively, yes, I know cert_and_pvt_key.pem is in text format, we can copy the key part and cert part as we like, but, this is not elegant, I want something sophisticated, like openssl pkcs12, is there anything available?
You can use the -nocerts and -nokeys option to openssl pkcs12 to only output the part you need. Run openssl pkcs12 with each in turn:
openssl pkcs12 -in cert_and_pvt_key.pfx -nokeys -out cert.pem
then:
openssl pkcs12 -in cert_and_pvt_key.pfx -nocerts -out pvt_key.pem
If you haven't got access to the original PKCS#12 file, then it becomes a little more difficult. The following should work:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nokeys -out cert.pem
and:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nocerts -out pvt_key.pem
However, this asks for a pass-phrase when the PKCS#12 is created and again when it attempts to split the file to certificate and keys. OpenSSL provides the -nodes verb to disable this pass-phrase, but it doesn't seem to work with -export. Therefore, it would fail in a script.
Otherwise, you're left with splitting the file with awk or similar. There are plenty of examples on this site.
I'm sure that this has been asked several times, but solutions to those cases didn't work for me. So I need your help.
Consider x.root.cer is CA's certificate, x.app.cer is Application's certificate signed by CA's certificate, and x.app.private.pem is Application's private key.
I'm using the following command in order to create a pfx file (I want to include both the private key and the certificate of the application).
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx -certfile x.root.cer
Even though I know (can see) that 3 files are there, I'm getting the following error:
unable to load certificates
Can you please help me about this error?
Well, finally I succeeded with this command
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx
That means I shouldn't use -certfile parameter.
I have successfully generated .p12 file but I got a message which is as follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:
Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange
Please clarify.
Thanks
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair: openssl genrsa -out aps_development.key 2048
Create CSR: openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly same issue. Below two commands worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.
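An added example (not from any of the answers above) that runs the two checks those answers describe before an export is attempted: whether the certificate is PEM or DER encoded, and whether its public key is the one belonging to the private key. It compares the certificate rather than the CSR, assumes an unencrypted private key, and uses constructed keys, certificates and function names.

```sh
#!/bin/sh
# Added example, not from the original answers. All keys and certificates
# are constructed throwaway material so the check can be run offline.
set -e

cert_encoding() {        # $1 = certificate file; prints PEM, DER or unknown
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo DER
    else echo unknown; fi
}

spki_digest() {          # stdin = PEM public key; prints SHA-256 of its DER form
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the certificate carries the public half of the private key.
cert_matches_key() {     # $1 = certificate (PEM or DER), $2 = unencrypted PEM key
    enc=$(cert_encoding "$1")
    [ "$enc" != unknown ] || return 2
    from_cert=$(openssl x509 -inform "$enc" -in "$1" -noout -pubkey | spki_digest)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | spki_digest)
    [ "$from_cert" = "$from_key" ]
}

ensure_pem() {           # $1 = certificate (PEM or DER), $2 = PEM copy to write
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -outform PEM -out "$2"
}

make_samples() {         # $1 = directory; file.cer is the DER form of file.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=xyzdomain.com" \
        -keyout "$1/file.key" -out "$1/file.crt" 2>/dev/null
    openssl x509 -in "$1/file.crt" -outform DER -out "$1/file.cer"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_samples "$demo_dir"
for key in file.key other.key; do
    if cert_matches_key "$demo_dir/file.cer" "$demo_dir/$key"; then
        echo "$key: matches file.cer ($(cert_encoding "$demo_dir/file.cer"))"
    else
        echo "$key: does NOT match file.cer"
    fi
done
```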