Complete Certificate Request with .p7b file - ssl-certificate

In IIS 8, I created a Certificate Signing Request. After creation, I can see a certificate in "Certificate Enrollment Requests" in Microsoft Management Console (MMC), as well as the created CSR file. I took the content of the CSR file, and then enrolled with Symantec. After enrollment, a "cert.p7b" file was sent to me. This file contains my certificate, plus intermediate certificate.
At this point, I am not so sure of the correct next step. I know that I need to export out my certificate from "cert.p7b" into a .cer file first.
After that, should I take this exported .cer file, and then do a "Complete Certificate Request" in IIS 8 with it? I notice that when selecting a file in "Complete Certificate Request", the default extension is .cer. Can it take the whole "cert.p7b" file instead?
Instead of doing a "Complete Certificate Request", can I simply just open the exported .cer file, and do a "Install Certificate..."?
Thanks in advance.

Related

Go Daddy SSL certificate disappear in IIS After Installing

I am trying to install the SSL certificate on the IIS, I am following the exact step mentioned here https://pk.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-10-server-27349.
Steps I did:
I purchased the SSL certificate from Go Daddy
I configured that on Go Daddy by giving the domain name
Submit the changes for getting the certificate
After verification downloaded the certificate
Created .Cer file from the .crt file
Imported the gd-g2_iis_intermediates.p7b in MMC under the intermediate certificate authority
Create a request in IIS and import .Cer file
After refreshing that window, the certificate doesn't appear
Am I doing something wrong in this?
So the thing is I was facing an issue because I couldn't able to produce the .pfx file from my machine using MMC, but DigiCert tool helped me to create the .pfx file from the .crt file I got from the Go Daddy. Instructions to create the file are on this link
https://www.digicert.com/kb/util/pfx-certificate-management-utility-import-export-instructions.htm
Later I went to the MMC and to the intermediate certificate authority and I imported the .pfx file along with the password and the certificate got exported to the system and to the IIS and now it's visible in the IIS.

PEM file (export certificate - trusted in Postman)

I need to create a PEM file of a SSL (CA) certificate. Chrome does provide an option to view the certficate and export it as Base64 encoded X.509 (.CER)* file. In addition, the file extension can be changed to .PEM. Does the certificate only contain public information and can it safely be shared with other people (let's say colleagues)?
E.g. Stackoverflow contains a Root CA certificate. If I create the PEM file and share it with somebody, does it even matter or is there any security risk?
Background info: I need to export the SSL certificate (as .PEM) from an API endpoint in order to add it as trusted CA certificate in Postman.

How do I install SSL? No Key or CA, Only CRT

I have a VPS with Apache2.
I have installed SSL before in my websites, but always form freeSSL or ZeroSSL, they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have issued a year long SSL service from Comodo SSL, and they send me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no Idea what to do... I tried Google but can't find any guide, they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) ( Extensions may vary but, as you know, on linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the csr can be generate by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you've been asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: login with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a comodo SSL certificate, as I said the email of Comodo didn't give me the key file BUT, after some hours the comodo ssl service started showing on my webhosting control center and going through some menus I reached a button called "download SSL", that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence but is solved. Thanks. The other option was to reach Comodo or Hostinger for help.

How to create a .csr file for only to a certificate that is going to expire in .jks file

One of our certificate is about to expire and by using keytool explorer i selected the .jks file and in that many certificates are there and one is expiring. To renew that certificate i have exported the certificate by using the keystore explorer and got a .cer file. when i shared the .cer file to the client he asked to send the csr file.
enter image description here
You should be selecting the Generate CSR option for that key pair. This will generate the CSR that you need to send.

Azure https with pfx file

I am trying to create an https endpoint for my azure service. I was given an p7b file that I converted into a cer file. From the cer I was able to convert with a few lines of c# to a pfx.
var cert = new X509Certificate2(#"certpath", "
var bytes = cert.Export(X509ContentType.Pfx, "password");
File.WriteAllBytes(#"certpath\cert.pfx", bytes);
Now when I upload the cert to azure everything seems ok, I copy the thumbprint and try to upgrade with the new thumbprint as part of the end point and I get an error in azure.
Certificate with thumbprint 3FA490D1D4957942CD2ED545F6E823D0008796EA2 associated with HTTPS input endpoint "endpointName" does not contain private key.
How did you convert the .p7b to a .cer? You're problem is that cer files don't contain the private key information, so when you exported it as a pfx, it doesn't have the information that it needs to work with SSL.
The easiest way to convert to a pfx is probably to import the certificate onto your local machine (using certmgr.msc), then export it making sure you select the "Yes, export the private key" option.
EDIT: After doing some more research after GregS' comment, the problem is still the same, you're pfx doesn't have the private key it needs to work with SSL, but the cause is actually that the .p7b file doesn't have a private key to begin with. You need to use a different certificate. There is already a question related to this on server fault.
I had the same problem trying to generate .pfx for Azure. The p7b certificate was generated by Thawte. After some research I was able to make it work.
Generate CSR (certificate request) from IIS. It could be your local IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9171
Generate the certificate based on the CSR. The CA takes care of this. If you are generating a self-signed certificate you also could do that from ISS. This is important because when you import it (step 3) IIS will verify that the certificate was generated there.
Import the certificate to your local IIS. It must be a .cer file. Just open your p7b file and you will see the certificate chain in there. Export your domain certificate to a .cer file. Then you can use it to import it to IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10664
Export the certificate to .pfx from IIS. At this point the certificate contains an appropriate private key added by IIS. When you export it, IIS will ask you for a password.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10034
I had exactly the same problem as you once and here is the story of that:
Windows Azure, SSL, Self-Signed Certificate and Annoying HTTPS Input Endpoint Does Not Contain Private Key Error
Getting pfx file from SSL certificate from godaddy. Details here in case it helps.