java.lang.Exception: `Input not an X.509 certificate` when importing .pem certificate - ssl

I have created a self-signed certificate with makecert, exported it with private key to .pfx file and imported on the server. Then I copied one on the client and tried importing it using keytool. Got an error Input is not an X.509 certificate.
So I converted .pfx certificate to .pem using openssl and tried again - same result.
I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single certificate PEM files. Even though mine is a single certificate, PEM file contains private key information:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
So I am not sure what should be my next step to ensure import will work when done with keytool on the client.
Can anyone shed some light on this issue?

Related

Unable to convert .CER file to .PEM [duplicate]

I downloaded the files from a ssl purchase and got from it the following files:
ServerCertificate.cer
CACertificate-ROOT-2.cer
CACertificate-INTERMEDIATE-1.cer
PKCS7.p7b
A client requires 2 crt.pem files. One of which needs to come from the ServerCertificate.cer and another from a so-called PFC file that should have been provided, which is apparently a combination of the certificate and the key.
I have tried using:
openssl x509 -inform der -in certificate.cer -out certificate.pem
to convert the first file; however, I get an "Unable to load certificate" error.
What am I doing wrong?
PS Please don't link me to https://www.sslshopper.com/ssl-converter.html, as this isn't working either.
If by PFC you actually mean PFX, then you can convert p7b to pfx (PKCS#7 to PKCS#12) using openssl.
ServerCertificate.cer is most likely PEM. Follow Steffen's comment:
Extensions do not matter. It is likely that your *.cer files are already in PEM format and you just have to rename these if you want a file name of *.pem but not convert. Look at the contents with some editor: if it is binary it is likely DER encoded, if it starts with something like -----BEGIN CERTIFICATE----- it is PEM encoded.
If it is not PEM, then it is binary and openssl can convert it to PEM.
Normally you need two files: the private key (ServerCertificate.key) and the certificate (ServerCertificate.cer). Sometimes you also need the root and intermediate certificates, depending on who issued your certificate (you don't say).
None of the files that you listed is the private key. This was created as the first step to create the CSR (certificate signing request) that you sent to the SSL vendor. PFX has the option to include the private key in its file format.
If you created the CSR on Windows (IIS) then you don't send anything to the customer, you complete the CSR on the computer that created the CSR. Then you can export the certificate package.
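An added example (not from any of the posts above) of the check Steffen's comment describes: classify a file as PEM or DER from its bytes rather than its extension, and confirm that a binary file's outer ASN.1 length matches its size before treating it as DER. The function names and the placeholder sample are assumptions made for this illustration.

```python
import ssl

PEM_MARKER = b"-----BEGIN "

def der_total_length(data: bytes):
    """Byte length claimed by the outer DER SEQUENCE header, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:     # a certificate is an ASN.1 SEQUENCE (tag 0x30)
        return None
    first = data[1]
    if first < 0x80:                         # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                         # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for file contents, ignoring the extension."""
    if PEM_MARKER in data:
        return "PEM"
    if der_total_length(data) == len(data):  # header must account for every byte
        return "DER"
    return "unknown"

def to_pem(data: bytes) -> str:
    """Pass PEM through unchanged, wrap DER in PEM armor, refuse anything else."""
    kind = detect_encoding(data)
    if kind == "PEM":
        return data.decode("utf-8", errors="replace")
    if kind == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither PEM nor a well-formed DER SEQUENCE")

# Constructed sample: a DER-shaped placeholder (SEQUENCE header plus 256 zero
# bytes). It is NOT a real certificate; it only exercises the encoding check.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    for name, blob in [("binary .cer", SAMPLE_DER), ("text .cer", SAMPLE_PEM),
                       ("truncated download", SAMPLE_DER[:-1])]:
        print(f"{name}: {detect_encoding(blob)}")
```

A file reported as PEM only needs renaming; feeding it to `openssl x509 -inform der` is what produces the "Unable to load certificate" error from the question.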

Understanding SSL/TLS certificates structure

Could someone explain, how are all certificates built?
There are many files that are generated while getting a certificate (.csr .key .cert .pem).
What does each file contain?
From what I already got, the .key file is a file with the private key.
From that .key a .csr is generated, which can be sent to the CA.
However, webhosting providers each ask for a different set of files (or name them randomly?). How to distinguish which file is which?
For example .pem and .cert files each start with -----BEGIN CERTIFICATE-----, which is confusing (at least for me).
Any kind soul would care to explain how it all works?
PEM is an encoding that is also used as extension. All files that start with -----BEGIN CERTIFICATE----- are PEM encoded. Even the .key. That said, a .pem file could be a key, a certificate, a chain certificate, etc. You should name it well to know what it is.
All .crt and .cert extensions mean the file is a certificate. The Certificate Authority chooses which extension they will send the file.
The .csr is also PEM encoded, but it is a Certificate Signing Request. It is created when you generate your .key file. With it you can ask for a CA to issue a certificate for you.
---Edit---
Based on your comment, you have received three files from letsencrypt: cert.pem, chain.pem and fullchain.pem. You also might have a privkey.pem.
To configure your certificate you can bother using just the privkey.pem and fullchain.pem, which is just a concatenation of cert.pem and fullchain.pem. You need to set up those files in your web server; each web server is different and you might look for their specific instructions.

How to create a code signing certificate in PFX/password format with csrgenerator.com?

I'm trying to renew my code signing certificate, which is used as a PFX (and password).
GoDaddy, our cert provider, provides instructions on generating a CSR; however, this appears to be outdated for Windows 10.
I called godaddy and they told me to use csrgenerator.com to generate something like:
-----BEGIN CERTIFICATE REQUEST-----
foo
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
bar
-----END PRIVATE KEY-----
I then pasted the CSR into godaddy's site and they said once the cert is rekeyed, I can download .pem and .spc files.
How am I supposed to create a PFX with password from this? If I understand correctly, I need to generate a CSR from my machine. The GoDaddy rep assured me that csrgenerator.com is generating a CSR for my machine, but I've no idea how it is getting added to my certificates using MMC, much less how I am going to export the cert to a PFX. Even though I have the private key section, I don't see it being applied anywhere.
I know this question was asked several months ago, but I wanted to include a reply in case it helps anyone in the future. (I came across this post when I was trying to accomplish the same thing)
Follow these instructions to create a PFX file from the GoDaddy certificate:
https://www.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698
If you cannot complete these steps because the PFX option is greyed out, then the CSR generated does not allow the private key to be exported. I'm pretty sure the GoDaddy instructions linked in the question above are only for Windows Server. However, I was able to complete the following instructions on Windows 10 to generate a CSR that allowed the private key to be exported: http://www.entrust.net/knowledge-base/technote.cfm?tn=8924

How do I split a multi-valued p12 certificate into separate certificates

I am attempting to integrate with Apple PNs and I currently have a p12 certificate that has both the Sandbox and Production certs within it. But I have read that Java SSL will only read the first one, and that for JavaPNS (the APN client I am using), says to use separate certs for this reason.
So using something like openssl, how can I take my current cert and separate it out into 2 new certs, one for the Sandbox and one for Production?
This has nothing to do with APN, it's just about splitting a p12 cert.
As you previously mentioned, you can use OpenSSL to change the p12 format to a PEM format. The PEM format would be accepted but is also not secured with a password, so make sure you get what you need.
openssl pkcs12 -in yourcertificates.p12 -out certificates.pem -nodes
This will put everything in one file, so you will have to open the PEM file in a text editor and take out the required files.
Certificates are separated by
-----BEGIN CERTIFICATE-----
Content
-----END CERTIFICATE-----
Keys would be separated by
-----BEGIN RSA PRIVATE KEY-----
Content
-----END RSA PRIVATE KEY-----
Please update your question if you need any more information.
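The manual text-editor step from the answer above, as an added example that is not part of the original post: it splits the output of `openssl pkcs12 ... -nodes` into its PEM blocks, names each from the preceding `friendlyName` attribute, and reports private keys left unencrypted. The same split yields the certificate-only PEM that the first question on this page needs for keytool; the function names and the sample bundle are assumptions made for the illustration.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
FRIENDLY_NAME = re.compile(r"friendlyName: (.+)")

def split_bundle(text):
    """Return one dict per PEM block; text between blocks is only mined for a name."""
    entries, prev_end = [], 0
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        name = FRIENDLY_NAME.search(text[prev_end:m.start()])
        prev_end = m.end()
        is_key = label.endswith("PRIVATE KEY")
        entries.append({
            "label": label,
            "name": name.group(1).strip() if name else None,
            "is_key": is_key,
            # PKCS#8 encrypted keys have their own label; legacy keys carry a header.
            "encrypted": is_key and (label == "ENCRYPTED PRIVATE KEY"
                                     or "Proc-Type: 4,ENCRYPTED" in body),
            "pem": m.group(0) + "\n",
        })
    return entries

def certificates_only(text):
    """PEM text with just the CERTIFICATE blocks; keys and bag attributes removed."""
    return "".join(e["pem"] for e in split_bundle(text) if e["label"] == "CERTIFICATE")

def unprotected_keys(text):
    """Private-key blocks stored in the clear, which is what -nodes writes."""
    return [e for e in split_bundle(text) if e["is_key"] and not e["encrypted"]]

# Constructed sample shaped like `openssl pkcs12 -nodes` output. The base64
# bodies are placeholders, not real certificates or keys.
SAMPLE = """Bag Attributes
    friendlyName: sandbox
-----BEGIN CERTIFICATE-----
U0FOREJPWA==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: production
-----BEGIN CERTIFICATE-----
UFJPRA==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: production
-----BEGIN RSA PRIVATE KEY-----
S0VZ
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for e in split_bundle(SAMPLE):
        print(e["label"], e["name"], "encrypted" if e["encrypted"] else "clear")
```

Any entry returned by `unprotected_keys` is a private key readable by anyone with access to the file, so restrict the file's permissions or re-encrypt the key before the PEM leaves the machine.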

SSL certificate file type

Bit of a silly question, but:
What kind of file(s) do you get when you buy an SSL certificate from a trusted CA?
Is there a .pfx file?
I'm working on a small tool to manage SSL certificates, but I'm not sure exactly what kind of certificates I'll be dealing with besides the self-signed ones that I create myself.
Thanks!
The .pfx file extension is one. The text below from IBM has some in-depth information.
Certificate file types
Certificates and keys are stored in several types of files.
Files that store certificates and keys can have the following formats:
.pem
A privacy-enhanced mail file, which has a file extension of .pem, begins and ends with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.
.arm
A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.der
A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.
.pfx (PKCS12)
A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate machine. For example, you can create and install a certificate and private key using key management utility, export the certificate and key to a PKCS12 file, then import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the OpenSSL CertTool utility.
The text above is a verbatim copy from IBM Eclipse Help.