I'm sure that this has been asked you several times, but solutions to that cases didn't work for me. So I need your help.
Consider x.root.cer is CA's certificate, x.app.cer is Application's certificate signed by CA's certificate, and x.app.private.pem is Application's private key.
I'm using following command in order to create pfx file (want to include both private key and certificate of application).
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx -certfile x.root.cer
Even though I know (can see) that 3 files are there, I'm getting the following error:
unable to load certificates
Can you please help me about this error?
Well, finally I suceeded with this command
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx
That means I shouldn't use -certfile parameter.
Related
I have a bunch of .Pem files.
One is (as far as I can tell) the CACert
mycacert.pem
the other is the certificate
mycert.pem
and finally what I am led to believe is the key file which is confusingly called the same as the certificate (but for this example I will call it something different)
key.pem
How do I form a PFX file from these?
I have tried to run the following command
openssl pkey -in C:\Temp\key.pem -out C:\Temp\my.key
however I get the following error
unable to load key 2147581984:error:0909006C:PEM routines:get_name:no
start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
If I open the file in notepad I see the following
-----BEGIN NEW CERTIFICATE REQUEST-----
many characters
-----END NEW CERTIFICATE REQUEST-----
Basically I just need to create a pfx from the files I have but I seem to need a *.key file, a *.crt file and another *.crt file for the CACert, non of which I have.
One more thing to note. The two certificate pem files contain multiple certificates in each.
The command you are looking for is:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out pkcs12.pfx -certfile cacert.pem
Where cert.pem is your certificate, key.pem is the private key, cacert.pem is the CA certificate and pkcs12.pfx is the pkcs12 file that will be created.
The command may asks for a password to decrypt the private key and will ask for a new password to encrypt the private key inside the pkcs12.
You can find the openssl pkcs12 command documentation, here.
I have a trusted certificate chain, a certificate issued by this chain and private key file for this certificate.
I want to create a P12 / PFX for this, so I can put it as client certificate in the windows store:
OpenSsl Pkcs12 -export -nokeys
-certfile mytrustedCertifcates.pem^
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
Alas, the resulting file contains all trustedCertificates. If I import the P12 in my windows certificate store, I import the complete certificate chain, although they are already in the certificate store.
I also tried options: (from OpenSsl command line utilities, also in -help)
-nocerts don't output certificates.
-clcerts only output client certificates.
Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.
BartonJs gave the answer in a comment (thank you BartonJs!):
leave out the --certfile parameter:
OpenSsl Pkcs12 -export -nokeys
-name some friendly name
-inkey myPrivateKey.Key^
-in myCertificate.crt^
-out myCertificate.P12
nokeys: leaves out the PEM password
name: the friendly name that will appear in column friendly name of the winstore
inkey and in are the input certficate with its private key
out is the name of the file to produce.
After importing it in the windstore (command: certlm.msc), It propertly says:
Issued to:
Issued by:
Expiration date
Intended purposes
Friendly name:
I know there are other similar Q/A about this but they are somewhat confusing and do not help solving my question.
I got a certificate from sslforfree: zip output contains 3 files:
ca_bundle.crt
certificate.crt
private.key
As I need to provide my maintainer with a .pfx certificate, I installed OpenSSL and tried to follow some hints on this and other forums.
The command line should be:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
OR
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -in intermediate.crt -in rootca.crt
It's not clear to me:
what does "domain.name" refers to, for even if I typed my domain's
name in creating the certificate, none of the 3 received files
contains a visible reference to it.
should I use ca_bundle.crt or certificate.crt in creating the .pfx ?
Could someone please give me a plain command line example, given above received files' names?
It came out that trying to use "ca_bundle.crt" resulted in a command line verbose error output, so I switched to "certificate.crt" and it worked just fine. Again, I have no idea what the "ca-bundle.crt" file is for, but it looked totally useless for my present needs.
Given input files the command line used was:
openssl pkcs12 -export -out xyzdomain.com.pfx -inkey private.key -in certificate.crt
and the exported .pfx was subsequently successfully installed.
The command which you have found is exactly correct I will just reframe you the code as per your file names
1) ca_bundle.crt
2) certificate.crt
3) private.key
openssl pkcs12 -export -out filename.pfx -inkey private.key -in certificate.crt -in ca_bundle.crt
As you have ca_bundle.crt you don't need to insert -in intermediate.crt -in rootca.crt commands in OpenSSL since it contains both intermediate and root
Else you can check out the alternate way here
In the second command OpenSSL pkcs12 -export -out xyzdomain.com.pfx -inkey private.key -in certificate.crt, you have not used the intermediate and root so you will get an error of intermediate missing on any SSL checker
If you get error while importing ca-bundle.crt, you need to ask your vendor to provide the correct bundle certificate file
I have .crt file and .key file and I want to use SSL for my web application. I have tried with option "Complete Certificate Request" to import certificate in IIS, but it show certificate imported and actually it is, but when I edit binding, it won't display in selection in IIS.
My certificate does not have private key, I have it separately, in a .key file.
Can you help me to fix this? Is there any way to combine key and certificate?
You need to make p12 (pfx) file from .key and .crt. You can use openssl do make it.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -name "friendlyname_for_certificate"
Then import certificate.pfx into LocalMachine\My store. It should be available in IIS.
IIS display certificate in selection if certificate has private but my certificate doesn't contain it and I have it in separate file. So I combined both using OpenSSL given below command. It creates new pfx file and we need to import it in IIS and it display that certificate in selection.
openssl pkcs12 -export -in cert.crt -inkey privatekey.key -out mycert.pfx
I am having some serious problems with regards to being able to create a p12 file to place on my windows server.
I have used two different websites to be able to help me work out what i need to do:
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
The second website i used was a comment from within the website was the following:
http://arashnorouzi.wordpress.com/2011/06/19/sending-apple-push-notifications-in-asp-net-and-c-–-part-4-apns-sharp-c-wrapper-class/
First of all i create a Certificate signing request.
I then upload this to my app ID which alows me to generate a ape_dev certificate.
I then go to my key chain and navigate to the "keys" i export the .p12 certificate that i just created.
I now have three different files
My p12 file, my development certificate and my certificate signing request.
I then open terminal and i type the following:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
This then creates a new pem certificate.
The thing i type is the following
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
It prompts for the password which i enter, i use the same password as the one when i created the certificates.
After i have done this I'm left with 2 new files both of which are PEM files.
I need to combine both of these PEM files into one p12 file for it to be able to work on my windows server.
I have tried combining it using the following line
openssl pkcs12 -export \
-in aps_developer_identity.pem \
-out aps_developer_identity.p12 \
-inkey APSCertificates.pem
This in fact works and gives me a p12 file.
I then switched back to he raywenderlich website and i typed the following:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert PushChatCert.pem -key PushChatKey.pem
It loads but i recieve the following error:
error:num=20:unable to get local issuer certificate
Please does any one know what im doing wrong im so fed up of going round in circles.
When i upload the certificate to the server and put the ad-hoc version off the application on the device im still not receiving any notifications that i am sending
Thanks in advance.
See if this answer helps Creating .pem file for APNS?
In short: openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
When you first generated your CSR, you did it with a private key. This can be opaque depending on how you did it. What I do is generate the key with openssl and then make the CSR using that key. That key is then the 'in key' when you make the p12.
Here are my steps
The first step is to generate a Certificate Signing Request. This is the same as it would be for any SSL cert. You will need a private key for this.
openssl genrsa -out aps_development.key -passout pass:foobar 2048
Then you can make the CSR using that key you just created
openssl req -new -key aps_development.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress#example.com, CN=John Doe, C=US"
From here you will go to developer.apple.com and revoke the current APN cert and make a new one. It will ask for your CSR and when its done it will give you a .cer file.
Convert the .cer file into a DER formatted .pem file (assuming aps_development.cer is the file you got in the download from the Apple developer site).
openssl x509 -in aps_development.cer -inform DER -outform PEM -out aps_development.pem
Convert the .pem to a .p12. You'll note that you are supplying the key file you made at the beginning of step 1. You will need the password you supplied there.
openssl pkcs12 -export -in aps_development.pem -inkey aps_development.key -out aps_development.p12