I want to use GnuTLS certtool to convert a PEM public and private key to a PKCS12 pfx bundle. I don't have openssl available to me on the target system. The equivalent command with openssl is:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
$ certtool --load-certificate certificate.pem --load-privkey certificate.pem --to-p12 --outder --outfile certificate.pfx
Related
I know how to generate a .jks file from .crt & .key file . But the ssl that I have received contains three file (.crt,.p7b ,ca bundle file). How would I generate .jks file from these file for tomcat. Thanks in advance
Try sth like this:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
I have generated pem and csr files using the below command.
openssl req -newkey rsa:2048 -keyout key.pem -out req.csr
After this, I sent csr file to the authority and got p7b certificate.
Now, I tried to convert p7b file to p12 format with the below commands.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -out certificate.p12 -inkey key.pem -in certificate.cer
However, it gives the below error.
No certificate matches private key
error in pkcs12
How can I convert p7b file into p12 file format?
I think you must call privatekey file
openssl pkcs12 -export -inkey privateKey.key -out certificate.p12 -inkey key.pem -in certificate.cer
I have a PFX that I want to convert to a CRT and Key or PEM and Key to install on an NGINX endpoint. When I import the pfx to my cert store on my windows machine it creates the certificate, the intermediate chain, and the root CA.
If I take that PFX and run the following openssl commands I and bind it to the endpoint, I don't get all the certificates in the chain:
openssl pkcs12 -in ./GoDaddy.pfx -clcerts -nokeys -out pcc.crt -nodes -nokeys
openssl pkcs12 -in ./GoDaddy.pfx -nocerts -nodes -out pcc.rsa -nodes -nokeys
Is there a switch or command I can run to convert the PFX to a crt / rsa or pem /key with all of the certificates up the chain to the root CA?
Since you want everything, you just need to reduce the number of restrictions you are asking for.
so:
openssl pkcs12 -in ./GoDaddy.pfx -out ./GoDaddy.pem
If you read the documentation you will see what you are asking for:
-nocerts
No certificates at all will be output.
-clcerts
Only output client certificates (not CA certificates).
-nokeys
No private keys will be output.
-nodes
Don't encrypt the private keys at all.
You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
# Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
# Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
# combine ca-certs and cert files
cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt
# Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key
Link:
https://gist.github.com/mediaupstream/a2694859b1afa59f26be5e8f6fd4806a
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM, by, for instance:
openssl pkcs12 -in cert_and_pvt_key.pfx -out cert_and_pvt_key.pem
then I have a PEM file with both certificate and private key, now, I want to get certificate file and private key file respectively, yes, I know cert_and_pvt_key.pem is in text format, we can copy the key part and cert part as we like, but, this is not elegant, I want something sophisticated, like openssl pkcs12, is there anything available?
You can use the -nocerts and -nokeys option to openssl pkcs12 to only output the part you need. Run openssl pkcs12 with each in turn:
openssl pkcs12 -in cert_and_pvt_key.pfx -nokeys -out cert.pem
then:
openssl pkcs12 -in cert_and_pvt_key.pfx -nocerts -out pvt_key.pem
If you haven't got access to the original PKCS#12 file, then it becomes a little more difficult. The following should work:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nokeys -out cert.pem
and:
openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nocerts -out pvt_key.pem
However, this asks for a pass-phrase when the the PKCS#12 is created and again when it attempts to split the file to certificate and keys. OpenSSL provides the -nodes verb to disable this pass-phrase, but it doesn't seem to work with -export. Therefore, it would fail in a script.
Otherwise, you're left with splitting the file with awk or similar. There are plenty of examples on this site.
I have successfully generated .p12 file but I got a message which is a follows:
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
Could anyone tell me what is this error all about?
Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:
`Invalid Public Key Security Object File
This file is invalid for use as the following: Personal Information Exchange `
Please clarify.
Thanks
Source
OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.
Create key pair :
openssl genrsa -out aps_development.key 2048
Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12
I also had exactly same issue. Below two commands worked like a charm.
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!
Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.
Key: openssl pkey -text_pub -in file.key -noout
CSR: openssl req -in file.csr -noout -text
These must match for 'openssl pkcs12' to create the export file.