I have a certificate from GoDaddy, which I've previously used for an IIS hosted website. I've now converted the site over to an OWIN self-hosted WebAPI project and would like to use the same certificate for the new site on a brand new machine.
Do I need to install IIS just to import the certificate or is there a way to import it directly into the certificate store like you can with self-signed certificates?
Or does this need to be handled directly in the new OWIN project somehow?
You don't need IIS to import a certificate, you use certmgr (Certificate Manager). You should be able to import the certificate directly with the Windows certificate manager and then use netsh to register it for OWIN using its thumbprint.
SignalR with Self-Signed SSL and Self-Host
Just ignore the part where they import into Root Certification Authorities, GoDaddy is already a trusted CA (although you can download the cert chain/bundle and manually import that as well).
You can create a certificate manager snap-in by running MMC (start->run->MMC), then Add-Remove Snap-ins, choose Certificates. Save to Desktop.
Figured out my problem (though, I don't know if it will help anyone else if they encounter this). Turns out GoDaddy's "Download Certificate" page only downloads certificates without the private key. I had to export the certificate previously imported by IIS, then import it into my Personal store. I assume there's a way to get the private key w/o importing into IIS, but I personally don't know what it is (maybe I just missed a step somewhere this time around).
Yes, certificate must be installed with private key for it work with OWIN. I had to go through the same pain as most(all?) CA issue certificates without private keys. However you must have received the private key before hand. You must have your certificate in .crt format. This does not include the private key in it. So you need to create a certificate of .pfx format with private key in it.
If your private key is in plain text, then create .key file with plain text in as its content.Note that your .key file should have the standard first and last lines of private key else it'll complain about invalid key.
-----BEGIN PRIVATE KEY-----
<key-content>
-----END PRIVATE KEY-----
Now create a .pfx certificate using OpenSSL tool.
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt
To import this certificate just double click on .pfx file. In the import wizard choose 'Local Computer - Personal' as certificate store. After successful import you'd also notice a small (lock)key icon appearing on top of installed certificate icon.
Assuming you have bounded the server port with your OWIN application using netsh http add sslcert, it should start working!
Related
I have a working local website which I enabled via IIS Manager on Windows 10 Home. Now I want to serve my website via HTTPS instead of HTTP. I have created and added self-signed SSL cert using OpenSSL and MMC (following this blog). However, when I tried to add the HTTPS binding to my website using the IIS Manager, there is NO cert displayed for me to add for the binding. See screen shot. Can someone suggest what I might be missing? How do I bind the key/cert to my local website under Windows 10?
It looks like you forgot to import .pfx file to your IIS server certificate.
Please go to IIS manager->server side->server certificates.
Then click import.. button to upload your certificate.
After uploading the certificate, you should be able to select your certificate in IIS binding.
OK, so it turns out the self-signed cert in the procedure is in the .cer/.pem format, whereas Windows IIS expects a .pfx. The confusion part is the fact the tutorial also demonstrates using Windows MMC and IIS, and that MMC "accepts" the .cer when I did the certificate import.
Bottomline: I need to package my .key and .cer files into a .pfx file using the following command before importing the cert into my Personal store:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt
During cert import using MMC, I did need to change the file extension using the dropdown list. Now this cert would show up when I add the website binding via IIS Manager.
I would like to import an SSL certificate on an Microsoft Azure Website.
I generated the .csr request file using the windows command "certreq" direclty on mylaptop (not on the server).
I retrieved an CER certificate using this .csr file.
But know I'm blocked, the Azure websites page wants a .pfx file and refuse the .cer file.
I tried to use www.sslshopper.com to transform my .cer certificate into a .pfx file but it needs the private key...
So Here are my questions :
* Can I transform a .cer to .pfx without a the private key ?
* how can I get the private key used by the certreq command of my laptop ?
Thanks !
As I known, certreq would store your private keys in your certificate store when it generates CSRs. And you need to finish the certificate request on the same computer where you generated the CSR request. There is issue about finding the private key after using certreq for CSR generation.
Based on your description, you could follow this tutorial to import your signed certificate into the windows local computer certificate store by using certreq, then click "Start > Run", type certmgr.msc to manage computer certificates, right click the certificate root node and choose "Find Certificates" to find your certificate as follows:
Click export your certificate, choose the option "export the private key", then export your certificate to .pfx file. Also, you could leverage DigiCertUtil to export your certificates.
Additionally, for more flexibility over your private key than certreq, you could use OpenSSL command line tool to generate your private keys and your certificate signing request instead of certreq. Also, for a simple way, you could use this GUI tool startcomtool to generate your CSR and export the certificates.
You need to associate private key with issued certificate. Depending on context used in certreq (current user or local machine context) run appropriate command:
certreq -user -accept path\certfile.cer
Or
certreq -accept path\certfile.cer
I need to set up SSL for my Netty server for which I am planning to use a self signed certificate. I wanted to know what are the steps involved in doing so ?
Use openssl to get a .key & .csr file.
Do I need to convert the .csr file into pem ?
How do I import the the certificate in the keystore? Is that cacerts on a linux machine?
Do I also need to import the keys into the keystore?
This tutorial shows the steps for using a certificate signed by StartSSL:
http://blog.hintcafe.com/post/33709433256/https-server-in-java-using-netty-and-keystore
I think the steps can be modified for using your self-signed certificate (or you could sign it for free using StartSSL.
We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12
I am trying to create an https endpoint for my azure service. I was given an p7b file that I converted into a cer file. From the cer I was able to convert with a few lines of c# to a pfx.
var cert = new X509Certificate2(#"certpath", "
var bytes = cert.Export(X509ContentType.Pfx, "password");
File.WriteAllBytes(#"certpath\cert.pfx", bytes);
Now when I upload the cert to azure everything seems ok, I copy the thumbprint and try to upgrade with the new thumbprint as part of the end point and I get an error in azure.
Certificate with thumbprint 3FA490D1D4957942CD2ED545F6E823D0008796EA2 associated with HTTPS input endpoint "endpointName" does not contain private key.
How did you convert the .p7b to a .cer? You're problem is that cer files don't contain the private key information, so when you exported it as a pfx, it doesn't have the information that it needs to work with SSL.
The easiest way to convert to a pfx is probably to import the certificate onto your local machine (using certmgr.msc), then export it making sure you select the "Yes, export the private key" option.
EDIT: After doing some more research after GregS' comment, the problem is still the same, you're pfx doesn't have the private key it needs to work with SSL, but the cause is actually that the .p7b file doesn't have a private key to begin with. You need to use a different certificate. There is already a question related to this on server fault.
I had the same problem trying to generate .pfx for Azure. The p7b certificate was generated by Thawte. After some research I was able to make it work.
Generate CSR (certificate request) from IIS. It could be your local IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9171
Generate the certificate based on the CSR. The CA takes care of this. If you are generating a self-signed certificate you also could do that from ISS. This is important because when you import it (step 3) IIS will verify that the certificate was generated there.
Import the certificate to your local IIS. It must be a .cer file. Just open your p7b file and you will see the certificate chain in there. Export your domain certificate to a .cer file. Then you can use it to import it to IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10664
Export the certificate to .pfx from IIS. At this point the certificate contains an appropriate private key added by IIS. When you export it, IIS will ask you for a password.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10034
I had exactly the same problem as you once and here is the story of that:
Windows Azure, SSL, Self-Signed Certificate and Annoying HTTPS Input Endpoint Does Not Contain Private Key Error
Getting pfx file from SSL certificate from godaddy. Details here in case it helps.