I got certificate for domain from www.startssl.com. I downloaded a copy of this cert and saved it as .p12 file.
Then using windows console, I exported certificate including private key to .pfx file, and after that I selected option "without private key", and exported public key to .cer file (using Base-64 algorythm).
Next, I converted .pfx to .pem file using OpenSSL. Now I've got two files - public and private key, and they can be both opened by notepad.
SSL on my domain can be established only by pasting two strings - public and private key. I done it and it didn't work - there was a warning saying that privat key is wrong. So I tried to merge both keys in startssl tool "Create PKCS#12 (PFX) File" - an error again. The same when I used OpenSSL to get pfx.
Why one p.12 file can be split into - finally - two keys, but after that they can't be merged again into one file?
What did I do wrong?
I'm going mad with it.
Many thanks for any help
p12 and pfx are actually same pkcs#12 format. usually, they don't just contain a private and a public keys, but also intermediate/root certificates. you can check this links out:
https://www.sslshopper.com/ssl-converter.html
http://fusesource.com/docs/esb/4.3/cxf_security/i298613.html
Related
I was under the impression that the PEM file was just another public key as in SSH PubKeyAuthentication but I was completely wrong.
I didn't want to add the identity file in my ssh command each time, so I tried to do an ssh-copy-id into my azure vm so I can directly authenticate and log in with a simple ssh user#ip command
However, this command failed saying All keys were skipped because they already exist on the remote system. and when I checked /etc/ssh/sshd_config the PubKeyAuthentication line was commented out.
This led me to wonder, which line is enabling the IdentityFile/PEM key to be used to login?
Is it safe for me to enable PubKeyAuthentication on this public server?
Is PEM more secure?
In public key authentication, client has a private key that he uses to authenticate to server's public key.
There is no difference in security if you are using a private key (.ppk file) or a pem file to authenticate to your server.
I guess you are seeing something like this "#PubkeyAuthentication yes" in the sshd_config file, and this does not mean that it is commented out. It is a config file and this means that public key authentication has been enforced.
In short to answer your question, SSH with PEM file is no different from Public Key authentication (PKA). In PKA, you have the private key to yourself which you use to authenticate to the server's public key. With PEM file, it is nothing but the private key itself along with certificates. So, there is actually no such difference. You can convert a pem file to a .ppk file as well.
I want to download Cpanel auto-generated SSL as key.pem and cert.pem, I don't find any download link in Cpanel, Any suggestion?
I have tried copying the certificate text in a text file and using it, but didn't work.
I have found the solution here:
How to get .pem file from .key and .crt files?
Summary: Cpanel offers to read the certificate and its key as a text in binary and in ascii formats.
Just copy the ASCII format ( starts with --begin ) and paste it in a text file, name this file as cert.pem, and you are done.
Same goes for the key.
It worked fine for me.
So I am trying to make my IIS8 webserver https, yet I can't seem to get it to work.
I have tried almost anything... but nothing seems to work.
DON'T WORRY THE FILES BELOW ARE FAKE!
PICTURE 1 KEY
PICTURE 2 PEM
First of all, what do I need to do with these 2? It says to save them as .key and .pem files, so I thought they mend: put the private key in a text file and save it as .key and same for the certificate and save it as .pem.
I tried to convert them to .pfx because that is what I need, right?
First I tried using openssl, but I saw a nice site, so I started using that instead: https://www.sslshopper.com/ssl-converter.html. That gave me an error at first, but then I saw cloudflare also had something called DER:
Which gave me an .CRT file if I downloaded it, so now I had a .PEM, a .KEY and an .CRT file, I went back to the website and used the .CRT file and the .KEY file, and put in a password!
Now I've gotten my .PFX file, which I wanted! I installed it on my windows server, but got this:
Why is it not verified?!
What files do I need to verify this?
Am I saving the files correct?
Within IIS you'll need to create a Certificate Signing Request (CSR) and export it.
In the Crypto app, scroll down to the Origin Certificates card and click 'Create Certificate'. Select 'I have my own private key and CSR', add the hostnames you'd like to be covered by the certificate. Once you've completed all the steps in the Wizard you can go back to IIS and click " Complete Certificate Request".
A step-by-step breakdown of these instructions is available on the Cloudflare Knowledge Base: Managing Cloudflare Origin CA certificates
Additionally, you'll need to install the Origin CA root certificates for CloudFlare on the server outline in Step 4 of the KB tutorial. This is fix the warning message:
Windows does not have enough information to verify this certificate.
There are two locations which these certificates may be installed: Current User or Local Machine.
To target the Current User open the certmgr.msc program, otherwise open certlm.msc
Expand 'Trusted Root Certification Authorities'
Right-click 'Certificates'
Select 'Import...' from the 'All Tasks' menu
Import both the ECC and RSA .pem files
How do you transfer a Godaddy SSL certificate to the Google Cloud Platform?
I am trying to setup an HTTPS load balancer on Google Cloud. I have an SSL certificate from Godaddy, but I'm not sure how to input it into Google Cloud. Google has a form to enter a public key, a certificate chain, and a private key all in .pem format (see screenshot below). Godaddy provides me with three files: (1) a file called #####.crt, (2) a file called gd_bundle-g2-g1.crt, and (3) an RSA private key.
I've seen other SO questions on converting .crt to .pem, but I'm not sure what what to do with the .pem files when I have them or which of these three files go into which box in the GCE console below.
This happened to me, good to know I'm not alone!
Plain and simple answer: Godaddy will give you a certificate file and a bundle file. They all come already on PEM format (as long as it says BEGIN CERTIFICATE you know it's PEM).
Copy and paste the contents of the #####.crt file on the "Public key certificate" field, it should display the correct information on the right side of the field.
Copy and paste the contents of the certificate bundle on the "Certificate chain". This file usually has 3 certificates on it.
Finally, copy and paste the contents of your private key on the last field.
Double check that your certificate is working correctly on both desktop and mobile. If it works on desktop but not mobile try again, it means you made a mistake filling the "Certificate chain" field.
Hope this helps!
AFAIK you dont need to convert the file to PEM, quite sure it is already a PEM file, to be sure do file gd_bundle-g2-g1.crt or file #####.crt the output should be something like PEM certificate, you copy you private key into the "Private Key", you take .crt file and copy to the "Public key Certificate" once you do this some information will appear on the right side of these box, in my case, I copied the same .crt file on the "Certificate Chain".
We are migrating from Thales 8000 to Thales Payshield 9000. We generated an RSA Key Pair in 8000 (with EI - Generate a Public/Private Key Pair command). We stored the public key on the host and loaded the private key to the HSM's tamper-protected memory (with EK - Load a Private Key command).
The problem is we didn't keep the private key and we don't want to create a new key pair because we have to start a new certification process with the vendor if we do this. Is there a solution like storing this key on a smartcard and moving to the new version like LMK.
I read the Thales console - command reference and programmers manual but wasn't able to find a solution.
The private key that is returned from a Thales HSM keypair generation command (this is command EI on the Payshield 9000 that I have access to) is encrypted under LMK keypair 34-35. You will never see this in the clear i.e unencrypted form.
The only way you could extract this from the HSM would be if you knew that LMK keypair; you could then use this to decrypt it. This is often possible in a test environment where a set of known test LMK keypairs are sometimes used.
In a production environment, however, doing this would obviously compromise the security of the entire HSM and any system dependent upon it.
In your situation, you really have little option but to generate a new keypair and then store the encrypted private key bytes.
The problem, however, with only ever having the private key encrypted under this LMK key pair is that you need to use the HSM to sign a CSR, instead of an established tool like openssl.
I did this by using the EI command (generate an RSA keypair) to generate a keypair, storing the raw encrypted private key bytes returned in a file, constructing an unsigned CSR structure, sending that to the HSM with the private key bytes under command EW (Generate a signature), and then appending the signature to my CSR structure.
If you did not save the output (key block) of the EI command, then the chances of getting that key out of there are practically non-existant. Sorry!
Yes, on two conditions only you can Export an RSA Private Key from payshield 9000 HSM to another payshield 9000 HSM:
1st condition: by purchasing certain license which is HSM9-LIC016 and using the host command L8 which is used to export an RSA Private Key under ZMK. Please refer to
"1270A548-037 Card & Mobile Issuance LIC011,016" manual to see detailed steps of host command L8
2nd condition:You should have recorded the Private Key in a secure manner, which you firstly generated it by EI host command, it is generated encrypted under the old LMK, so you can document it securely for future usage like your critical situation you face now.
The Host command L8 function supports the export of an RSA Private Key from encryption under the LMK to encryption under a Zone Master Key.
The following security settings must be configured by console command CS to allow use of this command:
1- 'Enable import / export of RSA Private Keys?' MUST be set to 'YES' (defaults to NO).
2- 'Key export and import in trusted format only?' MUST be set to 'NO' (defaults to YES)
On the other HSM2:
Import an RSA Private Key using the Host command L6
Although, I can send you the steps in deep details if you want.
Refer to manual:
1270A548-037 Card & Mobile Issuance LIC011,016,018,023 v3.4 Release:October 2018