I need to create a custom certificate for my dynamics portal to use implicit grant flow. I create certificate with command
certbot certonly --manual --preferred-challenge dns
I then create pfx with the openssl command
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
However I get the error when trying to upload it to the power platform admin centre
The password entered is incorrect or the encryption method used by the
certificate is not supported.
So then tried the following command to create the pfx with triple des using
openssl pkcs12 -export -descert -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:SOMEPASSWORDHERE
But am still getting the same error. As far as I can see the certificate meets requirements of:
Signed by a trusted certificate authority.
Exported as a password-protected PFX file.
Contains private key at least 2048 bits long.
Contains all intermediate certificates in the certificate chain.
Must be SHA2 enabled; SHA1 support is being removed from popular browsers.
PFX file must be encrypted with TripleDES encryption. Power Apps portals doesn't support AES-256 encryption
The only thing I can think is the pfx isn't getting encrypted with 3des but looking at the openssl documentation the -descert command should take care of that. Am I missing something here?
I have create .pem file from .cert file using the below line in openssl.exe :
OpenSSL> x509 -inform der -in C:\Certificate\Binary_Certificate_245568.cer -out C:\Certificate\Binary_Cert.pem
It worked without any issues.
Then when I try to generate the pfx file from .cert and .pem file using the following statement I get error:
OpenSSL> pkcs12 -inkey C:\Certificate\Binary_Cert.pem -in C:\Certificate\Binary_Certificate_245568.cer -export -out C:\Certificate\SGS_VS_CERT.pfx
unable to load private key
34359836736:error:08064066:object identifier routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:698:
34359836736:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:
error in pkcs12
Can anyone please advise what I am doing wrong as I need to generate .pfx file. Thanks
You can follow steps given below in order to create .pfx certificate by combining the external CA issued server(.cer), intermediate(.cer) and root(.cer) certificates into one file (.pfx) on redhat linux server using openssl tool :
A) To run below command for generating the CSR in linux using openssl tool -
[user#machine]$ openssl req -new -nodes -newkeys rsa:2048 -keyout myapp.mydomain.com.key -out myapp.mydomain.com.csr -sha256
Note : -nodes means 'NOT TO USE DES ALOGORITHM' and create multiple backup of this key file, which will be used again during certificate renewal.
B) To generate .pfx ( certificate chain sequence to be SERVER-CER --> INTERMEDIATE-CERT --> ROOT-CERT ) in linux using openssl.
SERVER-CERT myapp.mydomain.com.cer
INTERMEDIATE-CERT myintermediatecert.com.cer
ROOT-CERT myrootcert.cer
KEY FILE myapp.mydomain.com.key
STEP 1 - To combine all certificates in one pem certificate(myapp.mydomain.pem) using command 'cat' in redhat.
[user#machine]$ cat myapp.mydomain.com.cer myintermediatecert.com.cer myrootcert.cer > myapp.mydomain.com.pem (output pem cert)
STEP 2 - To convert PEM to PFX by importing the private key with password configured.
[user#machine]$ openssl pkcs12 -export -out myapp.mydomain.com.pfx -inkey myapp.mydomain.com.key -in myapp.mydomain.com.pem
Note : you will get an option to set the password to output .pfx file.
STEP 3 : To verify .pfx file using openssl by entering the password.
[user#machine]$ openssl pkcs12 -in myapp.mydomain.com.pfx -info
I'm sure that this has been asked you several times, but solutions to that cases didn't work for me. So I need your help.
Consider x.root.cer is CA's certificate, x.app.cer is Application's certificate signed by CA's certificate, and x.app.private.pem is Application's private key.
I'm using following command in order to create pfx file (want to include both private key and certificate of application).
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx -certfile x.root.cer
Even though I know (can see) that 3 files are there, I'm getting the following error:
unable to load certificates
Can you please help me about this error?
Well, finally I suceeded with this command
openssl pkcs12 -export -in x.app.cer -inkey x.app.private.pem -out x.app.pfx
That means I shouldn't use -certfile parameter.
i am trying to do push notification in my app and following this link
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
my system has been successfully connected with telnet but when i enter the query for connecting ssl certificate and private key then found a error
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
unable to load client certificate private key file
1301:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
any one can tell me what type of error and what's the solution of it?
Thanks in advance
The following command is good enough to verify the key/cert:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert push_development.pem
The key part is to select both certificate and private key when exporting the .p12 from Keychain Access (you will be asked for 3 passwords, one for the .p12, one for the cert, one for the private key).
To convert .p12 to .pem, follow the instruction from Apple:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
At first i was facing this problem too.
We have two files
1) one is aps_development.cer from apple
2) Another 1 is from the keychain access with the common name that we just created.
After that, both convert it to .pem files.
For example, cert.pem and key.pem.
After that combine this two files using below command
cat cert.pem key.pem > ck.pem
At first I openssl using below command.
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key key.pem
Which returns me the error you mentioned.
After that I try using
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key ck.pem
Then its working already. Hope this helps.
I was facing the same issue while I was generating a PEM file for Enterprise Distribution, but i figured out later that I generated a p12 file against the iPhone Distribution Certificate key though i should had generated the p12 against Apple Production iOS Push Servies key. Hope this may resolve the issue if any one had used the Distribution key.
Hello Please follow below commands.
step1
openssl pkcs12 -clcerts -nokeys -out developer_key.pem -in developer_key.p12
Note: just drag the file path on terminal...
step2
openssl pkcs12 -nocerts -out apns_key.pem -in apns_key.p12
step3
openssl pkcs12 -in developer_key.p12 -out developer_key.pem -nodes -clcerts
step4
openssl pkcs12 -in apns_key.p12 -out apns_key.pem -nodes -clcerts
step 5
cat apns_key.pem developer_ket.pem >developer.pem
DO the same step For Distribution certificates
After creating developer.pem and distribution.pem
Please verify both file in to below commands.
Step6
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert developer.pem -debug -showcerts -CAfile "Entrust.net.Certification Authority (2048).pem
A Notice is Pass Phrase must longer than 3 characters.
I have just fixed with pass Phrase is 1234 :D
How can I create a PEM file from an SSL certificate?
These are the files that I have available:
.crt
server.csr
server.key
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Thanks NCZ
Edit: As #floatingrock says
With AWS, don't forget to prepend the filename with file://. So it'll look like:
aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:
cat server.crt server.key > server.pem
Additionally, if you don't want it to ask for a passphrase, then need to run the following command:
openssl rsa -in server.key -out server.key
this is the best option to create .pem file
openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts
I was trying to go from godaddy to app engine. What did the trick was using this line:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
And I answered all the questions pertaining to common name / organization as www.name.com
Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.
I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.
Standards
Standards
Content format
File encoding
Possible content
X509
X
Certificates
PKCS#1
X
RSA keys (public/private)
PKCS#7
X
Certificates, CRLs
PKCS#8
X
Private keys, encrypted private keys
PKCS#12
X
Certificates, CRLs, private keys
JKS
X
Certificates, private keys
PEM
X
DER
X
Common combinations
Content \ Encoding
PEM (*)
DER (**)
Binary
X509
X
X
PKCS#1
X
X
PKCS#7 (***)
X
X
PKCS#8
X
X
PKCS#12 (***)
X
JKS (***)
X
This is a gist explains the same thing + commands for conversion/verification/inspection.
In conclusion, typical steps to work with cryptography/PKI materials:
Understand which format they are in (use verification/inspection commands)
Understand which format they are required (read doc)
Use conversion commands to convert the files
Optional: use verification/inspection commands to verify converted files
What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate,
enclosed between "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"
So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.
Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.
Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:
grep -A 1000 BEGIN cert.crt > cert.pem
Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.
aws iam upload-server-certificate
--server-certificate-name mycert
--certificate-body file://try2/40271b1b25236fd1.crt
--private-key file://server.key
--path /cloudfront/production/
--certificate-chain file://try2/gdig2_bundle.crt
And to delete your previous failed upload you can do
aws iam delete-server-certificate --server-certificate-name mypreviouscert
Download certificate from provisional portal by appleId,
Export certificate from Key chain and give name (Certificates.p12),
Open terminal and goto folder where you save above Certificates.p12 file,
Run below commands:
a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,
b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts
Your .pem file ready "pushcert.pem".
Open terminal.
Go to the folder where your certificate is located.
Execute below command by replacing name with your certificate.
openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts
Hope it will work!!
On Windows, you can use the certutil tool:
certutil -encode server.crt cert.pem
certutil -encode server.key key.pem
You can combine both files to one in PowerShell like this:
Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem
And in CMD like this:
copy cert.pem+key.pem cert-and-key.pem /b