How to convert .crt certificate file to .pfx - ssl-certificate

I want to install the '.crt' certificate I received from a certificate provider to my IIS 7.5 server.
I have tried many times to install the .crt file by clicking on 'certificates', and it states that it is installed correctly. So I open IIS, select "my server", open "Server Certificates" (available in the menu on the right side), click "Complete Certificate Request", select the .crt certificate on my computer and click OK. However, when I refresh IIS the certificate disappears automatically.
Our hosting provider mentions that I need to use a '.pfx' file which I do not have.

I have solved this issue by converting this .crt file into a .pfx file using the following method.
To convert .crt to .pfx, we need the CSA certificate (Private Key) provided by the hosting provider. Below are the steps to convert it:
Download and install OpenSSL from the link below, based on your system type:
https://slproweb.com/products/Win32OpenSSL.html
Run the following command at the command prompt:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OR
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt
Here:
Certificate.crt = Your-domain-Name.crt
CACert.crt = NetworkSolutions_CA.crt
certificate.pfx is the new name of generated file.
The private key can be in .key or .txt format.
After completing this process we now have the certificate.pfx file, so go to Server Certificates in IIS Manager.
There is an Import link on the right side; click it, select the converted certificate, enter the password that was set when the .pfx file was created, and complete the process.
Now select your site in IIS, right-click it, select "Edit Bindings", and in the new popup window select the type as https://, set "Host name" to your domain name, leave all other fields as they are, and click OK to complete this process.
Now restart IIS and your certificate will work with your site.

Small update to the super-useful answer above:
The OpenSSL versions have been updated, so the links no longer work. Here's the full download page from which to download any version:
https://slproweb.com/products/Win32OpenSSL.html
I used Win64OpenSSL_Light-1_1_0j.exe for my Windows 10 IIS installation. Worked perfectly.
Installed into default location C:\OpenSSL-Win64\
For sslforfree.com's cert files, here's the command line for your convenience, run from the folder containing the three files provided by sslforfree.com:
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Related

get .key file from a .p12

I need to extract the .key from the .p12 container of a certificate. I have its password and I have tried to use OpenSSL on Windows, putting the .p12 in the bin folder; I run the Windows console in administrator mode. I go to the location:
C:\Users\usuario\Desktop\openssl-1.0.2j-fips-x86_64\OpenSSL\bin
then I execute
openssl pkcs12 -in miarchivo.p12 -nocerts -out miclave.key
but it gives me the following error:
Error opening output file miclave.key
miclave.key: Permission denied
At no time has it asked me for the password or anything...
I need it to be able to install my .crt and .key certificate on my Jitsi server...
Thank you.

Problems converting a .PFX certificate to .PEM

I work with certificates and occasionally need to convert a private certificate from the .PFX extension to the .PEM extension, but I can only consume it in a web service if it is generated without a password, that is, unprotected.
If I try to generate it with a password (whether or not it is the same password as the .PFX certificate), I cannot consume it in the web service (I get the error "403 - Forbidden").
Can you tell me why this occurs?
To generate it unprotected, I use the command below (through OpenSSL):
pkcs12 -in certificate.pfx -out certificate.pem -nodes
To generate it with password, I use this one:
pkcs12 -in certificate.pfx -out certificate.pem
I cannot understand why the error occurs, since OpenSSL does not indicate a failure.
I use a Windows environment, so I use an OpenSSL tool I found on the internet.

Using SSL with IIS

I have a .crt file and a .key file and I want to use SSL for my web application. I have tried the "Complete Certificate Request" option to import the certificate in IIS, and it shows the certificate as imported (and it actually is), but when I edit the binding, it is not displayed in the selection in IIS.
My certificate does not have the private key; I have it separately, in a .key file.
Can you help me to fix this? Is there any way to combine the key and certificate?
You need to make a p12 (pfx) file from the .key and .crt. You can use openssl to make it.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -name "friendlyname_for_certificate"
Then import certificate.pfx into LocalMachine\My store. It should be available in IIS.
IIS displays a certificate in the selection if the certificate has a private key, but my certificate didn't contain it and I had it in a separate file. So I combined both using the OpenSSL command given below. It creates a new pfx file; we need to import it in IIS, and then it displays that certificate in the selection.
openssl pkcs12 -export -in cert.crt -inkey privatekey.key -out mycert.pfx

Couldn't connect to APNS Sandbox server

I am trying to connect to Apple's APNS server with the following observations:
1) port 2195 is open
2) With a valid key passphrase for APNS_SSLCertificate_Key.pem
3) Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4) With the successful telnet response as below:
$ telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net.
Escape character is '^]'.
But when I run the following openssl command on my server to test the APNS connectivity:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting the error as follows:
unable to load certificate
57013:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
So please suggest how to resolve this problem.
Thanks in advance ......
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase-protected .pem file.
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates, two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates were effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that you are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
SSL problems: step-wise fix.
Most of the problems are due to private key issues, which can be resolved as follows.
Follow these commands and create the .p12 using openssl.
You will need:
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured, installed, or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
The final p12 that you will require is the iphone_dev.p12 file, together with the passphrase that you set.
Try again; hope your problem is fixed, as it always is for me. :)
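The "no start line ... Expecting: TRUSTED CERTIFICATE" error above is OpenSSL's PEM reader failing to find a "-----BEGIN ...-----" line, which is what happens when a binary DER .cer (the Keychain default export) or a key-only file is passed as -cert or -CAfile. This added checker (not from the original posts; the sample inputs are constructed, not real certificates) classifies a file before you hand it to openssl:

```python
import base64
import re

# OpenSSL's PEM reader scans for "-----BEGIN <LABEL>-----"; for -cert/-CAfile
# it accepts the labels CERTIFICATE and TRUSTED CERTIFICATE. The regex below
# captures every PEM block (label + base64 body) in a file.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


def _is_b64(body: bytes) -> bool:
    """True if the block body is non-empty, valid base64 (whitespace ignored)."""
    stripped = b"".join(body.split())
    if not stripped:
        return False
    try:
        base64.b64decode(stripped, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify_cert_file(data: bytes) -> dict:
    """Report whether `openssl ... -cert/-CAfile` would be able to read `data`."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        bodies_ok = all(_is_b64(body) for _, body in blocks)
        readable = bodies_ok and any(l in CERT_LABELS for l in labels)
        hint = "" if readable else "PEM file has no CERTIFICATE block (key only?)"
        return {"kind": "pem", "labels": labels, "cert_readable": readable, "hint": hint}
    if data[:1] == b"\x30":
        # 0x30 is the ASN.1 SEQUENCE tag: a binary DER export. Convert it with
        # openssl x509 -inform DER -in file.cer -out file.pem (as in the answer).
        return {"kind": "der", "labels": [], "cert_readable": False,
                "hint": "DER encoded; convert with openssl x509 -inform DER"}
    return {"kind": "unknown", "labels": [], "cert_readable": False,
            "hint": "neither PEM headers nor DER; wrong or corrupted file"}


# Constructed sample inputs (not real certificates): a PEM certificate block,
# the same bytes as raw DER, and a PEM file containing only a private key.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x01")
              + b"-----END CERTIFICATE-----\n")
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_KEY_ONLY = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, data in [("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("key", SAMPLE_KEY_ONLY)]:
        print(name, classify_cert_file(data))
```

Run it on a real file with `classify_cert_file(open(path, "rb").read())`; a "der" or "key only" result explains the error before any network test is attempted.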

Client SSL authentication causing 403.7 error from IIS

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.
Installing the certificate and trying to access the restricted area in various browsers gives the following results:
IE6 - Works fine and I can retrieve the WSDL
IE7 - Prompts for the certificate but then fails with a 403.7 from the server
Firefox3 - Set to ask, but no prompt and fails with a 403.7
Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7
Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.
Strange that this works in IE6 but in no other browser, what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?
Any help would be greatly appreciated.
This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
and use the above command with "-in file.pem" only.
Also, you can import the root CA cert into your trusted certs store; here is a description of how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert, use the command above without the "-CAfile chain.pem".
OK, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" and then executed the following command:
openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12