I have a JKS keystore in client application and I have been given one PEM file containing both private key and certificate to use for SOAP signature. PEM file looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
First question is how to import correctly this PEM to JKS?
Second question: given private key isn't password protected, it's possible to add a password to it before importing it to JKS keystore?
Thanks!
If you prefer a GUI solution I would take Portecle. This simple key store management tool allows to create a JKS and then import cert and private key.
I am not sure if you can import cert and key from the same combined PEM file as you have it but may be the command "Import Key pair" of Portecle works with such a file.
If not you can simply split the PEM file directly after the -----END RSA PRIVATE KEY----- line into two PEM files and import them separately.
After importing, when you save the JKS Portecle will ask you for a password.
Related
I want to create a website in my IIS server, (website already has ssl certificate).
So i created a site, I have the certificate details which contains certificate, private key , CA certificate (all in one text file).
I havent created a csr request for this, But i need to install this certififcate in my system.
When i followed the steps in complete cerififcate request, first it got added, but when i refresh and came back it was gone.
Please help me how to install certififcate from other server, without creating csr request.?
i have:
1)Certificate:
2)Private key (.key)
3)CA certificate (-ca.crt)
in the text file.
You can do this with just built-in tool certutil.exe which is shipped with every Windows installation.
make sure SSL certificate file and private key file are stored in the same folder and have same name: mycert.cer and mycert.key, for example. Certificate will have .cer file extension, key file will have .key file extension.
run the following command: certutil -mergepfx path\mycert.cer path\mycert.pfx
this command will merge SSL certificate and private key into PFX container. Enter password when prompted.
You need to convert the text file into *.pfx file so that you can import it on IIS
Open the .key via notepad copy the content and save it in a new notepad say abc.txt
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJl/Dwe2tzd5Z6
L4fWpUDVP6FDE9Tc0ViHlICsopxPumysltLwuLFCsc9gCOOURc6n0ej2XQoBJeuetqTIRZQ3VOlHqcmxdBTaAxw5iQ==
-----END PRIVATE KEY-----
Now open the certificate via notepad copy the content and paste it in the same abc.txt notepad
-----BEGIN CERTIFICATE-----
MIIG5jCCBc6gAwIBAgIQUERflom9AJ4ssjDKLPM3SDANBgkqhkiG9w0BAQsFADBB
bS9jcHMwLwYIKwYBBQUHAgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBv
SzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdGouc3ltY2QuY29tMCYGCCsGAQUFBzAC
B7MDaIXp7iniBRfFT3MOMm2Bs3Mju2Hwfhrgg7sf96iQzZkzAU6Mxdux
-----END CERTIFICATE-----
Open the -ca.crt via notepad copy the content and paste it in the same abc.txt file (this file will contain intermediate and root certificates)
-----BEGIN CERTIFICATE-----
MIIG5jCCBc6gAwIBAgIQUERflom9AJ4ssjDKLPM3SDANBgkqhkiG9w0BAQsFADBB
bS9jcHMwLwYIKwYBBQUHAgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBv
SzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdGouc3ltY2QuY29tMCYGCCsGAQUFBzAC
B7MDaIXp7iniBRfFT3MOMm2Bs3Mju2Hwfhrgg7sf96iQzZkzAU6Mxdux
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----
At the end, your abc.txt file will have something like this
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJl/Dwe2tzd5Z6
L4fWpUDVP6FDE9Tc0ViHlICsopxPumysltLwuLFCsc9gCOOURc6n0ej2XQoBJeue
tqTIRZQ3VOlHqcmxdBTaAxw5iQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIG5jCCBc6gAwIBAgIQUERflom9AJ4ssjDKLPM3SDANBgkqhkiG9w0BAQsFADBB
bS9jcHMwLwYIKwYBBQUHAgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBv
SzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdGouc3ltY2QuY29tMCYGCCsGAQUFBzAC
B7MDaIXp7iniBRfFT3MOMm2Bs3Mju2Hwfhrgg7sf96iQzZkzAU6Mxdux
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIG5jCCBc6gAwIBAgIQUERflom9AJ4ssjDKLPM3SDANBgkqhkiG9w0BAQsFADBB
bS9jcHMwLwYIKwYBBQUHAgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBv
SzBJMB8GCCsGAQUFBzABhhNodHRwOi8vdGouc3ltY2QuY29tMCYGCCsGAQUFBzAC
B7MDaIXp7iniBRfFT3MOMm2Bs3Mju2Hwfhrgg7sf96iQzZkzAU6Mxdux
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----
Download OpenSSL from here
Ones installed copy the abc.txt and paste it in the bin path of OpenSSL (e.g. C:\OpenSSL\bin)
Open the CMD, change directory to the bin folder of OpenSSL and paste the below command in CMD
openssl pkcs12 -export -in abc.txt -out xyz.pfx
give any password
You can use the xyz.pfx to import on IIS by using the same set of password
I'm having .crt and .pem file with
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
and I want RSA key from this file.
anyone is having any idea that how we can do that.
I have used below command one by one
openssl rsa -in XXX.crt -out input1.der -outform DER
openssl rsa -in input1.der -inform DER -out key.pem -outform PEM
But, It gives error:
unable to load Private Key 140331982231200:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY
PRIVATE KEY
and I have also used different command but it give above error.
-----BEGIN CERTIFICATE-----
MIIFSDCCBDCg........................................
-----END CERTIFICATE-----
This is a certificate in pem format which is a wrapper over public key. A Certificate is supposed to be public and can be distributed, but private key (as the name suggest) is supposed to be kept secret. So a certificate can never contain a private key.
You mentioned, you have a ´.pem´ file too. What is it's content? Does it start with -----BEGIN RSA PRIVATE KEY-----. If yes, it would be your private key.
The command you are trying:
openssl rsa
It expects a private key in input, but you are supplying it a certificate. Hence the error.
You can't get a private key from a certificate, because the private key isn't in the certificate, and you can't get it from a PEM file unless the PEM file contains it, which ain't necessarily so,
According to the answer to this server-fault question almost all certificate file formats can contain private key alongside public key, as such how can I identify whether a certificate contains private key?
This is important because I do not want to unknowingly send the private key to the remote client.
Following the structure of the link:
.csr. Only public keys in pem or der format
.pem. keys and/or certificates. Look for -----BEGIN PRIVATE KEY---- or -----BEGIN RSA PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----
.key keys in pem format
.pkcs12 .pfx .p12 keys and/or certificates. List keys with openssl pkcs12 -info -nocerts -in keystore.p12
.jks keys and/or certificates. Java specific format.
.der pem content without base64 encoding. Look for KEY in openssl x509 -inform DER -in cert.der
.cert .cer .crt keys and/or certificates. Content can be pem or der
.p7b. Only certificates
.crl. No keys
I am working on CentOS 7. I have three blocks in text :
CSR:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Public key:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Private key:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Also, I have archieve with:
mydomain.crt
mydomain.ca-bundle
and
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
As I understand I need to convert CSR,Private Key, Public Key to right format files ?
Than, add :
CSR and Private Key to /etc/nginx.conf
And set it via .conf by names ?
But could anyone help me convert CSR,Private Key and Public Key to right formats ?
Thank you !
You can discard the CSR or keep it for your reference. A CSR (Certificate Signing Request) is a document asking for a certificate, you already have the certificate, so the request is now only of historical interest.
You should put the private key text, including that header and footer, but no blank lines, into a file, let's call that privkey.pem. The private key is very important, you web server software needs to be able to read it in order to function, but nobody else should ever see this file and you should not keep copies of it where they may be stolen.
You also need the mydomain.crt file, and the mydomain.ca-bundle, you should concatenate them together, you can do this (carefully) with a text editor and save the result as fullchain.pem, or if you're comfortable on a Unix command line you can write
cat mydomain.crt mydomain.ca-bundle > fullchain.pem
In your nginx.conf you should find or create a server block, and set parameters as follows, but with the correct full path names.
ssl_certificate /full/path/to/fullchain.pem
ssl_certificate_key /full/path/to/privkey.pem
I have been given a x.509 certifcate and a private key.
The certificate looks like:
-----BEGIN CERTIFICATE-----
MIICdzCCAeCgAwIBAgIGAOH4vsPYMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNVBAYT
AlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMQwwCgYDVQQLEwNBV1MxITAfBgNVBAMT
GEFXUyBMaW1pdGVkLUFzc3VyYW5jZSBDQTAeFw0wODEwMzExMjQyNDBaFw0wOTEw
MzExMjQyNDBaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpBbWF6b24uY29tMRcw
LOTS OF LETTERS
SO MANY LETTERS
r8AmrDQ9VfrocQIDAQABo1cwVTAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww
K9gtkPlKRDCaBDQ2xukycq4bv+EhEQPzPY+VeWGYzizl91K8knpI3VLLiJD0CNkb
UvSoj/wZv0zWf13oMgMyUbrFygpHVmA2uYwi6kFKXy/D2vGXUsrEgFqP6xFvgUA3
JDIblstGT383+IY=
-----END CERTIFICATE-----
and the private key looks like
-----BEGIN PRIVATE KEY-----
Lots of letters here as well
-----END PRIVATE KEY-----
I believe I need this certificate because I must use a plugin called Elastic Fox in order to properly connect to our AWS account. I am confused on how to add this certificate to firefox / how to use the certificate and private key.
I attempted to save both the certificate and private key in one .pem file and import that to FF via: Edit > Preferences > Advanced > View Certificates > Your Certificates > Import, but I was told to enter some password that I do not know/have:
I attempted to save just the private key portion as a .key file in ~/.ssh/id_rsa , but that did not work.
Can someone ELI5 to me how to add this certificate properly and what to do with the private key? Ubuntu 12.04