I am trying to create an https endpoint for my azure service. I was given an p7b file that I converted into a cer file. From the cer I was able to convert with a few lines of c# to a pfx.
var cert = new X509Certificate2(#"certpath", "
var bytes = cert.Export(X509ContentType.Pfx, "password");
File.WriteAllBytes(#"certpath\cert.pfx", bytes);
Now when I upload the cert to azure everything seems ok, I copy the thumbprint and try to upgrade with the new thumbprint as part of the end point and I get an error in azure.
Certificate with thumbprint 3FA490D1D4957942CD2ED545F6E823D0008796EA2 associated with HTTPS input endpoint "endpointName" does not contain private key.
How did you convert the .p7b to a .cer? You're problem is that cer files don't contain the private key information, so when you exported it as a pfx, it doesn't have the information that it needs to work with SSL.
The easiest way to convert to a pfx is probably to import the certificate onto your local machine (using certmgr.msc), then export it making sure you select the "Yes, export the private key" option.
EDIT: After doing some more research after GregS' comment, the problem is still the same, you're pfx doesn't have the private key it needs to work with SSL, but the cause is actually that the .p7b file doesn't have a private key to begin with. You need to use a different certificate. There is already a question related to this on server fault.
I had the same problem trying to generate .pfx for Azure. The p7b certificate was generated by Thawte. After some research I was able to make it work.
Generate CSR (certificate request) from IIS. It could be your local IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9171
Generate the certificate based on the CSR. The CA takes care of this. If you are generating a self-signed certificate you also could do that from ISS. This is important because when you import it (step 3) IIS will verify that the certificate was generated there.
Import the certificate to your local IIS. It must be a .cer file. Just open your p7b file and you will see the certificate chain in there. Export your domain certificate to a .cer file. Then you can use it to import it to IIS.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10664
Export the certificate to .pfx from IIS. At this point the certificate contains an appropriate private key added by IIS. When you export it, IIS will ask you for a password.
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO10034
I had exactly the same problem as you once and here is the story of that:
Windows Azure, SSL, Self-Signed Certificate and Annoying HTTPS Input Endpoint Does Not Contain Private Key Error
Getting pfx file from SSL certificate from godaddy. Details here in case it helps.
Related
I have a VPS with Apache2.
I have installed SSL before in my websites, but always form freeSSL or ZeroSSL, they give me 3 files:
Private.key
ca_bundle.crt
certificate.crt
I replace them for the old ones and all is peachy (I configured it once and just replace the files on reactivation).
Now I have issued a year long SSL service from Comodo SSL, and they send me a mail with this information:
"Thank you for placing your order. We are pleased to announce that your PositiveSSL Certificate for * has been issued.
Attached to this email you should find a .zip file containing:
Root CA Certificate - AAACertificateServices.crt
Intermediate CA Certificate - USERTrustRSAAAACA.crt
Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - ***.crt
You can also find your PositiveSSL Certificate for ** in text format at the bottom of this email."
And I really have no Idea what to do... I tried Google but can't find any guide, they talk about CSR or other things and I just want to install this and forget about it for a year like I did before for 90 days...
Please help me, I need to have SSL running for my Magento 2 installation to work.
To use a certificate you need the certificate file itself (.crt) AND the key file (.key) ( Extensions may vary but, as you know, on linux it doesn't matter): if you're missing one of these, you're pretty much screwed.
To get a certificate, the following steps are necessary:
a key file needs to be generated
from the key file a CSR is generated
the CSR is signed by a CA (for you it's Comodo) and the result is the certificate file
The key file and the csr can be generate by you (who are requesting the new certificate) or (in this case) by Comodo during the procedure you followed. According to what you wrote, probably, during the procedure you've been asked to provide a key or let them generate one and you picked the 2nd option.
I've never used Comodo so I don't know how their interface works but IMHO you have 2 options: login with your account and look for an area where you can download the certificate and check for the possibility to download the key too OR contact them and ask for support to download the key file.
There is no way to use the certificate file without a key file.
I generated the certificate using an option of my webhosting service (Hostinger) to buy a comodo SSL certificate, as I said the email of Comodo didn't give me the key file BUT, after some hours the comodo ssl service started showing on my webhosting control center and going through some menus I reached a button called "download SSL", that downloaded a ZIP with the same files PLUS the key file. This was very random and nowhere stated, and I found it by coincidence but is solved. Thanks. The other option was to reach Comodo or Hostinger for help.
I would like to import an SSL certificate on an Microsoft Azure Website.
I generated the .csr request file using the windows command "certreq" direclty on mylaptop (not on the server).
I retrieved an CER certificate using this .csr file.
But know I'm blocked, the Azure websites page wants a .pfx file and refuse the .cer file.
I tried to use www.sslshopper.com to transform my .cer certificate into a .pfx file but it needs the private key...
So Here are my questions :
* Can I transform a .cer to .pfx without a the private key ?
* how can I get the private key used by the certreq command of my laptop ?
Thanks !
As I known, certreq would store your private keys in your certificate store when it generates CSRs. And you need to finish the certificate request on the same computer where you generated the CSR request. There is issue about finding the private key after using certreq for CSR generation.
Based on your description, you could follow this tutorial to import your signed certificate into the windows local computer certificate store by using certreq, then click "Start > Run", type certmgr.msc to manage computer certificates, right click the certificate root node and choose "Find Certificates" to find your certificate as follows:
Click export your certificate, choose the option "export the private key", then export your certificate to .pfx file. Also, you could leverage DigiCertUtil to export your certificates.
Additionally, for more flexibility over your private key than certreq, you could use OpenSSL command line tool to generate your private keys and your certificate signing request instead of certreq. Also, for a simple way, you could use this GUI tool startcomtool to generate your CSR and export the certificates.
You need to associate private key with issued certificate. Depending on context used in certreq (current user or local machine context) run appropriate command:
certreq -user -accept path\certfile.cer
Or
certreq -accept path\certfile.cer
I have a certificate from GoDaddy, which I've previously used for an IIS hosted website. I've now converted the site over to an OWIN self-hosted WebAPI project and would like to use the same certificate for the new site on a brand new machine.
Do I need to install IIS just to import the certificate or is there a way to import it directly into the certificate store like you can with self-signed certificates?
Or does this need to be handled directly in the new OWIN project somehow?
You don't need IIS to import a certificate, you use certmgr (Certificate Manager). You should be able to import the certificate directly with the Windows certificate manager and then use netsh to register it for OWIN using its thumbprint.
SignalR with Self-Signed SSL and Self-Host
Just ignore the part where they import into Root Certification Authorities, GoDaddy is already a trusted CA (although you can download the cert chain/bundle and manually import that as well).
You can create a certificate manager snap-in by running MMC (start->run->MMC), then Add-Remove Snap-ins, choose Certificates. Save to Desktop.
Figured out my problem (though, I don't know if it will help anyone else if they encounter this). Turns out GoDaddy's "Download Certificate" page only downloads certificates without the private key. I had to export the certificate previously imported by IIS, then import it into my Personal store. I assume there's a way to get the private key w/o importing into IIS, but I personally don't know what it is (maybe I just missed a step somewhere this time around).
Yes, certificate must be installed with private key for it work with OWIN. I had to go through the same pain as most(all?) CA issue certificates without private keys. However you must have received the private key before hand. You must have your certificate in .crt format. This does not include the private key in it. So you need to create a certificate of .pfx format with private key in it.
If your private key is in plain text, then create .key file with plain text in as its content.Note that your .key file should have the standard first and last lines of private key else it'll complain about invalid key.
-----BEGIN PRIVATE KEY-----
<key-content>
-----END PRIVATE KEY-----
Now create a .pfx certificate using OpenSSL tool.
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt
To import this certificate just double click on .pfx file. In the import wizard choose 'Local Computer - Personal' as certificate store. After successful import you'd also notice a small (lock)key icon appearing on top of installed certificate icon.
Assuming you have bounded the server port with your OWIN application using netsh http add sslcert, it should start working!
I am trying to move a website into Azure (Azure Website). I have everything moved, except the ssl isn't working. The error that comes up says
You attempted to reach [subdomain].[domain].com, but instead you actually reached a server identifying itself as *.azurewebsites.net ...
I think it may have something to do with my certificate. The cert is a UCC cert (multiple SAN) through GoDaddy. I did not rekey the cert when I moved the site from the old server to the Azure Website. The old server was managed using Parallels. Here is what I did to move the cert:
I logged into Parallels on the old server. I opened the SSL screen, where I could see the 4 parts of the cert (csr, private key, certificate, CA certificate). I copied the text for each of those (including the ---Begin Certificate--- and ---End Certificate--- lines. EDIT: the private key began with ---Begin RSA Private Key--- and ended with ---End RSA Private key), and I pasted the data to create 4 .txt files. I then renamed the txt files so that I had 4 files named CAcertificate.cer, certificate.cer, privateKey.pem, and cert.cer. They were all saved in the c:\ directory (root).
I then pulled up OpenSSL and ran the following command:
pkcs12 -export -in c:\certificate.cer -inkey c:\privateKey.pem -out c:\certificate.pfx -certfile c:\CAcertificate.cer
I entered a password twice, and out popped a certificate.pfx file.
I uploaded that file to my Azure Website. The UCC Cert applies to 4 subdomains. I have my Azure Website set up with only one of those subdomains as a domain name. After uploading the file, I went to SSL Binding, and chose that subdomain, matched it with the cert I just uploaded, and chose "SNI SSL." I saved it, and all looked good.
Unfortunately, when I browse to the subdomain, I get the error I listed at the beginning.
I have a CName set up to forward from that subdomain to the Azure Website. I also have an A record set up to point from that subdomain to the IP Address of the Azure Website. The site is pulling up as I would expect, except for the ssl certificate error.
Did I generate the .pfx file incorrectly? Is there something I need to change in Azure or my domain registrar? I noticed that I could download a .pem file from the parallels panel. It contained all 4 parts of the cert in one file. I didn't know what I could do with that.
A missing root or intermediate certification authority can cause this behavior as documented in this article (written by a Microsoft MVP).
This answer shows how to export the full certificate chain including the private key using OpenSSL for Windows.
If the certificate is already installed in your local Windows machine you can follow this guide and be sure to select
Yes, export the private key and
Include all certificates in the certification path if possible.
This will create a .pfx file containing your certificate, its private key as well as all intermediate and root CAs.
I am trying to prepare for the switch in the SSL certificate vendors.
For the the SSL validation, Our Tomcat web application uses a JKS file created from a DigiCert certificate ( *.cer files). Our company is now switching to VeriSign next week. Since they have already provided the new *.cer files, can I simply add the new cert ( using keytool) to the existing JKS so that it works for both certificates. I am trying to avoid any downtime during the switch and prepare the server beforehand?
Any helps will be much appreciated.
You must install the certificate onto the same keystore you created the CSR from as the private key resides there. Otherwise it will not work. Please reference the article below on instructions on how to import into a tomcat server:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR234&actp=search&viewlocale=en_US&searchid=1369174910074