How To Create Pfx File From Cer Certificate

Please I need some help.  Customer has purchased an SSL cert via Network Solutions and I need to convert the crt file to pfx so it can be imported onto the remote desktop services server.  I have tried the online converter here https://www.sslshopper.com/ssl-converter.html and even using openssl for windows but I can't get it converted, I get an error on the site and another on openssl.

openssl says I need a private key file which is a file that ends in .key, I do not have a .key.  I do have the CSR file that I created which can be viewed with notepad.  Other than that the 4 files from Network Solutions are:

domainname.com.crt

NetworkSolutions_CA.crt

UTNAddTrustServer_CA.crt

AddTrustExternalCARoot.crt

What the heck do I do with those?  I don't even know if I am using the openssl parameter correctly, considering part of the param is entering a key file!

Someone please shed some light on this pain in the rear....8 hours of work on this is just too much.


17 Replies

Meganerd

The private key would have been generated at the same time as the CSR.

This site may help:
http://www.sslshopper.com/article-most-common-openssl-commands.html

* Note, edited to correct the first sentence.

ceez

Is the key the CSR file that I created via IIS where you click on Create Certificate Request and then save the file as a txt with the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- with the encrypted gibberish in the middle?  If so, I tried renaming to ssl_csr.key and it still said that it could not find a key.

I guess that my lack of knowledge on ssl terminology is not helping me out very well.

Meganerd

No, the CSR is a separate file.  The private key is literally the key to the kingdom.  You can generate a CSR from an existing private key or generate them both at the same time (at least with openssl).

I have always generated my own private key (or used a previous one) when generating a CSR.  Using a web site to create a CSR and private key means that I ultimately cannot trust that private key.

Where/how did you generate the CSR in the first place?

Crypto can be hard since there is a lot of jargon to get your head around but it is not too bad.

ceez

openssl spits out the following "unable to load private key" - where the heck is my private key!

cloudjerry

You can try installing the cert and exporting it using the Microsoft MMC certificate snap-in.

Just find a Windows PC close to you and use the MMC.

ceez

so this key is an EXTRA step that I must take?

I should follow this command:

Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

ssingh

this may or may not work...

open MMC

File-> Add/Remove Snap Ins. Add the certificate manager

import the current cert file. after importing, attempt to export the certificate as a pfx

make sure you mark the private key as exportable!

CellNetixIT

The private key originates with and corresponds to the original requesting server.  The server they requested the certificate from should have a pending certificate request.  Import the CRT to complete that request first (if you are given an option to allow the certificate to be exportable, be sure you choose that option!).

If they have already imported the certificate into that server, then you should be able to export the certificate as PFX from that server (Unless they didn't choose to allow export).

If all else fails, you can return to the SSL vendor and submit an updated certificate request using the new server you wish to import into -- though some require a grace period of a day or so before processing.

tcannelongo

Continuing what CellNetixIT said, if you created the request from IIS, you can complete it there with the .crt file without any of the complications of conversion.  Did you look at the following document for completing the request?

http://www.networksolutions.com/support/installation-of-an-ssl-on-certificate-microsoft-iis-7-x

Try just going through the wizard as suggested.  The only time I've ever had to involve openssl in something was when trying to deal with a Domino server.

They also show you how to handle the intermediate certificates in the bundle, which are the other three files you mentioned.

ceez

thank you for the guidance everyone, I am about to continue hitting the brick wall today..

in regards to the crt that everyone mentions here.....which one should I be using:

domainname.com.crt

NetworkSolutions_CA.crt

UTNAddTrustServer_CA.crt

AddTrustExternalCARoot.crt

I assume I should use the domainname.com.crt to import either using mmc or IIS.  Ignore the other 3 crt files that were provided to us.  If I use openssl I should do it also from the server itself?  I have the CSR and the 4 crt files on workstation, does it make a difference?

thanks again.

Kyle K

You need to retrieve your private key from wherever it was generated. If you don't have it or can't find it, you're SOL and will need to generate a new key & CSR and buy a new certificate from NS.

domainname.com.crt is what you pair with your private key using the MMC or OpenSSL.

The other certs are intermediate certificates in the chain which also must be present. You will need to import them into the Intermediate keystore so they can be presented along with your certificate for validation.

Follow the link tcannelongo posted, it shows exactly what to do with what you have, assuming the private key still exists.

How was the private key and CSR generated? That will help us help you locate it.
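
Added example, not from any poster in the thread: when the key and CSR were made with openssl as in the command quoted earlier, this checks that the key and the issued certificate share one public key and only then bundles key, certificate and intermediates into a PFX. The throwaway CA, file names and the PFX_PASS variable are constructed for the demo; a request created in IIS keeps its key in that server's certificate store instead of a .key file.

```shell
#!/bin/sh
# Added example. File names, subjects and PFX_PASS are constructed placeholders.

# Hash the public key inside a private key, CSR or certificate (PEM).
pubkey_fp() {  # $1 = key|csr|cert   $2 = file
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Build a PFX only when the private key belongs to the leaf certificate.
# The export password is read from the PFX_PASS environment variable.
build_pfx() {  # $1 = key  $2 = leaf cert  $3 = intermediates  $4 = output
  kf=$(pubkey_fp key "$1")  || { echo "no private key in $1" >&2; return 2; }
  cf=$(pubkey_fp cert "$2") || { echo "cannot read cert $2" >&2; return 2; }
  [ "$kf" = "$cf" ] || { echo "key and cert do not match" >&2; return 3; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout env:PFX_PASS
}

# Constructed demo files: a throwaway CA stands in for the vendor's chain.
make_demo_files() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/chain.crt" 2>/dev/null
  # Same form as the command quoted in the thread: key and CSR made together.
  openssl req -out "$1/CSR.csr" -new -newkey rsa:2048 -nodes \
    -keyout "$1/privateKey.key" -subj "/CN=rdgw.example.test" 2>/dev/null
  openssl x509 -req -in "$1/CSR.csr" -CA "$1/chain.crt" -CAkey "$1/ca.key" \
    -set_serial 1 -days 1 -out "$1/domain.crt" 2>/dev/null
}

work=$(mktemp -d) && make_demo_files "$work"
export PFX_PASS='constructed-demo-password'
# A CSR renamed to .key is still not a key: refused before any export.
build_pfx "$work/CSR.csr" "$work/domain.crt" "$work/chain.crt" \
  "$work/bad.pfx" || echo "CSR rejected as key (exit $?)"
build_pfx "$work/privateKey.key" "$work/domain.crt" "$work/chain.crt" \
  "$work/rdgw.pfx" && echo "wrote $work/rdgw.pfx"
```

Reading the password from the environment keeps it out of the process list, where a `pass:` argument would be visible to other local users.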

ceez

@Kyle, I followed the link and was able to figure out what key was what.  I successfully imported it onto IIS.  I was then able to select the cert via remote desktop services - I assume it just works after that.

I just generated the CSR by following these steps: http://www.geocerts.com/csr/iis_7

After I had the notepad (CSR) with the gibberish, logged onto network solutions, pasted the gibberish onto their page and then filled in the company information.  Then eventually received the email that the ssl was ready.  There is no word about a KEY file anywhere.

Meganerd

This is probably what you want:

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2cfeeba2-511f-47e8-913c-f196b74e6a44.mspx?mfr=true

To summarize, run the mmc, add Certificates (for Local computer if on the IIS server).

Under "Personal" is "Certificates".  In there you should see your SSL cert.  Right click on the cert -> All Tasks -> Export

Select "Yes, export the private key."

*** DO NOT CHECK THE BOX FOR "Delete the private key if the export is successful"!  This will break the SSL installed on that IIS server (you might do this if you were moving the cert to another IIS server).

Give the private key a password.

Give the filename and path of the exported file(s).

Hth,

ceez

meganerd, man if I would have found that yesterday it would have saved me so many headaches, I was able to generate the pfx file I needed and imported it via the rd gateway manager properties. even though I had already imported earlier via iis as suggested by tcannelongo's link.

but yet the rds best practice analyzer still says that the gateway must be configured with a valid ssl!  shoot me now!

Meganerd

Check the hostname.  If your cert is for serverx.domain.tld, but you are connecting to serverx.ActiveDirectory.local then the SSL check will fail (the hostname and cert do not match).

Crypto is very unforgiving and can have a bit of a steep learning curve at first.  Having said that, it should not take you very long to get up to speed.

Going forward, cryptographic literacy should be a must have IT skill.  As more services are outsourced (aka hosted services aka "the cloud"), knowing how to secure data in flight and at rest is not really optional.  Fortunately everything you need can be found for free (both in terms of cost and "openness").  Openssl can seem pretty cryptic at first, but I have it on every machine I own and use.  It is great for checking out exactly what cert is in use.

For example, need to test a mail server with ssl?

openssl s_client -connect my.mailserver.tld:465

or for IMAPS or POPS

openssl s_client -connect my.mailserver.tld:993
openssl s_client -connect my.mailserver.tld:995

To check to see what cert is installed on a web server:

openssl s_client -connect my.webserver.tld:443

Hth,

PS - Sorry for straying OT.
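
The hostname mismatch described above, as an added example that is not part of the original post: it lists which of the names clients connect to are not covered by a certificate. The certificate and file names are constructed, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. Hostnames and file names are constructed placeholders.

# Succeeds only if the certificate is valid for the name the client connects to.
cert_matches_host() {  # $1 = PEM certificate  $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Print every name in the list that the certificate does NOT cover.
uncovered_names() {  # $1 = PEM certificate, remaining args = hostnames
  cert=$1; shift
  for name in "$@"; do
    cert_matches_host "$cert" "$name" || printf '%s\n' "$name"
  done
}

# Constructed certificate issued for the public name only.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$tmp/demo.key" -out "$tmp/demo.crt" \
  -subj "/CN=serverx.domain.tld" \
  -addext "subjectAltName=DNS:serverx.domain.tld" 2>/dev/null

# For a live server, save the presented certificate first, for example:
#   openssl s_client -connect my.webserver.tld:443 </dev/null | openssl x509 -out live.crt
uncovered_names "$tmp/demo.crt" serverx.domain.tld serverx.ActiveDirectory.local
```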

Mayneminu

Sigh...this entire process of Certs is overly complex and begging for someone to revamp and make it usable by normal humans. Please, someone do for Certs what Square has done for credit card processing.

Meganerd

This is a fundamental tension, usability vs security.  If anyone tells you that they have made security and crypto easy, I would be willing to bet that they broke something along the way (in other words their solution is likely not secure).


Source: https://community.spiceworks.com/topic/367133-i-cant-convert-a-ssl-crt-to-pfx-i-need-help-with-this

Posted by: mooreforgerd.blogspot.com
