
convert p7b to pfx for Azure

I am trying to set up endpoints for Azure.

I was given a .p7b file but I need a .pfx file with private key for Azure.

Is there a way to convert my .p7b to .pfx?

dtucker1914 asked Jul 15 '11 14:07


People also ask

How do I create a PFX file in Azure?

In the Azure portal, from the left menu, select App Services > <app-name>. On your app's navigation menu, select TLS/SSL settings. On the pane that opens, select Private Key Certificates (.pfx) > Create App Service Managed Certificate.

Does P7B have private key?

A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.


1 Answer

Ok, here is a rundown on the whole Azure SSL certificate rigmarole. I've done this with GoDaddy (and more than a bit of help from one of their knowledgeable tech support guys). Also note that I've done this on Windows 8 Pro; your experience might be slightly different and/or your mileage may vary ;-)

Pay your money to a CA (Certificate Authority) to buy an SSL certificate.

Create CSR (Certificate Signing Request)

Now you need to create a CSR, which is text that you must supply to the CA in order for them to create your certificate. The CSR contains a couple of pieces of information:

  1. The name of the domain associated with the certificate.
  2. A public key to associate with the certificate. Note that the CSR that you give to the CA does NOT contain the associated private key.

You create the CSR locally on your PC using IIS Manager. Note: IIS is included with Windows, but is not installed by default. [I'll leave the details of installing IIS as an exercise for the student. Maybe some kind person will edit this answer and fill in those details.]

EDIT: rather than installing IIS on your local machine, you can RDP into the cloud service in Azure (very easy to do) and use IIS on that machine to create the CSR and Complete the Signing Request. If you do this, be sure to do this entire process in one sitting. If you generate the CSR and then wait to complete the request till sometime later, the cloud service may not be on the same machine and you won't have the "Export" option in IIS.

To create a CSR:

  1. Run IIS Manager
  2. Select (double-click) Server Certificates
  3. In the Actions pane on the right side of the window, click on Create Certificate Request. Common Name is the domain name associated with the certificate. The rest of the fields identify your company.
  4. IIS Manager will ask for the Cryptographic Service Provider and Bit Length. You must select a bit length of at least 2048.
  5. IIS Manager will create a public/private key pair. The public key is included in the CSR text file that IIS Manager creates for you. The private key is stashed away somewhere on your PC (I assume in the personal key store).

To create the CSR, you can also refer to the detailed steps at the GoDaddy site. Quite helpful.

Now, go back to your CA's website and find the online tool that lets you create the certificate that you purchased. The first thing it will want you to do is to paste (or upload) the CSR text. After you jump through your CA's hoops, you will receive one or more certificate files back from them.

Install certificate files into IIS

GoDaddy gives you two files: a p7b file and a crt file.

The crt file contains your public certificate. But you can't (yet) upload it to your web hosting provider because it doesn't include the associated private key. The web host needs the private key as well as the public key because it will be doing end-to-end encryption on your behalf.

The p7b file contains the certificates that comprise the "certificate chain" that allows your certificate to be verified up to your CA. In other words, when someone comes to your website and gets your certificate that claims that your website is run by Acme.com, this certificate chain lets that person's browser verify that your CA vouches for your identity. We'll get back to this file later...

Now you need to combine your public certificate with your private key and store the result in a password-protected pfx file.

Get back into IIS Manager on the same machine that created the CSR, navigate back to the Server Certificates page, and click on Complete Certificate Request (in the Actions pane on the right side of the screen).

  1. Tell the wizard to use the certificate file that you received from your CA (in my case it was a crt file, but it might be a different file type if your CA used a different encoding method).
  2. Friendly Name should probably be your domain name, but you can also add "SSL" in as well to help distinguish it (e.g. ContosoSSL)
  3. Tell the wizard to store the key in your Personal store

To install the certificates into IIS, these detailed steps from the GoDaddy site help may be helpful.

Get the pfx file

You should now see your new certificate listed on the Server Certificates page in IIS Manager. Select that certificate and export it as a pfx file (via the Actions pane on the right side of the screen).

Now you can go to https://manage.windowsazure.com (the Windows Azure management portal), select your website or cloud service, and upload the pfx file to the Azure certificate store.

Whew. Good luck...

EDIT

The above instructions only deal with installing the SSL certificate in your Azure web role, but not the intermediate certificates (i.e. the "certificate chain"). This works for most clients (browsers) because most browsers have the intermediate certificates for major CAs baked into them. In other words, the browsers know how to get from your SSL certificate up to the CA that issued it. But some clients require that the website itself publish not only the SSL certificate but also all of the intermediate certificates.

See this SO answer for details on how to do this.

6 revs, 3 users 88% answered Oct 07 '22 18:10
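The pairing of certificate and private key described in the answer above, done with OpenSSL instead of IIS Manager, as an added example that is not part of the original answer. It assumes `openssl` is installed; the file names, the CN and the `PFX_PASS` variable are constructed, and a self-signed certificate stands in for the CA's response.

```shell
#!/usr/bin/env bash
# Added example. File names, the CN and PFX_PASS are constructed placeholders.
set -eu

# Constructed stand-in for the CA: key + CSR, self-signed cert, wrapped as a DER .p7b.
make_sample() {  # $1 = work dir
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
    -out "$1/site.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$1/site.crt" -outform DER -out "$1/chain.p7b"
}

# Dump every certificate in a .p7b as PEM; try PEM encoding first, then DER.
p7b_to_pem() {  # $1 = .p7b, $2 = output .pem
  openssl pkcs7 -print_certs -in "$1" -out "$2" 2>/dev/null ||
    openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2"
}

# Count private keys in a PEM file; a converted .p7b yields 0.
count_keys() { grep -c 'BEGIN.*PRIVATE KEY' "$1" || true; }

# Count private keys stored inside a .pfx (password read from PFX_PASS).
pfx_keys() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nodes 2>/dev/null |
    grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Build the .pfx from the .p7b plus the key that was created with the CSR.
# openssl exits non-zero when no certificate in the .p7b matches the key.
build_pfx() {  # $1 = .p7b, $2 = private key, $3 = output .pfx
  bp_pem=$(mktemp); bp_rc=0
  { p7b_to_pem "$1" "$bp_pem" &&
    openssl pkcs12 -export -inkey "$2" -in "$bp_pem" -out "$3" \
      -passout env:PFX_PASS 2>/dev/null; } || bp_rc=$?
  rm -f "$bp_pem"; return "$bp_rc"
}

demo() {
  export PFX_PASS='constructed-demo-password'
  d=$(mktemp -d)
  make_sample "$d"
  p7b_to_pem "$d/chain.p7b" "$d/chain.pem"
  echo "private keys in p7b: $(count_keys "$d/chain.pem")"
  build_pfx "$d/chain.p7b" "$d/site.key" "$d/site.pfx"
  echo "private keys in pfx: $(pfx_keys "$d/site.pfx")"
  rm -rf "$d"
}
demo
```

With a real certificate, only `p7b_to_pem` and `build_pfx` are needed, and the key passed to `build_pfx` must be the one generated alongside the CSR.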