I have been struggling for the last three hours trying to create a .pfx file using OpenSSL. I have been following this document and have been following the instructions under the Get a certificate using OpenSSL header.
I am at the step here: openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt and am using the OpenSSL.exe console.
I get the error: unable to load certificates
I have also tried this: x509 -text -in myserver.key and received the error: 0906D06D06C:PEM_read_bio:no start line:.\crypto\pem\pem_lib.b.c:703:Expecting: TRUSTED CERTIFICATE
I also get that error if I try myserver.crt.
I seem to get it no matter what I do.
Can someone please help?
A PFX file indicates a certificate in PKCS#12 format; it contains the certificate, the intermediate authority certificate necessary for the trustworthiness of the certificate, and the private key to the certificate. Think of it as an archive that stores everything you need to deploy a certificate.
I get the error: unable to load certificates
myserver.crt needs to be in PEM format. Does it have -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----?
myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.
You send all the intermediate certificates to solve the "which directory" problem. The "which directory" problem is a well-known problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.
I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.
With the www-example-com.crt, my server certificate looks like:
$ cat www-example-com.crt
-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----
For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):
openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12
When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):
openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem
The command should complete with "Verify OK":
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 37E5AF0EE1745AB2...
Session-ID-ctx:
Master-Key: 7B9F8A79D3CC3A41...
Key-Arg : None
Start Time: 1243051912
Timeout : 300 (sec)
Verify return code: 0 (ok)
I have also tried this: x509 -text -in myserver.key and received the error...
x509 is for certificates. If you want to dump a key, use OpenSSL's pkey command. See the docs on OpenSSL's pkey(1) command.
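The checks the answer walks through (PEM markers present, a chain rather than a single certificate, a key file that really holds one private key), as an added example that is not part of the original answer. It uses only grep so it runs without OpenSSL installed; every file name and PEM body in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer): structural pre-flight checks
# for the two inputs to "openssl pkcs12 -export", using only grep so they run
# even where openssl is absent. All file names and PEM bodies below are
# constructed placeholders, not real certificates or keys.

# Count PEM blocks whose BEGIN line matches a label pattern (ERE).
pem_count() {
    n=$(grep -c -E "^-----BEGIN $2-----\$" "$1" 2>/dev/null) || n=0
    echo "$n"
}

# Describe a file: missing | not-pem | cert:N | key:N | mixed.
# "not-pem" (e.g. a binary DER file) is what makes OpenSSL say "no start line".
pem_kind() {
    [ -f "$1" ] || { echo missing; return 1; }
    grep -q '^-----BEGIN ' "$1" || { echo not-pem; return 1; }
    certs=$(pem_count "$1" 'CERTIFICATE')
    keys=$(pem_count "$1" '(RSA |EC |ENCRYPTED )?PRIVATE KEY')
    if [ "$certs" -gt 0 ] && [ "$keys" -eq 0 ]; then echo "cert:$certs"
    elif [ "$keys" -gt 0 ] && [ "$certs" -eq 0 ]; then echo "key:$keys"
    else echo mixed; return 1
    fi
}

# Validate <crt> <key> [out] as the answer describes: the .crt must be a PEM
# chain (server cert plus intermediates), the .key a single PEM private key.
# Prints the export command on success; prints the reason and returns 1 otherwise.
check_pfx_inputs() {
    crt=$1; key=$2; out=${3:-server.pfx}
    ck=$(pem_kind "$crt") || { echo "crt: $ck"; return 1; }
    kk=$(pem_kind "$key") || { echo "key: $kk"; return 1; }
    case $ck in cert:*) ;; *) echo "crt: expected certificate(s), got $ck"; return 1 ;; esac
    case $kk in key:1) ;; *) echo "key: expected one private key, got $kk"; return 1 ;; esac
    [ "${ck#cert:}" -ge 2 ] || echo "warning: $crt holds one certificate; append the intermediate(s)" >&2
    echo "openssl pkcs12 -export -in $crt -inkey $key -out $out"
}

# Constructed sample files with placeholder bodies (openssl itself would reject them).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0VSVC1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' > "$tmp/single.crt"
cat "$tmp/single.crt" "$tmp/single.crt" > "$tmp/chain.crt"     # server cert + intermediate
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'S0VZLVBMQUNFSE9MREVS' '-----END RSA PRIVATE KEY-----' > "$tmp/server.key"
printf '\060\202\001\012' > "$tmp/server.der"                  # DER header bytes, no PEM start line

check_pfx_inputs "$tmp/chain.crt" "$tmp/server.key" "$tmp/www-example-com.pfx"   # prints the export command
check_pfx_inputs "$tmp/server.der" "$tmp/server.key" || true                      # crt: not-pem
```

A real .crt that passes these checks can still fail in openssl (wrong order, expired intermediate), so the checks only rule out the format mistakes the answer describes.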