I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored in software on the machine where the CSR was created. After the import the key and the certificate are associated and should be in the Windows certificate store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using OpenSSL.
Related
A little bit of context:
I used to generate CSRs from IIS "Create certificate request", import that in my provider (GoDaddy) and get a .crt in return. Then I used to go again to IIS to "Complete certificate request" and generate the .pfx.
I want to automate this process as much as possible including importing the CSR to GoDaddy and downloading the .crt file.
Right now I was able to automate the CSR creation with certreq.exe but not sure how to complete the request using PowerShell to create the .pfx when I have the .crt file from GoDaddy. I know I can do it with openssl but I'm missing the private key.
I think when I create the CSR request with certreq.exe, it generates the .pfx on "MMC > Certificate Enrollment Requests" which has the private key, so I was wondering if every time I request the CSR, I have to export that .pfx and with openssl extract the private key to use it with my .crt file from GoDaddy?
Hopefully I was able to explain correctly what I'm trying to accomplish and somebody can help me with this.
We are using IdentityServer4 and our version loads the signing key from a PFX file in the file system or from the Windows certificate store. Using the certificate works. The question is: which certificate issuer should be used in production?
Is a certificate from a public CA recommended? Or is it enough to have a self-signed certificate (without a CA at all) such as it can be created with IIS Manager?
In our tests we have found that the client could still validate the signature in the access token, even if the signing certificate would not have a valid CA chain on the client.
In the docs, it says that you can also use raw key material instead of a certificate:
http://docs.identityserver.io/en/latest/topics/crypto.html#token-signing-and-validation
In this scenario there would be no CA chain whatsoever.
That leads me to the assumption that when the client loads the public signing key (via the HTTP(S) endpoint), the CA chain information might not be passed anyway. Is that right? Through the loading mechanism via HTTPS you also have a combined security mechanism.
So my conclusion is that for the signing credential a self-signed cert is just as safe as one from VeriSign. Can this be confirmed?
There is no certificate involved in signing and verifying the tokens. Only a private and public key (RSA or ECDSA key).
However a certificate can be useful to "import/transport" the keys into .NET. So, because of that we don't care about who issued the certificate.
When importing the key, one approach is to bundle the certificate that holds the public key + the private key and store it in a PKCS#12 file (.pfx/.p12 extension). Then load that file into .NET. Before .NET 5 working with keys was a bit hard.
The more important thing is that you can manage and deploy the private key in a secure way and that it is persisted over time.
Optionally, you can add support for key-rotation.
I ONLY have a .crt file with me which I purchased from Comodo. No private key or anything. How can I use this to sign my code and get rid of the "publisher unknown" issue in my installer? I have used Inno Setup for creating the installer too. Code is in C Sharp. I tried to use signtool and openssl but I don't have any other file than this user.crt file. I can just get .cer format using .crt and that's all. Appreciate any help.
Usually, you need to sign the application from the PC where you registered the Comodo certificate. The private key is saved by your browser in local storage.
You cannot sign files with a public key only.
You need the private key.
If it were possible to sign files with a public key only, anyone could sign malicious content with your public key.
What is the utility of a .p12 file/certificate? I am not getting any correct definition when searching the internet:
On one site I got "it stores server side certificates along with intermediate certificates and private key in one file. It's mostly used on Windows machines."
On another site I got "it binds an organization's public key with its name."
My question is whether it's the public key or the private key which is included in the .p12 certificate.
The .p12 contains both the private and the public key, and also information about the owner (name, email address, etc.), all being certified by a third party. With such a certificate, a user can identify himself and authenticate himself to any organization trusting the third party.
You should be able to see the content of the p12 file with
openssl pkcs12 -info -in filename.p12
provided openssl is installed in your system.
I purchased a wildcard certificate from GoDaddy and I want to associate this certificate with a website on AppHarbor.
AppHarbor only allows me to upload a PFX certificate. So, how do I convert a .CRT to a .PFX?
If the content of the .CRT file is a base-64 encoded certificate and it starts with BEGIN CERTIFICATE, you can dispense with the .pfx file and use the keypair certificate entry method on AppHarbor.
PFX is the private information exchange format (Windows calls them like this) and is actually the PKCS12 keystore.
All you have to do is import the certificate into your keystore that already has your private key and use that. You don't need to transform the certificate.
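The point running through the .p12 question, the code-signing question and the .CRT-to-.PFX question above is the same: a PKCS#12 bundle is certificate plus private key, and the key has to come from wherever the CSR was generated. The following script, added here as an illustration and not taken from any of the posts, uses openssl (assumed on PATH, 1.1.1 or 3.x) on locally generated files to show that a .crt alone yields a bundle with no key, how to check that a .crt matches a candidate key, and how to inspect the result with the `openssl pkcs12 -info` check from the answer above.

```shell
#!/bin/sh
# Added example, not from any post above. Shows with openssl that a PKCS#12
# (.pfx/.p12) is a bundle of certificate + private key, that a .crt alone yields a
# bundle with no key, and how to check that a .crt matches a candidate key.
# Assumes openssl 1.1.1 or 3.x is on PATH; all files are constructed locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit            # constructed passphrase for the demo only

# Generate a key plus a self-signed cert so the demo runs offline. In the real
# flow the CA-issued .crt replaces server.crt; the key never leaves this machine.
make_key_and_cert() {    # $1 = key path, $2 = cert path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.invalid" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# A cert and a key belong together only if they carry the same public key.
cert_matches_key() {     # $1 = cert, $2 = key; exit status 0 on match
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Bundle cert + key into a .pfx (what IIS "Complete certificate request" produces).
make_pfx() {             # $1 = cert, $2 = key, $3 = output .pfx
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$PASS"
}

# What a .crt alone can give you: a bundle that contains no private key at all.
make_cert_only_pfx() {   # $1 = cert, $2 = output .pfx
  openssl pkcs12 -export -in "$1" -nokeys -out "$2" -passout "pass:$PASS"
}

# Count the private keys in a .pfx by dumping it with the -info check above.
pfx_private_key_count() {  # $1 = pfx; prints the count
  openssl pkcs12 -in "$1" -info -nodes -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY' || true
}

main() {
  make_key_and_cert "$WORK/server.key" "$WORK/server.crt"
  cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "cert/key pair matches"
  make_pfx "$WORK/server.crt" "$WORK/server.key" "$WORK/full.pfx"
  make_cert_only_pfx "$WORK/server.crt" "$WORK/certonly.pfx"
  echo "private keys in full.pfx:     $(pfx_private_key_count "$WORK/full.pfx")"
  echo "private keys in certonly.pfx: $(pfx_private_key_count "$WORK/certonly.pfx")"
}
main
```

The cert-only bundle is exactly what you end up with when only a downloaded .crt is available; no tool can turn it into a signing or serving credential without the key that was generated alongside the CSR.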