No certificate matches private key - certificate

I am trying to convert a .crt file to a .pfx file.
openssl pkcs12 -export -inkey privkey.pem -out my.pfx -in my.crt
The privkey.pem file is what I got when I created the .csr file.
When I execute the above openssl command I get that error:
No certificate matches private key
Interesting thing is that for another csr I requested a certificate and could export the pfx.
But for this 2nd certificate it's not possible.
Of course I created both csr in separate folders...
my.crt:
-----BEGIN CERTIFICATE-----
stuff
-----END CERTIFICATE-----
privkey.pem:
-----BEGIN PRIVATE KEY-----
stuff
-----END PRIVATE KEY-----
What is wrong?

Related

Error while decoding a ecdsa (secp256k1) private key

I created a private key (pem) file using following command
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem
here is the file content.
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEINpbPusf6E6YXk6E8Y0o56T35Pmyv4F6pIdjuxOsBeu/oAcGBSuBBAAK
oUQDQgAEHir/UGtp0N4xD5gKiMlgVS7infNl4fpq+CDPSRasA8jHSfACho5asgwv
0gZ4K9WMXPSGtI7Yflz5YXSYgAoUwQ==
-----END EC PRIVATE KEY-----
I tried to decode the above string using this website. (https://redkestrel.co.uk/products/decoder/)
But getting an error:
Sorry, we were unable to fully decode the data provided

Converting binary private key into pem format

I'm trying to import a certificate into AWS, the problem is my private key is not in pem format. I'd rather not have to create a new certificate as I've already had a CA sign mine. I've generated the key using this following command
keytool -genkey -alias info -keyalg RSA -keysize 2048 -keystore info
Which leaves me with a private key in binary format named info. I'm able to use this command to convert the private key into base64 I believe.
openssl rsa -inform DER -outform PEM -in info -out info.pem
The header and footer are missing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Which I append to their appropriate locations. Now when I attempt to upload my cert, it fails because the private key is not in pem format. As per other questions regarding binary to pem format, I've tried this command.
openssl rsa -inform der -in info -outform pem -out info.pem
which results in this error "unable to load Private Key
140594255303104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:"
How should I go about converting a binary key generated from keytool into pem format?
I was able to convert it from jks to pem using these following commands.
keytool -importkeystore -srckeystore info -destkeystore info.p12 -srcalias info -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in info.p12 -out info.pem

Is there any way we can convert RSA private key to x509 format?

I have created private key and public key using below commands,
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
Seems like both are in different format.
I need to convert rsa privatekey.pem to x509 format.
Is there any way I can do that?
Probably, you meant a conversion of the RSA private key to the PKCS8 format.
From starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt
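Added example in POSIX shell with the openssl CLI; it is not part of the questions or answers above. It serves two passages: the "Error while decoding a ecdsa (secp256k1) private key" question, whose pasted key it writes to a file and dissects with `openssl asn1parse` (the structure is a well-formed SEC1 ECPrivateKey: version, 32-byte scalar, curve OID 1.3.132.0.10 = secp256k1, public point, so the decoder website rather than the key is at fault), and the PKCS#8 answer just above, whose `pkcs8 -topk8 -nocrypt` command it applies to show the label change from `EC PRIVATE KEY` to `PRIVATE KEY`; the same command turns `RSA PRIVATE KEY` (PKCS#1) into `PRIVATE KEY` for an RSA key. It assumes `openssl` 1.1.1 or 3.x is on PATH with the secp256k1 curve enabled; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the question or the answer): inspect the SEC1
# "EC PRIVATE KEY" pasted in the ecdsa/secp256k1 question and convert it to
# PKCS#8 with the command the answer recommends. Needs `openssl` on PATH.

# Write the key from the question to the given path (it is the poster's
# published test key, so embedding it here exposes nothing new).
write_question_key() {
  cat > "$1" <<'EOF'
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEINpbPusf6E6YXk6E8Y0o56T35Pmyv4F6pIdjuxOsBeu/oAcGBSuBBAAK
oUQDQgAEHir/UGtp0N4xD5gKiMlgVS7infNl4fpq+CDPSRasA8jHSfACho5asgwv
0gZ4K9WMXPSGtI7Yflz5YXSYgAoUwQ==
-----END EC PRIVATE KEY-----
EOF
}

# The PEM label says which ASN.1 structure follows:
#   EC PRIVATE KEY  -> SEC1 ECPrivateKey      (openssl ecparam -genkey)
#   RSA PRIVATE KEY -> PKCS#1 RSAPrivateKey   (openssl genrsa)
#   PRIVATE KEY     -> PKCS#8 PrivateKeyInfo  (openssl pkcs8 -topk8, openssl req -newkey)
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# PEM is base64 DER: drop the label lines, decode, count bytes (118 for this key).
der_length() { sed '/^-----/d' "$1" | openssl base64 -d | wc -c | tr -d ' '; }

# Curve named in the parameters field: asn1parse resolves OID 1.3.132.0.10 to
# "secp256k1". The last OBJECT line is the curve in both SEC1 and PKCS#8 layouts.
key_curve() { openssl asn1parse -in "$1" | sed -n 's/.*OBJECT *:\([^ ]*\).*/\1/p' | tail -n 1; }

# Length of the private scalar in a SEC1 key: the first OCTET STRING
# (32 bytes for a 256-bit curve).
private_scalar_bytes() {
  openssl asn1parse -in "$1" | sed -n 's/.*l= *\([0-9]*\) prim: *OCTET STRING.*/\1/p' | head -n 1
}

# Re-wrap the same key as PKCS#8 (what the answer's pkcs8 -topk8 -nocrypt does);
# the label becomes "PRIVATE KEY" and the curve OID moves into the AlgorithmIdentifier.
to_pkcs8() { openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"; }

# Stand-alone demo. The hex dumps (private scalar and public point) are redacted
# in the printout, since asn1parse would otherwise echo the scalar to the terminal.
demo_key=$(mktemp)
write_question_key "$demo_key"
echo "label: $(pem_label "$demo_key") (DER length $(der_length "$demo_key") bytes)"
echo "curve: $(key_curve "$demo_key"), private scalar $(private_scalar_bytes "$demo_key") bytes"
openssl asn1parse -i -in "$demo_key" | sed 's/\[HEX DUMP\]:[0-9A-F]*/[HEX DUMP]:<redacted>/'
to_pkcs8 "$demo_key" "$demo_key.p8"
echo "after -topk8: label $(pem_label "$demo_key.p8"), curve $(key_curve "$demo_key.p8")"
rm -f "$demo_key" "$demo_key.p8"
```

Run it as `sh decode-ec-key.sh`; the asn1parse listing shows the SEQUENCE, the version INTEGER, the OCTET STRING scalar, the `[0]` parameters holding the curve OID and the `[1]` BIT STRING public point, which is everything the decoder website failed to show.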

How to decode a self-signed certificate

When creating public-private key pair and certificate, usually we see that the certificate looks like this:
-----BEGIN CERTIFICATE-----
XXX
XXX
...
XXX
-----END CERTIFICATE-----
If I understand correctly, the certificate should contain a lot of information like issuer, time, algorithm, public key, etc.
Can anybody tell me how a browser can decode this certificate?
Most programming languages will have functions to do this, or you can use the OpenSSL command line utility.
For example, in PHP, you could use the openssl_x509_parse() function,
Here's a list of OpenSSL commands for getting certificate info. Most programming languages let you call system commands like openssl.
Here's the linked info in case the page is removed:
# Using the -text option will give you the full breadth of information.
openssl x509 -text -in cert.pem
# who issued the cert?
openssl x509 -noout -in cert.pem -issuer
# to whom was it issued?
openssl x509 -noout -in cert.pem -subject
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
# the above, all at once
openssl x509 -noout -in cert.pem -issuer -subject -dates
# what is its hash value?
openssl x509 -noout -in cert.pem -hash
# what is its MD5 fingerprint?
openssl x509 -noout -in cert.pem -fingerprint
And here is the output of the -text full info option when run on the PayPal API public key:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re@paypal.com
Validity
Not Before: Feb 13 10:13:15 2004 GMT
Not After : Feb 13 10:13:15 2035 GMT
Subject: C=US, ST=CA, L=Mountain View, O=PayPal Inc., OU=live_certs, CN=live_api/emailAddress=re@paypal.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:47:4e:dd:fc:44:cc:4b:5c:9c:8e:d9:29:92:
f8:d7:65:ef:64:fb:a0:a2:78:bb:8b:b0:fb:a6:b0:
9e:d0:0b:5a:1d:37:3d:ec:26:20:9b:b3:6c:02:d2:
72:c4:d2:e2:c6:68:4b:57:ca:72:20:46:a2:1d:75:
80:87:c7:cf:29:6f:91:d3:5e:fe:12:65:eb:af:d1:
1a:aa:e3:e6:b1:5b:d3:cb:00:00:13:53:cc:34:e2:
aa:a3:69:25:e0:6c:62:cf:dc:d9:a8:86:a3:3a:6d:
5f:64:65:9c:19:2d:1f:e4:94:36:90:1a:8d:6e:f6:
e0:db:f6:5a:f8:62:7f:ab:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
X509v3 Authority Key Identifier:
keyid:96:9F:7C:BB:C6:6F:17:BD:59:3F:52:D7:0A:1B:EC:10:D6:64:94:6B
DirName:/C=US/ST=CA/L=Mountain View/O=PayPal Inc./OU=live_certs/CN=live_api/emailAddress=re@paypal.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
81:5f:3a:56:9a:80:5a:e5:ef:5f:a3:ab:a3:8a:89:d6:d6:15:
21:3e:43:81:6a:44:eb:dd:80:83:8d:b6:1f:bc:91:22:bf:fd:
8f:f8:8a:1b:84:e1:89:af:ce:7e:5c:78:4d:d2:fe:20:52:41:
03:23:ca:f6:fe:b3:64:d6:6d:06:03:c1:ca:75:db:d3:8f:21:
b0:fd:7a:97:6b:e2:d2:4e:50:d8:92:a2:3c:3b:04:7c:18:46:
23:e1:e7:c4:b5:c4:69:45:80:71:57:c2:b1:01:6f:77:60:35:
b3:14:6b:eb:b8:a9:e7:2d:b0:c0:17:a5:51:e7:0f:dc:08:c9:
f9:87
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
To answer my own question: It is just a Base64 encoding.

Joining GoDaddy-issued .spc and .key files into a complete .pfx / .cer certificate

I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in a .key file. The code signing certificate was issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issued.
Now I'm facing the problem of joining the original private key file with the issued certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.
The command I'm trying is:
openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export
However, I'm getting an error message that reads “No certificate matches private key”.
I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get
unable to load certificate
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
What's the correct way of producing a .pfx file from my inputs? I'm using OpenSSL 0.9.8k.
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:
Obtain your new CodeSign.spc certificate from GoDaddy.
Export a PEM-formatted private key from the expired PFX:
openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Convert the PEM-formatted private key into the PVK format:
pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk
Combine the PVK and SPC into PFX:
pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f
Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
Export it from the certificate store into the binary CER format as CodeSign.cer.
Optionally delete the certificate from the Windows certificate store.
In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).
UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to convert it into SPC:
openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc
Sources:
http://www.tech-pro.net/export-to-pvk-spc.html
http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/
http://www.drh-consultancy.demon.co.uk/
https://www.sslshopper.com/ssl-converter.html
http://russenreaktor.wordpress.com/2010/06/10/solved-convert-signing-certificate-crt-to-spc/
The tools you will need:
OpenSSL
pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010
I had a similar issue and I spent at least a few hours searching around for a solution. GoDaddy provided me with .spc and .pem files and I couldn't create a .pfx file out of them using OpenSSL. Finally, I imported the .spc file on my local computer using MMC. Once the certificate was imported on my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself.
Now, select both files and right click to export as a .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and most straightforward solution. Hope this post helps many people.
You can create a PFX with openssl only.
Export a PEM-formatted private key from the expired PFX:
openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Create the PFX:
openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.
For anyone else looking for similar information, here is what I ended up using...
Get the private key:
openssl pkcs12 -in certs-and-key.p12 -out privateKey.key
Get the certificate:
Beware: This can give you the CA cert
openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys
Better: Use this command to print only the client cert
openssl pkcs12 -in MacCossLabUW.p12 -clcerts
Then copy the output between:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save it to a file named certificate.crt
Now check that the private key and certificate match with the commands:
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
Then generate a new CSR:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Use the CSR to Re-Key the certificate.
Download the GoDaddy software publishing certificate (.spc) file.
Verify that the generated certificate matches the request private key:
openssl pkcs7 -inform DER -in certificate.spc -print_certs
Then copy the output between for your certificate (Note: the output will also contain CA certs):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save to a file named certificate-new.crt
And run the command:
openssl x509 -noout -modulus -in certificate-new.crt | openssl md5
The output should match the previous call used with the private key and request certificate.
To finish the process, follow the steps outlined in the answer with pvk2pfx.
I also found the schematic diagram in this post quite helpful:
PVK2PFX Error 0x80070490 - Cannot find certificates that match the key
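Added example in POSIX shell with the openssl CLI; it is not code from any answer on this page. It serves the "No certificate matches private key" question at the top of the page and the matching check in the answer just above (the `-modulus | openssl md5` comparison), replacing the modulus trick with a comparison of the full SubjectPublicKeyInfo so it also works for EC keys, and then runs the openssl-only SPC-plus-key-to-PFX pipeline from the earlier answer (with the `crl2pkcs7` command from the accepted answer's UPDATE to make the SPC). All key material is constructed throwaway material generated on the fly; it assumes `openssl` 1.1.1 or 3.x on PATH, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from any answer on this page): a key/certificate match
# check that works for RSA and EC keys, followed by the openssl-only SPC+key
# to PFX step, on constructed throwaway material. Needs `openssl` on PATH.

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in a certificate file.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0: same public key; 1: different keys; 2: a file did not parse.
# Comparing the whole public key (not just "-modulus", which only RSA has)
# is exactly what pkcs12 -export checks before complaining
# "No certificate matches private key".
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || { echo "cannot load private key: $1" >&2; return 2; }
  openssl x509 -in "$2" -noout 2>/dev/null || { echo "cannot load certificate: $2" >&2; return 2; }
  [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_cert "$2")" ]
}

# Wrap a PEM certificate into an SPC-style PKCS#7 DER bundle (the crl2pkcs7
# command from the accepted answer's UPDATE).
crt_to_spc() { openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out "$2"; }

# SPC + PEM key -> password-protected PFX, the pipeline from the openssl-only
# answer. pkcs12 -export picks the certificate that belongs to the key, stores
# the rest as chain, and fails with "No certificate matches private key" otherwise.
spc_and_key_to_pfx() {
  openssl pkcs7 -in "$1" -inform DER -print_certs \
    | openssl pkcs12 -export -inkey "$2" -out "$3" -passout "pass:$4"
}

# Constructed demo material in directory $1: an RSA key with a self-signed
# certificate, and an EC key with its own. Throwaway identities, nothing real.
make_demo_material() {
  openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/rsa.key" -out "$1/rsa.crt" -days 1 -subj "/CN=demo-rsa" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key"
  openssl req -new -x509 -key "$1/ec.key" -out "$1/ec.crt" -days 1 -subj "/CN=demo-ec" 2>/dev/null
}

# Print a one-line verdict for a key/certificate pair.
report() {
  if key_matches_cert "$1" "$2"; then echo "MATCH:    $(basename "$1") <-> $(basename "$2")"
  else echo "MISMATCH: $(basename "$1") <-> $(basename "$2")"
  fi
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_demo_material "$demo_dir"
report "$demo_dir/rsa.key" "$demo_dir/rsa.crt"
report "$demo_dir/ec.key" "$demo_dir/ec.crt"
report "$demo_dir/ec.key" "$demo_dir/rsa.crt"
crt_to_spc "$demo_dir/rsa.crt" "$demo_dir/rsa.spc"
spc_and_key_to_pfx "$demo_dir/rsa.spc" "$demo_dir/rsa.key" "$demo_dir/rsa.pfx" "demo-pass" \
  && echo "built rsa.pfx from rsa.spc + rsa.key"
spc_and_key_to_pfx "$demo_dir/rsa.spc" "$demo_dir/ec.key" "$demo_dir/wrong.pfx" "demo-pass" \
  || echo "expected failure above: ec.key does not belong to the certificate in rsa.spc"
rm -rf "$demo_dir"
```

The last call reproduces the error from the top of the page on purpose: the SPC carries the RSA certificate, the key is the EC one, and `openssl pkcs12 -export` refuses. When you hit that error with files you believe belong together, run `key_matches_cert` on them first; a status of 2 means one of the files is not what you think it is (a certificate passed as a key, an SPC passed as a PEM certificate, as in the `Expecting: TRUSTED CERTIFICATE` error above), while 1 means the CSR was really generated with a different key.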
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:
Generate a private key and CSR using openssl
openssl req -newkey rsa:2048 -keyout private.key -out my.csr
Generate a PVK using the private key with openssl
openssl rsa -in private.key -outform PVK -pvk-strong -out codesign.pvk
Use the CSR in the generation of the code sign certificate on Godaddy
Download the Zip from Godaddy and extract the SPC file (as mentioned by OP)
Use pvk2pfx to combine the PVK and the SPC file into a code sign certificate. This was included in the same SDK (and directory) as signtool itself:
pvk2pfx.exe -pvk codesign.pvk -spc SPC_FILEPATH_HERE -pfx codesign.pfx -pi PVK_PASSWORD -po PFX_PASSWORD
If you generated your certificate request from IIS (I did this on IIS on Windows 2012 Server), follow these steps on the server/PC where you generated the request:
- Open IIS
- Click on the top level node (Server node)
- Open the Server Certificates settings
- Click on "Complete certificate request" under actions on the right
- Import your spc file to the server.
From here you can then export to a PFX file