I have just private key available in a plain text file. How to import that into keystore (via keytool or some other tool) without the certificate? Or, is there a way to generate a certificate file w.r.t the given private key file?
I am working on Box service account authentication. I need to store the private key (downloadable from box as a plain text file containing the key) into my keystore via command line utility.
I have tried just putting private key into keystore via keytool. It says "unable to load certificates". I tried to see if we can generate respective certificate from the private key file. No solution. I tried just putting in private key without certificate. Don't know how to do that.
No code required here. Just importing of private key plain file into keystore.
Related
I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored on software in the machine where the CSR was created. After the import the key and the certificate are associated and should be in the Windows certificate Store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using openSSL.
I ONLY have .crt file with me which I purchased from Comodo. No private key or any thing. How can I use this to sign my code and get rid of "publisher unknown" issue in my installer. I have used Inno-Setup for creating the installer too. Code is in C Sharp. I tried to use sign tool and openssl but I don't have any other file than this user.crt file. I just can get .cer format using .crt and thats all. Appreciate any help
Usually, you need sign the application from PC where you are registered Comodo certificate. The private key saved by your browser in the local storage.
You cannot sign files with a public key only.
You need the private key.
If it were possible to sign files with a public key only, anyone could sign malicious content with your public key.
We are trying to implement the following workflow:
generate private key in browser, using window.crypto
create a PKCS10 certificate signing request in the browser
send the PKCS10 to a server
the server signs the request and returns an x509 certificate in PEM format
the browser stores the certificate for itself
The same thing already works using the keygen tag in the browser and using SPKAC instead of pkcs10. Now, however the browser does not store the certificate returned, just wants to save them. When we try to import the certificate to the browser by hand, we got "the private key for the certificate is missing or invalid".
We suspect that the private key generated by window.crypto.generateKey() does not get stored in the browser's keystore. How to get the private key stored in the keystore?
The implementation of the first two steps is based on http://blog.engelke.com/2014/08/23/public-key-cryptography-in-the-browser/
Update: As some browsers use the OS keystore, I am also looking into the possibility to save the key into the OS keystore through some other way.
What I have figured out so far:
Java cannot be used according to this question: Tell Java to use Windows keystore
In Windows one can use ActiveX controls.
Summary: Found no standard cross-browser and cross-OS way to generate and meaningfully use X509 certificates. There are combinations (new chrome versions (dropping keygen support) on non-windows OS) where there is no way to do this.
What is the difference between a certificate in a .cer file and one in a .p12 file? Are they just in different formats?
How do I extract the private key and public key from the .p12 file? Can this be done using Java keytool?
Thanks in advance.
You can export from PKCS12 to JKS using Java Keytool.
Please check this link: https://www.tbs-certificates.co.uk/FAQ/en/626.html.
If you want something else. I can provide Java code for getting the certifcate and private key from PKCS12.
When you need to create a new certificate for APNS, the Provisioning Portal "wizard" always gives the steps to create a new CSR which means you need to create a new public/private key as well. These can start to get out of control, so is there a way to create a CSR (Code Signing Request) in Keychain Access from an existing Private Key instead of having to create a new one every time?
Thanks
Typically, you can do this by right-clicking an existing private key in Keychain Access and choosing Request a Certificate from a Certificate Authority With "Name Of Your Key".
Unfortunately, this will fail with "The specified item could not be found in Keychain" unless you also have the corresponding public key in your keychain. There's no technical reason for this—a Certificate Signing Request (CSR) can be generated from just a private key—but Keychain Access doesn't understand this.
You have two options.
Export the private key and generate the CSR manually
This is a quick option that will just generate a CSR that you can upload to Apple.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl req -new -key <(openssl pkcs12 -in ~/exported.p12 -nocerts -nodes -passin pass:"") > new.certSigningRequest
See [1] at the end of this post for details about what's going on.
Press Enter for each prompt (Apple doesn't care about these values). When you're finished, you'll have a .certSigningRequest suitable for upload to the Apple Developer Portal. When you download the associated certificate, it will pair up with the original private key.
Delete the exported.p12 file, as it contains private key material.
Recreate the public key so Keychain Access is happy
This option is a longer-term fix that'll let you generate CSRs from the original key straight from Keychain Access. These instructions assume you can't currently use Keychain Access to do so because you're missing the corresponding public version of your private key. You can check for this by going to the "Keys" category in Keychain Access and looking for a "private key" and "public key" with the same name.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl pkcs12 -in ~/exported.p12 -nocerts -nodes | openssl rsa -pubout > public.pem
See [2] at the end of this post for details about what's going on.
Import this public key into Keychain Access using the security tool:
security -v import public.pem -k ~/Library/Keychains/login.keychain
You should see "1 key imported."
Change ~/Library/Keychains/login.keychain if you want to import this to another keychain. (You can see where each keychain lives by going to Edit - Keychain List in Keychain Access).
Open Keychain Access and locate the public key called "Imported Public Key." Double-click it and change its name to be the same thing as your original private key.
Delete exported.p12 and public.pem.
You can now right-click the original private key and choose Request a Certificate from a Certificate Authority With "Name Of Your Key" to generate a CSR.
Explanations
[1] This command, broken down:
openssl req -new # Generate a new certificate signing request
-key # Instead of generating a key, use an existing one
<( # Put the output of the following command in a temporary file
# (a Bash feature, not specific to OpenSSL)
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts # Don't output the certificate contained in the file
-nodes # Output the private key from the file
-passin pass:"" # The password for the container is blank
)
> new.certSigningRequest # Write the generated CSR to a file
[2] Second command, broken down:
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts -nodes # Output only the private key, no certificates
| openssl rsa -pubout # Compute the public key from a private key
> public.pem # Write the public key to a file
When you go into Provisioning Profile to Enable/Configure Push Notifications, the first thing it asks for is a CSR (Code Signing Certificate).
You can generate this with an existing private key from Keychain Access instead of creating a new one.
Just open keychain access and then scroll thru and find a previous PRIVATE KEY (probably called YOUR NAME) and then right-click (two finger click) on it and choose Request A Certificate From A Certificate Authority With "bla bla bla".
I just enter the same email address in both User Email Address and CA Email Address, and choose Saved To Disk.
Then upload that to create your .cer files