I'm trying to import a certificate into AWS, the problem is my private key is not in pem format. I'd rather not have to create a new certificate as I've already had a CA sign mine. I've generated the key using this following command
keytool -genkey -alias info -keyalg RSA -keysize 2048 -keystore info
Which leaves me with a private key in binary format named info. I'm able to use this command to convert the private key into base64 I believe.
openssl rsa -inform DER -outform PEM -in info -out info.pem
The header and footer are missing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Which I append to their appropriate locations. Now when I'm attempt to upload my cert, it fails because the private key is not in pem format. AS per other questions regarding binary to pem format, I've tried this command.
openssl rsa -inform der -in info -outform pem -out info.pem
which results in this error "unable to load Private Key
140594255303104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:"
How should go about converting a binary key generated from keytool into pem format?
I was able to convert it from jks to pem using these following commands.
keytool -importkeystore -srckeystore info -destkeystore info.p12 -srcalias info -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in info.p12 -out info.pem
Related
I have the following files
server.csr
serverprivate.key
serverpublic.key
Provided by vendor: vendor.pem
I need to convert the certificate to a .p12 files and tried the following command via openssl
openssl pkcs12 -export -out esim.p12 -inkey private.key -in ca-preprod.crt
and i'm getting "NO CERTIFICATE MATCHES PRIVATE KEY"
How to generate a .p12 file using the files I have now?
I have created private key and public key using below commands,
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
Seems like both are in different format.
I need to convert rsa privatekey.pem to x509 format.
Is there any way i can do that?
Probably, you meant a conversion of the RSA private key to the PKCS8 format.
From starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt
When I'm trying to convert pfx file, which was generated without password, to jks I get a WARNING WARNING etc... message from keytool, and an error afterwards
When I do the same with an password protected pfx, then everything is fine.
Can anyone suggest what I can do !? maybe a conversion from other formats or using other tools ?
ps. I did also conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.
EDIT
keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects
\ceva.pfx" -srcstoretype pkcs12 -destkeystore "C:\Users\rodislav.mol
dovan\Projects\ceva.jks" -deststoretype JKS
Enter destination keystore password: ******
Re-enter new password: ******
Enter source keystore password: // pressed enter, because there is no pass
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
keytool error: java.security.UnrecoverableKeyException: Get Key failed: null
You can do it by making a p12 keystore first with OpenSSL and then convert it into JKS format with Keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Try to convert it to a p12 with a password before.
openssl pkcs12 -in in.pfx -out out.p12
If you just have a full PFX file that isn't password protected; for instance you downloaded the cert from Azure Key Vault like so:
az keyvault secret download -f mycert.pfx --encoding base64 --vault-name <vault name> --name <certificate name>
Then you can jump through a few hoops to add password protection (got this from here: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl/):
openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -export -out protectedcert.pfx -in temppem.pem
rm certs/mycert.pfx
rm certs/temppem.pem
Obviously you need to specify a password in the second openssl command to pw-protect the new PFX.
I have the exact problem reported in
Jarsigner: certificate chain not found for
My starting point was a .pem file. My sense is that this does have the private key also. I used the following command to import this into a keystore:
keytool -importcert -alias myalias -file myfile.pem
For "Trust this certificate? [no]", if I choose "no" the import fails. So, I went with "yes". The import does succeed. My
keytool -list
produces output similar to the one listed in Jarsigner: certificate chain not found for.
My sense is that I do have the right certificate bit am not importing this correctly. In other words, I am suspecting that a 'trusted certificate entry' is being created instead of a 'key entry' but don't know how to force keytool to create a 'key entry'.
How can I solve this problem?
Additional Info:
After further work, I am leaning towards exactly the opposite conclusion than the one above. I now think that something is wrong with my pem file. I looked at a previous keystore entry with an expired key. It clearly states PrivateKeyEntry while my import states trustedCertEntry.
You can try to create a pkcs12 from your files that would contain the entire certificate chain. You'll need your public cert and the root CA cert. Command is like this:
openssl pkcs12 -export -inkey file.pem -in file.crt -out file.p12 \
-CAfile root-CA.pem -chain -name mykey
Once you have the entire file.p12 file, you can export the full cert to pem format:
openssl pkcs12 -in file.p12 -out new-cert.pem -nodes -clcerts
Or if you want to export to a Java keystore format that has the entire chain, the command is:
keytool -importkeystore -srcstoretype pkcs12 -srckeystore file.p12 \
-srcstorepass <password> -keystore keystore.jks
I am trying to convert an Apple Push Certificate (received in .pem format from https://identity.apple.com/pushcert/) to PKCS12 on a Windows machine. I have OpenSSL installed.
Here are the steps I am trying:
Generate CSR
openssl req -out d:\cert\request.csr -new -newkey rsa:2048 -nodes -keyout d:\cert\csrPrivateKey.pem
Upload signed CSR to Apple and download issued certificate (pushCert.pem)
Convert .pem certificate to pkcs12
openssl pkcs12 -export -in d:\cert\pushCert.pem -inkey d:\cert\csrPrivateKey.pem -out d:\cert\pushCert.p12 -name "apns-cert"
When I try this last step, I get an error "No certificate matches private key" and an empty file is created. If anyone has any suggestions it would be greatly appreciated.
Thanks!