I have an X509 certificate (chain) and private key in PEM format. I need to convert them to GPG format so I can use them for signing. How can I do that?
I tried gpgsm, but the keys still don't appear on gpg list of keys.
Please, advise.
From my article
Steps
Break the pfx (p12) into pem files that can be used. For some reason, GPG can't handle standard encoding.
openssl pkcs12 -in sectigo.pfx -nokeys -out gpg-certs.pem
openssl pkcs12 -in sectigo.pfx -nocerts -out gpg-key.pem
Combine the keys into something GPG recognizes
openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
Import into GPG
gpgsm --import gpg-key.p12
At this point we have the p12 imported, and we can see it in Kleopatra, but we can’t use it for PGP operations.
cat gpg-key.pem | PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "Your Name <your#email.address>" > key.pgp
Now!!!! We have a pgp key, and when you import the key.pgp into GPG it will absolutely have the same key as your certificate.
gpg --import key.pgp
It’s separate key storage: gpg has ~/.gnupg/pubring.gpg, gpgsm has ~/.gnupg/pubring.kbx
So keys added with gpgsm aren’t usable with gpg; gpg doesn’t read ~/.gnupg/pubring.kbx.
To see they keys you added with gpgsm, use gpgsm --list-keys. And to create ciphertext from those gpgsm keys, use gpgsm --encrypt. And so on. It’s a completely separate tool from gpg.
As far as importing X.509 stuff for use by gpg, GnuPG doesn’t provide a way to do that. There’s nothing in the OpenPGP standard about it, so there’s no interoperable way to do it.
But the commercial (Symantec) PGP Desktop tool has some way of doing it, so if you can get ahold of a copy of PGP Desktop, I guess you could use that to import your X.509 stuff into PGP Desktop’s key storage, then export it as a .gpg/.asc file, then run gpg --import on that.
Related
There is a way to import a .pfx certificate in postman?
I need to send a user certificate for testing my API.
At the time of writing this answer Postman didn't support .PFX files. Ref:
Feature Request: Support for PFX
However you can extract cert and private key from the .PFX file using openSSL and configure those in Postman.
Extract key:
openssl pkcs12 -in pfxfile.pfx -nocerts -out key.pem -nodes
Extract cert:
openssl pkcs12 -in pfxfile.pfx -nokeys -out cert.pem
Postman Canary Update has support for PFX Files now. You may use that build instead.
I have the exact problem reported in
Jarsigner: certificate chain not found for
My starting point was a .pem file. My sense is that this does have the private key also. I used the following command to import this into a keystore:
keytool -importcert -alias myalias -file myfile.pem
For "Trust this certificate? [no]", if I choose "no" the import fails. So, I went with "yes". The import does succeed. My
keytool -list
produces output similar to the one listed in Jarsigner: certificate chain not found for.
My sense is that I do have the right certificate bit am not importing this correctly. In other words, I am suspecting that a 'trusted certificate entry' is being created instead of a 'key entry' but don't know how to force keytool to create a 'key entry'.
How can I solve this problem?
Additional Info:
After further work, I am leaning towards exactly the opposite conclusion than the one above. I now think that something is wrong with my pem file. I looked at a previous keystore entry with an expired key. It clearly states PrivateKeyEntry while my import states trustedCertEntry.
You can try to create a pkcs12 from your files that would contain the entire certificate chain. You'll need your public cert and the root CA cert. Command is like this:
openssl pkcs12 -export -inkey file.pem -in file.crt -out file.p12 \
-CAfile root-CA.pem -chain -name mykey
Once you have the entire file.p12 file, you can export the full cert to pem format:
openssl pkcs12 -in file.p12 -out new-cert.pem -nodes -clcerts
Or if you want to export to a Java keystore format that has the entire chain, the command is:
keytool -importkeystore -srcstoretype pkcs12 -srckeystore file.p12 \
-srcstorepass <password> -keystore keystore.jks
I am working on a project to automate extracting a public key DER encoded certificate from a users smart card, and convert it to ssh-rsa public key form. The ssh-rsa public key would then be published as a user attribute in AD. From there puppet would grab the ssh public key using an ldap query and place it in the authorized_keys file for the user in question.
The problem I am running into is that in Windows there doesn't seem to be a way to make the conversion from DER encoded .cer file to a ssh-rsa key. If the certificate is moved to the users home directory then it is possible to run:
openssl x509 -inform pem -in username.cer -noout -pubkey > username.pub
Then ssh-keygen can create the ssh-rsa public key using:
ssh-keygen -f username.pub -i -m PKCS8
So does anyone know of a way for windows to make this conversion? If you need more information please let me know.
You need to convert the DER encoded file to PEM first. Here is what you would need to do:
openssl x509 -in <your DER encoded File> -inform DER -out username.crt -outform PEM
There is a way, you need to use:
Import-Certificate
To import the certificate into the users/local machine store. You can then get the public key like so (well this gets the public key for every cert that has one, so change it to suite your needs):
((get-childitem cert:\LocalMachine -Recurse) | Where-Object{$_.PublicKey}).GetPublicKey()
This is using PowerShell 3.
Which is the terminal command line equivalent for installing the development certificate (.cer file) without having access to Keychain Access utility?
I have an cloud rented MAC which doesn't offeer me access to the Keychain utility, but I'm allowed to use the terminal.
The key is to use OpenSSL in order to convert the iOS developer certificate file into a PEM certificate file and then to generate a P12 file based on the PEM certificate and the certificate key earlier generated. source
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iOS_dev.p12
Try to see if this works for you :
http://lists.apple.com/archives/apple-cdsa/2010/Mar/msg00021.html
I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in .key file. The code signing has been issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issues.
Now I'm facing the problem of joining the original private key file with the issues certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.
The command I'm trying is:
openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export
However, I'm getting an error message that reads “No certificate matches private key”.
I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get
unable to load certificate
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
What's the correct way of producing an .pfx file from my inputs? I'm using OpenSSL 0.9.8k.
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:
Obtain your new CodeSign.spc certificate from GoDaddy.
Export a PEM-formatted private key from the expired PFX:
openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Convert the PEM-formatted private key into the PVK format:
pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk
Combine the PVK and SPC into PFX:
pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f
Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
Export it from the certificate store into the binary CER format as CodeSign.cer.
Optionally delete the certificate from the Windows certificate store.
In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).
UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to covert it into SPC:
openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc
Sources:
http://www.tech-pro.net/export-to-pvk-spc.html
http://ellisweb.net/2008/08/signing-code-using-pvk-and-spc-files/
http://www.drh-consultancy.demon.co.uk/
https://www.sslshopper.com/ssl-converter.html
http://russenreaktor.wordpress.com/2010/06/10/solved-convert-signing-certificate-crt-to-spc/
The tools you will need:
OpenSSL
pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010
I had the similar issue and I spent at least few hours searching around for a solution. GoDaddy provided me with .spc and .pem file and I couldn't create .pfx file out if it using OpenSSL. Finally, I imported .spc file within my local computer using MMC. Once the certificate was imported in my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself. MMC View
Now, select both files and right click to export as .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and straight forward solution. Hope this post helps many people.
You can create PFX with openssl only.
Export a PEM-formatted private key from the expired PFX:
openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
Create PFX
openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.
For anyone else looking for similar information, here is what I ended up using...
Get the private key:
openssl pkcs12 -in certs-and-key.p12 -out privateKey.key
Get the certificatate:
Beware: This can give you the CA cert
openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys
Better: Use this command to print only the client cert
openssl pkcs12 -in MacCossLabUW.p12 -clcerts
Then copy the output between:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save it to a file named certificate.crt
Now check that the private key and certificate match with the commands:
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5
Then generate a new CSR:
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Use the CSR to Re-Key the certificate.
Download the GoDaddy software publishing certificate (.spc) file.
Verify that the generated certificate matches the request private key:
openssl pkcs7 -inform DER -in certificate.spc -print_certs
Then copy the output between for your certificate (Note: the output will also contain CA certs):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save to a file named certificate-new.crt
And run the command:
openssl x509 -noout -modulus -in certificate-new.crt | openssl md5
The output should match the previous call used with the private key and request certificate.
To finish the process, follow the steps outlined in the answer with pvk2pfx.
I also found the schematic diagram in this post quite helpful:
PVK2PFX Error 0x80070490 - Cannot find certificates that match the key
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:
Generate a private key and CSR using openssl
openssl req -newkey rsa:2048 -keyout private.key -out my.csr
Generate a PVK using the private key with openssl
openssl rsa -in private.key -outform PVK -pvk-strong -out codesign.pvk
Use the CSR in the generation of the code sign certificate on Godaddy
Download the Zip from Godaddy and extract the SPC file (as mentioned by OP)
Use pvk2pfx to combine the PVK and the SPC file into a code sign certificate. This was included in the same SDK (and directory) as signtool itself:
pvk2pfx.exe -pvk codesign.pvk -spc SPC_FILEPATH_HERE -pfx codesign.pfx -pi PVK_PASSWORD -po PFX_PASSWORD
If you generated your certificate request from IIS (I did this on IIS on windows 2012 Server) follow these steps on the server/pc where you generated the request
- Open IIS
- Click on the top level node (Server node)
- Open the Server Certificates settings
- Click on "Complete certificate request" under actions on the right
- Import your spc file to the server.
From here you can then export to a PFX file