Use and utility of .p12 certificate/file - certificate

What is the utility of .p12 file/certificate? I am not getting any correct definition when searching the internet:
In one site I got "it stores server side certificates along with intermediate certificates and private key in one file. Its mostly used in Windows Machine"
In another site I got "it binds a organizations public key with its name."
My question is whether it's the public key or the private key which is included in the .p12 certificate.

The .p12 contains both the private and the public key, and also information about the owner (name, email address, etc.), all being certified by a third party. With such a certificate, a user can identify himself and authenticate himself to any organization trusting the third party.
You should be able to see the content of the p12 file with
openssl pkcs12 -info -in filename.p12
provided openssl is installed in your system.
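To see concretely what this answer describes, the following added example (not from the original post) builds a throwaway key and self-signed certificate, bundles them into a .p12, and counts the private keys and certificates the container yields. The subject name, file names, password and function names are constructed for the demo.

```shell
#!/bin/sh
# Added demo with constructed inputs: a throwaway key and self-signed
# certificate are bundled into a .p12, then the container is inspected.
set -e

# $1 = work dir, $2 = export password (both chosen for this demo)
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=p12-demo.example" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
        -name "demo identity" -passout "pass:$2" -out "$1/demo.p12"
}

# Number of private keys the .p12 yields ($1 = file, $2 = password).
count_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY' || true
}

# Number of certificates the .p12 yields ($1 = file, $2 = password).
count_certificates() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
umask 077                      # key material stays private to this user
make_demo_p12 "$work" "demo-pass"

echo "private keys in demo.p12: $(count_private_keys "$work/demo.p12" demo-pass)"
echo "certificates in demo.p12: $(count_certificates "$work/demo.p12" demo-pass)"
# A bare certificate file (.crt/.cer) carries the public key only.
echo "private keys in demo.crt: $(grep -c 'PRIVATE KEY' "$work/demo.crt" || true)"
```

The last line shows why a .crt or .cer on its own cannot be used for signing: only the .p12 carries the private key alongside the certificate.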

Related

Create private key after CSR creation and p7b generation

I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored in software on the machine where the CSR was created. After the import, the key and the certificate are associated and should be in the Windows certificate store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using OpenSSL.

How to Sign .exe using .crt or .cer file. I ONLY have .crt and .cer files issued by Comodo

I ONLY have a .crt file with me which I purchased from Comodo. No private key or anything. How can I use this to sign my code and get rid of the "publisher unknown" issue in my installer? I have used Inno-Setup for creating the installer too. Code is in C Sharp. I tried to use sign tool and openssl but I don't have any other file than this user.crt file. I can just get .cer format using .crt and that's all. Appreciate any help.
Usually, you need to sign the application from the PC where you registered the Comodo certificate. The private key is saved by your browser in local storage.
You cannot sign files with a public key only.
You need the private key.
If it were possible to sign files with a public key only, anyone could sign malicious content with your public key.

OSX Keychain Access-Generate CSR from existing Private Key for APNS (Apple Push Notification Service)

When you need to create a new certificate for APNS, the Provisioning Portal "wizard" always gives the steps to create a new CSR which means you need to create a new public/private key as well. These can start to get out of control, so is there a way to create a CSR (Code Signing Request) in Keychain Access from an existing Private Key instead of having to create a new one every time?
Thanks
Typically, you can do this by right-clicking an existing private key in Keychain Access and choosing Request a Certificate from a Certificate Authority With "Name Of Your Key".
Unfortunately, this will fail with "The specified item could not be found in Keychain" unless you also have the corresponding public key in your keychain. There's no technical reason for this—a Certificate Signing Request (CSR) can be generated from just a private key—but Keychain Access doesn't understand this.
You have two options.
Export the private key and generate the CSR manually
This is a quick option that will just generate a CSR that you can upload to Apple.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl req -new -key <(openssl pkcs12 -in ~/exported.p12 -nocerts -nodes -passin pass:"") > new.certSigningRequest
See [1] at the end of this post for details about what's going on.
Press Enter for each prompt (Apple doesn't care about these values). When you're finished, you'll have a .certSigningRequest suitable for upload to the Apple Developer Portal. When you download the associated certificate, it will pair up with the original private key.
Delete the exported.p12 file, as it contains private key material.
Recreate the public key so Keychain Access is happy
This option is a longer-term fix that'll let you generate CSRs from the original key straight from Keychain Access. These instructions assume you can't currently use Keychain Access to do so because you're missing the corresponding public version of your private key. You can check for this by going to the "Keys" category in Keychain Access and looking for a "private key" and "public key" with the same name.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl pkcs12 -in ~/exported.p12 -nocerts -nodes | openssl rsa -pubout > public.pem
See [2] at the end of this post for details about what's going on.
Import this public key into Keychain Access using the security tool:
security -v import public.pem -k ~/Library/Keychains/login.keychain
You should see "1 key imported."
Change ~/Library/Keychains/login.keychain if you want to import this to another keychain. (You can see where each keychain lives by going to Edit - Keychain List in Keychain Access).
Open Keychain Access and locate the public key called "Imported Public Key." Double-click it and change its name to be the same thing as your original private key.
Delete exported.p12 and public.pem.
You can now right-click the original private key and choose Request a Certificate from a Certificate Authority With "Name Of Your Key" to generate a CSR.
Explanations
[1] This command, broken down:
openssl req -new                          # Generate a new certificate signing request
  -key                                    # Instead of generating a key, use an existing one
    <(                                    # Put the output of the following command in a temporary file
                                          # (a Bash feature, not specific to OpenSSL)
      openssl pkcs12 -in ~/exported.p12   # Read keys from the specified PKCS12 file
        -nocerts                          # Don't output the certificate contained in the file
        -nodes                            # Output the private key unencrypted
        -passin pass:""                   # The password for the container is blank
    )
  > new.certSigningRequest                # Write the generated CSR to a file
[2] Second command, broken down:
openssl pkcs12 -in ~/exported.p12         # Read keys from the specified PKCS12 file
  -nocerts -nodes                         # Output only the private key, no certificates
  | openssl rsa -pubout                   # Compute the public key from a private key
  > public.pem                            # Write the public key to a file
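An added example, not part of the original answer, that carries the same idea through non-interactively: it creates a CSR from an existing PEM private key (the form `openssl pkcs12 -nocerts -nodes` emits), then confirms that the CSR embeds that key's public half, is signed by it, and does not pair with an unrelated key. The key files, subject name and function names are constructed for the demo.

```shell
#!/bin/sh
# Added demo with constructed keys: a CSR made from an existing private key
# carries the public key derived from that key, and no other.
set -e

# SHA-256 fingerprint of the public key derived from a private key file.
fp_from_key() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public key embedded in a CSR.
fp_from_csr() {
    openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Create a CSR without prompts: $1 = existing key, $2 = CN, $3 = output file.
csr_from_key() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3"; }

# True when the CSR's self-signature verifies (proof the key was held).
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# True when CSR $1 was generated from private key $2.
csr_matches_key() { [ "$(fp_from_csr "$1")" = "$(fp_from_key "$2")" ]; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
umask 077                      # keep the unencrypted demo keys private

for name in existing other; do # two independent, constructed RSA keys
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/$name.key" 2>/dev/null
done

csr="$work/new.certSigningRequest"
csr_from_key "$work/existing.key" "push-demo.example" "$csr"

echo "key fingerprint: $(fp_from_key "$work/existing.key")"
echo "CSR fingerprint: $(fp_from_csr "$csr")"
csr_signature_ok "$csr" && echo "CSR self-signature verifies"
csr_matches_key "$csr" "$work/existing.key" && echo "CSR pairs with existing.key"
csr_matches_key "$csr" "$work/other.key" || echo "CSR does not pair with other.key"
```

The same fingerprint comparison works against an issued certificate by swapping `openssl req -in` for `openssl x509 -in` in `fp_from_csr`.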
When you go into Provisioning Profile to Enable/Configure Push Notifications, the first thing it asks for is a CSR (Code Signing Certificate).
You can generate this with an existing private key from Keychain Access instead of creating a new one.
Just open keychain access and then scroll thru and find a previous PRIVATE KEY (probably called YOUR NAME) and then right-click (two finger click) on it and choose Request A Certificate From A Certificate Authority With "bla bla bla".
I just enter the same email address in both User Email Address and CA Email Address, and choose Saved To Disk.
Then upload that to create your .cer files

The issues of exporting/importing certificate, private key under Keychain Access for iPhone

I want to export the certificate and private key from one machine to another so I can reuse the provisioning profile.
There's a private key under the certificate in keychain access.
1) I exported the certificate as a certificate .cer file, then I imported that from another machine. However, it's missing the private key, and Xcode on the new machine is complaining that no valid signing key is available for the imported provisioning profile.
2) Next I tried to export the certificate and the private key in personal information exchange .p12 format; this time it prompted me to input a password, which I did.
3) I imported the .p12 file into the new machine; this time the new machine complained with an error: cannot read the contents.
So, what should I do to properly export both the certificate and private key and import them into the new machine.
Hope it may help you
In Keychain, select three items: Your private key, public key and the cert from Apple
CMD+Click to select "export 3 items"
and you will export one .cer file. Then double click to import the file without keying any password to protect so.
or you should import cert first and then import both public and private key.
Make sure you also have the Apple Developer Relations Root CA certificate in your keychain. That is what is used to verify the certificate. See in your keychain access whether it has been paired correctly.
With Xcode 5.0+, this has become very simple.
1. On the computer with the developer credentials,
Go to Xcode->Preferences->Accounts.
Click on the gears to export the profile. Choose a password as it includes all your credentials of apple-developer program.
2. Share the exported file with the new computer.
3. Import the profile in your Xcode->preferences->Accounts.

Import public key from trusted root CA to PKCS12 key store

How do I import a public key from trusted root CA to PKCS12 key store?
Is this possible at all or am I getting the idea of this whole thing wrong?
A PKCS#12 file can contain various objects, but usually it contains certificates and private keys. A certificate is a container for a public key and other things, including a signature.
A root CA is often represented as a certificate (with a dummy signature, traditionally a self-signature). What makes such a certificate a "root CA" is a programmatic property, in which an application or an operating system declares: "in this certificate I trust".
It is possible to store a root CA certificate in a PKCS#12 file. What cannot be done is to store it as a "root": the certificate goes in the file, not the property which declares that the certificate is to be trusted ex nihilo. In more detail, PKCS#12 is an open format, but if you want to store something in a PKCS#12 file and have it read properly on the other end, then there must exist some sort of convention on how the object bits are to be interpreted. Such a convention does not exist (yet) for PKCS#12 files and trust settings.
You do not state which language you are using; I am assuming Java. In Java, there is a KeyStore class, obtained with a given "type", one of them being "pkcs12". You may then find, in the JCA documentation (in "Key Management"), the following:
"As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates."
which says it all.