I've seen a couple questions about how to convert a PFX to a cert file, but I need to go the other way.
I have two files:
bob_cert.cert
bob_key.pem
I'd like to convert them to a single .pfx file. Is there a tool that does this?
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
I created a .pfx file from .key and .pem files.
Like this:
openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
That's not the direct answer, but maybe it still helps someone else.
Here is how to do this on Windows without third-party tools:
Import the certificate into the certificate store. In Windows Explorer select "Install Certificate" in the context menu.
Follow the wizard and accept the default options "Local User" and "Automatically".
Find your certificate in the certificate store. On Windows 10 run the "Manage User Certificates" MMC. On Windows 2013 the MMC is called "Certificates". On Windows 10 by default your certificate should be under the "Personal"->"Certificates" node.
Export the certificate. In the context menu select "Export...":
Select "Yes, export the private key":
You will see that the .PFX option is enabled in this case:
Specify a password for the private key.
If you have a self-signed certificate generated by makecert.exe on a Windows machine, you will get two files: cert.pvk and cert.cer. These can be converted to a pfx using pvk2pfx.
pvk2pfx is found in the same location as makecert (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x86 or similar)
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx
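The OpenSSL answers above give the one-line export; what they leave out is the check a practitioner would run before bundling (does this key actually belong to this certificate?) and how to supply the password without a prompt. The script below is an added example, not code from any of the answers; it assumes the openssl command-line tool is installed, and the file names and the password are constructed for the demo. Instead of -passout pass:..., it reads the password from the environment (-passin/-passout env:VAR) so the secret does not show up in the process list.

```shell
#!/bin/sh
# Added example: bundle a PEM certificate and its private key into a
# password-protected PKCS#12 (.pfx) file with no prompts, after confirming
# the key really pairs with the certificate. Assumes openssl is installed.
set -eu

# Return 0 if the public key inside CERT equals the public half of KEY.
key_matches_cert() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build OUT from CERT and KEY. The export password comes from the
# environment variable PFX_PASS (env:), so it is not visible in `ps`
# the way -passout pass:... would be.
make_pfx() {
    cert=$1; key=$2; out=$3
    key_matches_cert "$cert" "$key" || {
        echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -inkey "$key" -in "$cert" \
        -passout env:PFX_PASS -out "$out"
}

# Count the certificates stored in a .pfx, non-interactively.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS \
        | grep -c 'BEGIN CERTIFICATE'
}

# Demo with a constructed self-signed pair; prints "ok" on success.
demo_make_pfx() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found" >&2; return 2; }
    dir=$(mktemp -d)
    # constructed throwaway certificate standing in for bob_cert.cert/bob_key.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bob" \
        -keyout "$dir/bob_key.pem" -out "$dir/bob_cert.cert" 2>/dev/null
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    make_pfx "$dir/bob_cert.cert" "$dir/bob_key.pem" "$dir/bob_pfx.pfx"
    n=$(pfx_cert_count "$dir/bob_pfx.pfx")
    rm -rf "$dir"
    [ "$n" -eq 1 ] && echo ok
}

demo_make_pfx
```

If the key and certificate do not match, openssl pkcs12 -export itself refuses with "No certificate matches private key", but checking the public keys first gives a clearer error and works the same way for a chain (-certfile) where several certificates are present.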
I was using the KeyStore Explorer tool to create a server crt and a private key file from my PKCS12 keystore file. The tool is great.
Is there any corresponding keytool commandline equivalent?
NO. keytool has no operations either to write out a private key alone from a keystore or read in a private key alone to a keystore. This is why we get hundreds of questions about the latter, mostly on other Stacks where they are on-topic. For the most recent one I answered, see How to resolve : jno_key_entry
For a PKCS12 keystore, openssl pkcs12 -in file -nocerts will extract the private key, or private keys, in PEM format. By default they are encrypted and you must give a (new) password, but you can use -nodes to get them unencrypted. If there is more than one private key in the keystore, you may need to edit the output to select the desired one (or ones).
For other keystore types, use keytool -importkeystore to convert to PKCS12, then continue as above. If a keystore (of any type) has multiple entries, you can use keytool -importkeystore with -alias to select only the desired entry, and thus not need the editing step above.
I have a Root CA certificate with .cer extension with private key.
I have to export that certificate with the .pem extension, with the private key in base64-encoded format, without using OpenSSL.
I am not able to do this with mmc.
Is there any tool or script available for converting a certificate from pfx to pem format without using OpenSSL on Windows?
Please help me by sharing code or any scripts or commands etc...
Thanks...
You could use the Windows certutil tool to encode a file to Base64. Try this command:
certutil -encode {YOUR_PFX_FILE} {CONVERTED_FILE_NAME}
This command should put the appropriate certificate header too.
I have a need to obtain a thumbprint from a pfx file on the filesystem without being prompted for a password that requires manual input.
I'm running this as part of an installer where the user specifies the path to the certificate on the filesystem (not in the store), and the user specifies the password for the certificate. From that point, I need the thumbprint.
So this is simply a matter of discovering a tool to which I can pass a path and password for a pfx file and get back the thumbprint. I've tried several tools, even OpenSSL compiled for Windows, and it still prompts for the password and gives back a lot more info than just the thumbprint. It needs to be 100% programmatic and without further user intervention.
I'd love to hear any ideas on how to do this. This will be on Windows Server machines only. Thanks!
I found a way to do this - it involves downloading OpenSSL for Windows and using that tool to convert, and using PowerShell to read it out.
Conversion
& openssl pkcs12 -in C:\LocalHost.pfx -out C:\mycertificates.crt -nokeys -clcerts -passin pass:ActualPassword
Read In
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\mycertificates.crt")
$thumbprint = $cert.Thumbprint
write-host $thumbprint
So I had to convert to crt/cer first and then read using X509Certificate2.
When creating a .pfx (PKCS#12) file, the internal storage containers, called "SafeBags", may also be encrypted and signed.
By default, OpenSSL encrypts the certificate along with its private key, which means it is not possible to get its thumbprint without knowing the password.
When creating a new pfx, you can explicitly add -certpbe NONE to avoid encrypting the certificate.
For more details check the -certpbe option in OpenSSL's man page.
I am a newbie to Java security and know pretty much nothing about it. I have an existing jar that was given to me a couple of years ago, which was digitally signed. However, that signature is now expired and I need to sign it again. The client has bought an X.509 certificate from Comodo and Comodo gave him the following 4 files.
1) AddTrustExternalCARoot.crt
2) COMODOCodeSigningCA2.crt
3) UTNAddTrustObject_CA.crt
4) "application_specific_key".crt
I would like to know what the next steps are in order to sign the jar file I have. I have tried doing the following things, but I keep getting an error when I use jarsigner to sign the applet jar:
1) keytool -import -alias AddTrustExternalCARoot -keystore altis.keystore -file AddTrustExternalCARoot.crt
2) keytool -import -alias COMODOCodeSigningCA2 -keystore altis.keystore -file COMODOCodeSigningCA2.crt
3) keytool -import -alias UTNAddTrustObject_CA -keystore altis.keystore -file UTNAddTrustObject_CA.crt
4) keytool -import -alias "application_specific_alias" -keystore altis.keystore -file "application_specific_alias".crt
5) jarsigner "application_jar_file" "application_specific_alias"
jarsigner: Certificate chain not found for: "application_specific_alias". "application_specific_alias" must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
What am I missing?
You need to have the certificate along with the private key in a PKCS12 format.
To get this file you need to follow the link that COMODO provided via e-mail using the SAME COMPUTER and the SAME BROWSER that you used to place the order in the first place.
The certificate will be installed using your browser and you'll be able to export it in the PKCS12 format.
To export the certificate COMODO provides the following guides:
Internet Explorer / Chrome browsers:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/71/0/how-do-i-backup-my-digital-id-certificate-windows-ie
After you have exported the certificate along with the private key in the PKCS12 format you should sign the JAVA applet using the following guide:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/0/signing-jar-files
If your .jar file already has a certificate, you can open it in a compression utility and remove the content from the META-INF folder. Then you can sign the applet.
I've built a dummy app and I'd like to test it on my iPhone. I know that I need to be enrolled in the Apple Developer Program, and I'm in. I don't have a Mac, so I had to rent one from macincloud[dot]com.
At this moment, I need to generate a signing certificate request, but I don't have access to the Keychain Access utility. The guys from macincloud offer access to the terminal, but not to the Keychain utility. I know that I need to use the security tool from the command line, but that's all.
After 6 hours on two different days, I didn't find any tutorial/description about how to use the security tool in order to generate the signing certificate request.
Do you have any idea what I need to do on the command line to generate a signing certificate request?
Run the following in the terminal:
openssl genrsa -out mykey.key 2048
Save this private key file as you will use it later.
Run the following command, replacing the e-mail address, CN (certificate name), and C (country) values with your own:
openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress@example.com/CN=John Doe/C=US"
Now in the iOS Dev Portal, just use the generated CertificateSigningRequest.certSigningRequest.
If you are doing this for Apple Push / APNS, you will also want to know about these 2 additional commands to generate the needed .p12 file:
openssl x509 -in XXXXX.cer -inform DER -out XXXXX.pem -outform PEM
openssl pkcs12 -export -inkey XXXXX.key -in XXXXX.pem -out XXXXX.p12
where XXXXX is your "mykey" value and the XXXXX.cer file is what you download from the Apple portal.
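The key and CSR steps above can be wrapped in a script that also verifies the request before it is uploaded: -subj takes slash-separated components (not commas), openssl req -verify checks the CSR's self-signature, and comparing public keys confirms the CSR was made from the key you intend to keep. This is an added example, not code from the answer; it assumes openssl is installed, and the subject values and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a private key and a certificate signing request
# from the command line (no Keychain Access needed), then verify the CSR.
# Assumes openssl is installed; subject values below are constructed.
set -eu

# Create KEY (2048-bit RSA) and a CSR for it with the given subject fields.
make_csr() {
    key=$1; csr=$2; email=$3; cn=$4; country=$5
    # This key is the secret half of the certificate Apple will return;
    # keep it and restrict its permissions.
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"
    # -subj components are separated by "/", not ","
    openssl req -new -key "$key" -out "$csr" \
        -subj "/emailAddress=$email/CN=$cn/C=$country"
}

# Print the CSR subject after checking its self-signature (-verify).
csr_subject() {
    openssl req -in "$1" -noout -verify -subject 2>&1 | sed -n 's/^subject=//p'
}

# Return 0 when the public key embedded in the CSR is derived from KEY.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo with constructed values; prints the verified CSR subject.
demo_csr() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found" >&2; return 2; }
    dir=$(mktemp -d)
    csr="$dir/CertificateSigningRequest.certSigningRequest"
    make_csr "$dir/mykey.key" "$csr" "dev@example.com" "John Doe" "US"
    csr_matches_key "$csr" "$dir/mykey.key"
    s=$(csr_subject "$csr")
    rm -rf "$dir"
    echo "$s"
}

demo_csr
```

The .certSigningRequest file is the only thing that leaves the machine; mykey.key stays behind and is what the later openssl pkcs12 -export step pairs with the .cer downloaded from the portal.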