What does "signing a certificate with another certificate" mean? - security

I am actually reading about certificates and certificate chains. I understand that a certificate is a piece of data which is signed by the private key of an entity and can only be decrypted by using the public key of the given entity (e.g. the root CA).
However, I came across several places where it reads that a "certificate signs another certificate" (example: Microsoft IoT Edge: https://learn.microsoft.com/en-us/azure/iot-edge/iot-edge-certs?view=iotedge-2018-06)
I struggle to understand what this exactly means technically. What happens when I "sign a certificate with another certificate"? For example, if I create an intermediate certificate and sign it with the root CA's certificate, which private key is used? Is this key somehow part of the root CA's certificate (don't think so)? So what private / public keys are used if one says "this certificate signs another certificate"?

When a piece of text says signing with a certificate, it actually means signing with the private key associated with the public key stored in the certificate. The latter is rather a mouthful though, so the former is used.
So in your case, the intermediate CA's certificate is signed by the private key of the Root CA. This Root CA private key was generated along with the Root CA public key when the CA was stood up. The private key is kept (extremely) private, while the public key is shared within the Root CA's certificate.
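An added example, not part of the answer above, that makes the point concrete with the openssl CLI: a root, an intermediate and a leaf are built in a temporary directory, the intermediate is "signed with the root certificate" by passing the root's private key as -CAkey, and a second function shows that pairing the root certificate with a key that is not its private half is refused. The names (Example Root CA, server.example.test) and file names are made up for the demonstration; the openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): a two-level chain built with the
# openssl CLI, showing that "signing the intermediate with the root certificate"
# means producing the signature with the root's private key. All names
# (Example Root CA, file names) are made up for the demonstration.
set -eu

# Builds root -> intermediate -> leaf in a temp dir and verifies the chain.
# Returns 0 when every verification succeeds.
build_chain() (
    work=$(mktemp -d)
    cd "$work"

    # 1. Root CA: a fresh key pair; the self-signed root.crt carries the public half.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Example Root CA" -days 3650 2>/dev/null

    # 2. Intermediate: its own key pair plus a CSR (public key + name, no private key).
    openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null

    # 3. "Sign with the root certificate": -CAkey does the signing; -CA only supplies
    #    the issuer name and the public key openssl uses to confirm the pair matches.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 1825 -out int.crt 2>/dev/null

    # 4. A leaf issued the same way, this time with the intermediate's private key.
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=server.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -out leaf.crt 2>/dev/null

    # 5. Verification walks the chain using only the public keys inside the certificates.
    openssl verify -CAfile root.crt int.crt >/dev/null
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null

    # 6. The intermediate's Issuer equals the root's Subject; that name is the only
    #    link stored in the certificate itself. The signing key is never in it.
    issuer=$(openssl x509 -in int.crt -noout -issuer)
    subject=$(openssl x509 -in root.crt -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
)

# Shows that a certificate cannot sign on its own: root.crt paired with a key that is
# not its private half is rejected. Exits 0 when openssl refuses to sign.
wrong_key_is_rejected() (
    work=$(mktemp -d)
    cd "$work"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Example Root CA" -days 3650 2>/dev/null
    # An unrelated key pair, standing in for "I have the root cert but not its key".
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
    openssl req -new -key other.key -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
    # The public key in root.crt does not match other.key, so openssl stops with
    # "CA certificate and CA private key do not match".
    if openssl x509 -req -in int.csr -CA root.crt -CAkey other.key -CAcreateserial \
           -out int.crt 2>/dev/null; then
        exit 1
    fi
    exit 0
)
```

Run `build_chain && wrong_key_is_rejected && echo ok` after sourcing the file. The negative case is the one worth remembering: anyone can download a CA's certificate, and it is the matching private key, never the certificate, that lets a CA issue.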

Related

IIS: SSL certificate request and private key exportable

I'm writing to ask this question: when a new wildcard SSL certificate request is made from IIS (wizard), is the "private key exportable" option enabled? Because once installed, I need to export the new certificate together with the private key.
Thank you,
Luca
If you need to export the key (to install the same cert on another server, for example) you need to mark the private key as exportable. Otherwise that certificate won't work on any other machine (as the key will be different). I do not think it's a best practice, though.
I found a more secure way:
Generate the CSR and private key file by using openssl
Submit the CSR to public CA
Convert the certificate issued by public CA from CRT to PFX (containing the private key - not marked as exportable)
Bye,
Luca

How to generate certificate request and private key files (.pem extension) from certificate file (.crt extension)

I have a .crt file. Opening up that file, I see that it starts with
-----BEGIN CERTIFICATE-----
From this file, how do I generate these 2 files?:
Certificate request file that starts with -----BEGIN CERTIFICATE REQUEST-----
Key file that starts with -----BEGIN PRIVATE KEY-----
You cannot.
You have the process backwards.
The order is:
Generate a key; that is in fact a public and a private part. This creates the "PRIVATE KEY" file.
Generate a CSR, that is, a certificate signing request. This is computed based on the private key, without including it. But it includes your public key and other metadata.
Give this CSR to a Certificate Authority, which will in turn give you back a certificate, that is, something that includes your public key but that is also signed by the CA's private key.
After which the CSR can be discarded.
If anyone could derive the private key from the certificate (which is basically the public key) then X.509 certificates would create no security by authentication as anyone would be able to impersonate any host/user/application.

NodeJS: HTTPS Server error w/ host key (wrong tag?)

I am receiving an error when the https server starts, something along the lines of:
Error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
I may be completely going about this the wrong way. I need to get an SSL cert from a 3rd party CA. This CA requires that I give them a Certificate Signing Request (CSR) that I have generated.
I generated a CSR using certreq.exe on Windows and provided the CSR to them. They provided the public key cert in response.
Here's where I'm a little confused. The https server has a key and cert property. As I understand, cert is for the public key (from the CA) and key is for the private key. Where's this private key??
After some googling, it appears that certreq.exe will create a key pair in the windows cert store when the CSR is generated. I exported the PFX, used openssl to extract the private key, and decrypted the key so that it was in a format that had "--BEGIN RSA PRIVATE KEY.. etc". The key looks fine to me. It's formatted the same way my previous self-signed certs were formatted which worked fine.
I used this private key for the https key property and received that asn1 wrong tag error. Am I going about getting the private key the wrong way? Or is the error something else?

Creating a Digital Certificate without signing it

I have created a key-pair and now I want to bind my public key with an email id (create a digital certificate). I do not want to do the next step of signing the certificate.
Question: How can I create the digital certificate (hence bind the public key with the identity) and not really sign it for now ? (Using OpenSSL for the same would be fine).
My understanding:
Digital certificate is just packaging the public key with an identity.
Digital signature is a CA assuring/signing the certificate and embedding the signature in the certificate file.
Or is my understanding all wrong ?
A signature is a required part of a certificate. You may instead create a so-called self-signed certificate, signed by your own key.
If I got your question right, you want to prepare a certificate and stop the process before the actual signing by a CA would happen ...
The thing you are looking for is a so-called certificate request ...
Have a look at the "openssl req" command ... for examples see http://www.openssl.org/docs/apps/req.html (the examples section shows generating a new request).
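An added example, not part of either the answer to the .crt question above or the two answers here, that walks the key -> CSR -> certificate order with the openssl CLI. It shows what each artefact contains: the key file holds the private half, the CSR embeds the public key and the subject and is itself signed by the requester's private key (proof of possession, which `openssl req -verify` checks), and the certificate, here self-signed because no CA is involved, carries the same public key and no private material. The subject (alice@example.test) and file names are made up; the openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answers above): the key -> CSR -> certificate order
# with the openssl CLI, showing what each artefact contains. The subject and the
# file names are made up for the demonstration.
set -eu

# Exits 0 if all three files carry the same public key and neither the CSR nor the
# certificate carries the private key.
key_csr_cert_order() (
    work=$(mktemp -d)
    cd "$work"

    # Step 1: the key pair. The PEM file holds both halves (PKCS#8 "PRIVATE KEY").
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null

    # Step 2: the CSR. It embeds the public key and the subject, and is signed with
    # the private key as proof of possession, which 'req -verify' checks.
    openssl req -new -key key.pem -out request.csr -subj "/CN=alice@example.test" 2>/dev/null
    openssl req -in request.csr -noout -verify >/dev/null 2>&1

    # Step 3: a CA signs the CSR. With no CA available, the same key signs its own
    # request, giving the self-signed certificate the first answer mentions.
    openssl x509 -req -in request.csr -signkey key.pem -days 365 -out cert.pem 2>/dev/null

    # The same public key appears at every stage: compare DER SubjectPublicKeyInfo hashes.
    k=$(openssl pkey -in key.pem -pubout -outform DER | openssl sha256)
    r=$(openssl req -in request.csr -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    c=$(openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$r" ] || exit 1
    [ "$r" = "$c" ] || exit 1

    # Only key.pem carries private material; the CSR and the certificate never do,
    # which is why neither can be turned back into a key file.
    if grep -q 'PRIVATE KEY' request.csr || grep -q 'PRIVATE KEY' cert.pem; then
        exit 1
    fi
    grep -q 'BEGIN PRIVATE KEY' key.pem
)
```

Run `key_csr_cert_order && echo ok`. Swapping `-signkey key.pem` for `-CA ca.crt -CAkey ca.key` is the only change needed to have a real CA issue the certificate from the same CSR.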

What is the difference between a cer, pvk, and pfx file?

What is the difference between a cer, pvk, and pfx file? Also, which files do I keep and which am I expected to give to my counter-parties?
Windows uses the .cer extension for an X.509 certificate. These can be in "binary" (ASN.1 DER), or they can be encoded with Base-64 and have a header and footer applied (PEM); Windows will recognize either. To verify the integrity of a certificate, you have to check its signature using the issuer's public key... which is, in turn, in another certificate.
Windows uses .pfx for a PKCS #12 file. This file can contain a variety of cryptographic information, including certificates, certificate chains, root authority certificates, and private keys. Its contents can be cryptographically protected (with passwords) to keep private keys private and preserve the integrity of root certificates.
Windows uses .pvk for a private key file. I'm not sure what standard (if any) Windows follows for these. Hopefully they are PKCS #8 encoded keys. Emmanuel Bourg reports that these are a proprietary format. Some documentation is available.
You should never disclose your private key. These are contained in .pfx and .pvk files.
Generally, you only exchange your certificate (.cer) and the certificates of any intermediate issuers (i.e., the certificates of all of your CAs, except the root CA) with other parties.
Here are my personal, super-condensed notes, as far as this subject pertains to me currently, for anyone who's interested:
Both PKCS12 and PEM can store entire cert chains: public keys, private keys, and root (CA) certs.
.pfx == .p12 == "PKCS12"
fully encrypted
.pem == .cer == .cert == "PEM" (or maybe not... could be binary... see comments...)
base-64 (string) encoded X509 cert (binary) with a header and footer
base-64 is basically just a string of "A-Za-z0-9+/" used to represent 0-63, 6 bits of binary at a time, in sequence, sometimes with 1 or 2 "=" characters at the very end when there are leftovers ("=" being "filler/junk/ignore/throw away" characters)
the header and footer is something like "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----"
Windows recognizes .cer and .cert as cert files
.jks == "Java Key Store"
just a Java-specific file format which the API uses
.p12 and .pfx files can also be used with the JKS API
"Trust Stores" contain public, trusted, root (CA) certs, whereas "Identity/Key Stores" contain private, identity certs; file-wise, however, they are the same.
On the Windows platform, these file types are used for certificate information. Normally used for SSL certificates and Public Key Infrastructure (X.509).
CER files:
A CER file is used to store an X.509 certificate. Normally used for SSL certification to verify and identify web server security. The file contains information about the certificate owner and the public key. A CER file can be in binary (ASN.1 DER) or encoded with Base-64 with header and footer included (PEM); Windows will recognize either of these layouts.
PVK files:
Stands for Private Key. Windows uses PVK files to store private keys for code signing in various Microsoft products. PVK is proprietary format.
PFX files
Personal Exchange Format, is a PKCS12 file. This contains a variety of cryptographic information, such as certificates, root authority certificates, certificate chains and private keys. It’s cryptographically protected with passwords to keep private keys private and preserve the integrity of the root certificates. The PFX file is also used in various Microsoft products, such as IIS.
For more information visit: Certificate Files: .Cer x .Pvk x .Pfx
I actually came across something like this not too long ago... check it out over on msdn (see the first answer)
in summary:
.cer - certificate stored in the X.509 standard format. This certificate contains information about the certificate's owner... along with public and private keys.
.pvk - files are used to store private keys for code signing. You can also create a certificate based on .pvk private key file.
.pfx - stands for personal exchange format. It is used to exchange public and private objects in a single file. A pfx file can be created from .cer file. Can also be used to create a Software Publisher Certificate.
I summarized the info from the page based on the suggestion from the comments.
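An added example, not from any of the answers above nor from Luca's IIS procedure earlier on this page, that exercises the two file types the answers describe with the openssl CLI: the same certificate written as PEM and as DER (both of which a .cer may hold) decodes to one certificate with no private material in it, and Luca's last step, packing certificate and private key into a password-protected PKCS#12 (.pfx/.p12), is shown together with reading the bundle back, which fails with the wrong password and otherwise yields either the certificate alone or the key. The subject (server.example.test), the password and the file names are made up; the openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the answers above): .cer as PEM or DER, and a PKCS#12
# (.pfx) bundle round trip, using the openssl CLI. The subject, the password and
# the file names are made up for the demonstration.
set -eu

# Self-signed "server" certificate and key in $1, standing in for a CA-issued one.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.pem" -subj "/CN=server.example.test" -days 365 2>/dev/null
}

# A .cer may be PEM or DER; both decode to the identical certificate (same
# fingerprint). Exits 0 if the encodings match and the PEM holds no private key.
pem_and_der_are_same_cert() (
    work=$(mktemp -d); make_identity "$work"; cd "$work"
    openssl x509 -in server.pem -outform DER -out server.cer
    fp_pem=$(openssl x509 -in server.pem -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in server.cer -inform DER -noout -fingerprint -sha256)
    [ "$fp_pem" = "$fp_der" ] || exit 1
    # PEM is the DER bytes in Base-64 between the header and footer lines.
    head -1 server.pem | grep -q -- '-----BEGIN CERTIFICATE-----' || exit 1
    # A certificate file never carries the private half of the key.
    if grep -q 'PRIVATE KEY' server.pem; then exit 1; fi
    exit 0
)

# Bundle certificate and key into a PFX, then read it back. Exits 0 when the wrong
# password is refused and the right one returns the same cert and matching key.
pfx_round_trip() (
    work=$(mktemp -d); make_identity "$work"; cd "$work"
    pass='correct horse'   # constructed for the example, not a real secret
    openssl pkcs12 -export -in server.pem -inkey server.key -name "server" \
        -out server.pfx -passout "pass:$pass"
    # Wrong password: the integrity MAC fails and nothing is extracted.
    if openssl pkcs12 -in server.pfx -nokeys -passin 'pass:wrong' >/dev/null 2>&1; then
        exit 1
    fi
    # Right password: certificate only (what you hand to a counter-party)...
    openssl pkcs12 -in server.pfx -nokeys -clcerts -passin "pass:$pass" -out cert_only.pem
    # ...or the private key, written unencrypted here for comparison only.
    openssl pkcs12 -in server.pfx -nocerts -nodes -passin "pass:$pass" -out key_out.pem
    fp_in=$(openssl x509 -in server.pem -noout -fingerprint -sha256)
    fp_out=$(openssl x509 -in cert_only.pem -noout -fingerprint -sha256)
    [ "$fp_in" = "$fp_out" ] || exit 1
    # The recovered key's public half matches the original key's public half.
    k_in=$(openssl pkey -in server.key -pubout | openssl sha256)
    k_out=$(openssl pkey -in key_out.pem -pubout | openssl sha256)
    [ "$k_in" = "$k_out" ]
)
```

Run `pem_and_der_are_same_cert && pfx_round_trip && echo ok`. Of the files produced, only server.key, server.pfx and key_out.pem contain the private key; server.pem, server.cer and cert_only.pem are safe to distribute.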
