DocuSign JWT Authentication .p12 needed instead of PEM - docusignapi

I am trying to work with DocuSign JWT.
The environment where I develop only supports .p12 files. DocuSign offers me a PEM file. Is there a way to convert the .pem into a .p12, or even better, to generate a .p12 directly from DocuSign?
When trying to convert it to a .p12 I need the certificates. Can anybody help me with where I can get the corresponding / matching certificates? I am completely lost.
Thanks!
BR
Martin

Procedure
Go to https://www.openssl.org/community/binaries.html
Download and install version 1.0.1p.
Run the following command format from the OpenSSL installation bin folder.
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root
(original source)
However, you only need the private key to get a token using JWT.
.p12 files include both.
If you can extract the private key from them, you can use it. DocuSign doesn't provide
SDK support to work with a .p12 file, but there are things on the web you can look into:
https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/
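The gap in the thread is the "matching certificate" the asker could not find: DocuSign hands out only a private key, and nothing in the JWT flow checks a certificate, so any certificate minted over that key satisfies the PKCS#12 container. The script below is an added example, not code from the answer above or from DocuSign: it generates a stand-in key, mints a self-signed placeholder certificate for it, bundles both into a .p12, pulls the key back out with -nodes, and proves the extracted key is the original by comparing public-key digests. File names, the subject and the password are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer or from DocuSign.
# Wraps a bare PEM private key (the only thing DocuSign gives you) in a .p12
# by minting a self-signed placeholder certificate for it, then proves the key
# extracted from the .p12 is the original key. File names, the subject and the
# password are assumptions for the demo; the key itself is generated here
# rather than downloaded.
set -eu
WORK="$(mktemp -d)"
# Minimal req config so `openssl req -subj` also works on OpenSSL 1.1 builds
# that insist on a distinguished_name section.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed stand-in for the DocuSign RSA private key.
make_demo_key() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}

# Step 1: no CA is involved in JWT signing, so any certificate over this key
# will do as the "matching certificate" the PKCS#12 format insists on.
# Step 2: bundle certificate and key into a password-protected .p12.
build_p12_from_key() {
    key="$1"; out="$2"; pass="$3"
    openssl req -new -x509 -key "$key" -days 365 -config "$WORK/req.cnf" \
        -subj "/CN=docusign-jwt-placeholder" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$key" \
        -out "$out" -passout "pass:$pass"
}

# Pull the key back out unencrypted (-nodes) so a JWT library can load it;
# without -nodes the key is re-wrapped with the .p12 password.
extract_key_from_p12() {
    p12="$1"; pass="$2"; out="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out" 2>/dev/null
}

# Two key files match when their public keys match; compare a digest of the
# DER-encoded public key rather than eyeballing PEM text.
keys_match() {
    a="$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)"
    b="$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)"
    [ "$a" = "$b" ]
}

make_demo_key
build_p12_from_key "$WORK/key.pem" "$WORK/docusign.p12" demo-pass
extract_key_from_p12 "$WORK/docusign.p12" demo-pass "$WORK/roundtrip.pem"
if keys_match "$WORK/key.pem" "$WORK/roundtrip.pem"; then
    echo "key round-trips through $WORK/docusign.p12: OK"
fi
```

The keys_match check is the one worth keeping: when a .p12 and a PEM disagree on which key they hold, the JWT request fails with an opaque signature error, and comparing public-key digests is the quickest way to catch that before calling DocuSign.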

Related

Azure cannot access certificate PrivateKey "Invalid provider type specified"

We have an Azure Function (.NET 4.7.2) running for a year that sends messages to a webservice using a client certificate. This certificate has to be renewed, but now that we have done that we are getting this exception when sending a message:
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Azure has problems reading the private key and the problem seems to be exporting it from my local machine. Could this problem originate from the original CSR? The previous certificate still works fine, as long as it's valid. Note that I can send messages using the new certificate from my local machine.
Things I have tried:
Using all combinations of MMC settings to export the .pfx file
Using the answer in https://stackoverflow.com/a/34103154/6033193 to convert the cert key to the RSA format and upload the new resulting .pfx
Using CertUtil.exe -store -user my to compare the new and the old certificate. They both have Provider Microsoft Enhanced Cryptographic Provider v1.0 and, apart from the hashes and names, look the same.
Removing Azure Key Vault from the setup and uploading the pfx directly to the app service
Reading the .pfx from a local folder and using it like this: new X509Certificate2(certByes, "password", X509KeyStorageFlags.PersistKeySet);. This works so something seems to be going wrong when uploading the .pfx file to the Azure portal.
Any more things I can try?
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption because the Bag Attributes contained no LocalKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First export the .key and the public .pem part from the .pfx file:
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it's encrypted it will ask for your password after each command.
Then convert it back to a .pfx, specifying the provider:
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password and the new .pfx should be good to go!
Optionally, if you want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for Microsoft CSP Name: Microsoft Platform Crypto Provider right above that.
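The answer above verifies the CSP by opening the PEM and reading the bag attributes by eye. As an added example (not the answer's own code) the script below runs the same split-and-re-export procedure on a throwaway self-signed certificate and then reads the "Microsoft CSP Name" attribute back with openssl and sed, so the check can sit in a build step. The certificate, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer. It re-exports a .pfx so the
# key bag carries the "Microsoft CSP Name" attribute, then reads that attribute
# back with openssl instead of opening the PEM by hand. The certificate, file
# names and password are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
PASS=demo-pass
CSP="Microsoft Platform Crypto Provider"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed stand-in for the renewed certificate: a throwaway self-signed one,
# exported without any CSP attribute (as a plain MMC/openssl export would be).
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo" \
        -config "$WORK/req.cnf" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/original.pfx" -passout "pass:$PASS"
}

# The answer's procedure: split the .pfx into cert and key, rebuild with -CSP.
reexport_with_csp() {
    in_pfx="$1"; out_pfx="$2"; csp="$3"
    openssl pkcs12 -in "$in_pfx" -passin "pass:$PASS" -nokeys \
        -out "$WORK/publicpart.pem" 2>/dev/null
    openssl pkcs12 -in "$in_pfx" -passin "pass:$PASS" -nocerts -nodes \
        -out "$WORK/privatekey.key" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/publicpart.pem" -inkey "$WORK/privatekey.key" \
        -out "$out_pfx" -passout "pass:$PASS" -CSP "$csp"
    rm -f "$WORK/privatekey.key"   # do not leave the unencrypted key on disk
}

# The CSP name recorded on the key bag, or nothing if the bag has none.
pfx_csp_name() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | sed -n 's/^ *Microsoft CSP Name: //p'
}

make_demo_pfx
reexport_with_csp "$WORK/original.pfx" "$WORK/newCSP.pfx" "$CSP"
echo "CSP on original:  '$(pfx_csp_name "$WORK/original.pfx")'"
echo "CSP on re-export: '$(pfx_csp_name "$WORK/newCSP.pfx")'"
```

The intermediate privatekey.key is the unencrypted private key; the script deletes it as soon as the new .pfx exists, which is worth doing by hand too when following the answer's steps.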

Can't add public key for use with Graph API

I currently have an application set up in my Azure Registered Apps, and I'm unable to add my public key under 'Certificates & Secrets'. I tried generating a key like this, and the resulting public (or private, for that matter) key (.pem) was unable to be added to the app. I'm using this key for some work with JWTs, so I thought that maybe I'd need a slightly different format, so I tried making a pair like this as well. Still no luck.
The only way I was able to get some form of credential added to the app was actually creating & self-signing a .crt with the previously generated keypair, that is the only case where Azure has not complained about me adding a credential.
Trying to add anything else, even the public .pem, which it says IS a supported filetype, gives this error:
Failed to add certificate. Error detail: Upload a certificate (public key) with one of the following file types: .cer, .pem, .crt [8jpdkHO8jJ6PaePjw7NvbJ]
Having the .crt uploaded simply won't suffice; the fingerprint on my private key that I'm using with jwt.decode() isn't matching up with what is registered on Azure, causing errors.
I don't use Stack Overflow often, so I'm not sure on etiquette and whether re-posting after your answer has been deleted is OK. Either way, I've fixed it up and added the actual steps, rather than just linking to them.
Following the certificate generation instructions here allowed me to upload the public key.
The steps are as follows:
Generate Certificate
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout key.pem -out cert.pem
Grab Thumbprint
echo $(openssl x509 -in cert.pem -fingerprint -noout) | sed 's/.*Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
You should then have a certificate azure will allow you to upload, as well as the thumbprint to use in any requests.
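The thumbprint pipeline above depends on xxd and on the exact text openssl prints before the "=" (its case differs between OpenSSL releases). As an added example (not the answer's own code), the script below computes the same value from the DER certificate with openssl alone, and also produces the base64url form that an Azure AD client-assertion JWT carries in its "x5t" header (the SHA-1 thumbprint of the certificate, base64url-encoded without padding). The certificate is a constructed self-signed stand-in and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not the original answer's code. Computes the certificate
# thumbprint Azure AD expects in a client-assertion JWT header: "x5t" is the
# base64url-encoded SHA-1 of the DER certificate. Uses only openssl, so it does
# not depend on xxd or on the case of "SHA1 Fingerprint=". Paths are
# assumptions for the demo.
set -eu
WORK="$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed throwaway self-signed certificate standing in for cert.pem.
make_demo_cert() {
    openssl req -x509 -days 30 -newkey rsa:2048 -nodes -subj "/CN=graph-demo" \
        -config "$WORK/req.cnf" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Standard base64 of the raw SHA-1 digest of the DER certificate (the same
# bytes the portal shows in hex as the Thumbprint).
thumbprint_b64() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | openssl base64
}

# base64url form for the JWT "x5t" header: '+'->'-', '/'->'_', no '=' padding.
thumbprint_x5t() {
    thumbprint_b64 "$1" | tr '+/' '-_' | tr -d '=\n'
}

# Upper-case hex with the colons stripped, for comparing with the portal or
# with certutil.
thumbprint_hex() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary \
        | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Cross-check: the hex form must equal what `openssl x509 -fingerprint` prints,
# whichever label that release puts before the "=".
fingerprint_matches() {
    fp="$(openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g')"
    [ "$fp" = "$(thumbprint_hex "$1")" ]
}

make_demo_cert
echo "hex: $(thumbprint_hex "$WORK/cert.pem")"
echo "x5t: $(thumbprint_x5t "$WORK/cert.pem")"
```

If the value in the JWT header does not match the thumbprint shown under Certificates & Secrets, the request fails with a signature error; comparing thumbprint_hex against the portal before signing anything saves a round trip.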

Trying to create a password-protected PFX file results in openssl error: "

Background
We have MS Azure cloud hosting
Purchased a wildcard SSL certificate for my domain from a 3rd party (not Microsoft)
Created a CSR file + private key file
Used these & have been issued x509 and PKCS7 certs from SSL issuer
Azure requires a PFX file, so have been attempting to follow the ssl.com tutorial here: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
Issue
Running the openssl command in terminal on my local machine (breaks inserted for readability)
openssl pkcs12 -export -out certificate.pfx -password pass:somepassword
-inkey domain.key -in certificate.crt
I receive the following error:
140735704675208:error:0906D06C:PEM routines:PEM_read_bio:no start line
:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704:
Expecting: ANY PRIVATE KEY
But I've supplied the key? I'm confused. I'm an SSL beginner when it comes to Azure. What am I doing wrong?
Note, I included the -password parameter because MS Azure expects PFX files to be password protected. This is not optional: they HAVE to be protected.
EDIT
Having regenerated a CSR & key using OpenSSL, I get a new error that the key file isn't valid. To ensure I'm not missing something obvious:
What do I do with the X509?
What do I do with the PKCS7?
Got bored messing about with openssl and the terminal, so I found a GUI to do it. Steps:
Copy X509 contents, paste into code editor, save as cert.pem
Copy private key, paste into code editor, save as private.key
Go to https://help.configuressl.com/ssl-tools/ssl-converter/, upload both
Set password
Export as PFX
This generates a password protected PFX which can then be uploaded to Azure.

How to convert from a separate .crt/.p7b file to a .pfx file

I have a problem installing an SSL certificate in IIS 7.
I downloaded the SSL certificate from GoDaddy. I got a zip file containing two certificate files, a .crt and a .p7b.
I tried to install the SSL certificate using Complete Certificate Request in IIS. After I installed it, I refreshed the server. When I checked the certificate I installed, it had disappeared from the certificate list.
I followed the instructions from the GoDaddy support link.
I tried many ways to install the certificates, but after a refresh it is gone.
I found that a certificate can be imported using Import under Actions in IIS, but that needs a .pfx file.
I would like to know how I can convert the two certificates (.crt and .p7b) to a .pfx file.
Actually, I am not familiar with SSL. So, I appreciate your help. Thanks.
You may not be able to convert/export a .crt/.p7b file to a .pfx as it doesn't contain the private key.
Create a new CSR using DigiCert Utility (http://www.digicert.com). Have your CA issue the domain cert again with the new CSR.
Then import the .crt file in the utility to enable the option of exporting a PFX file (which includes both the domain cert and the private key).
openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt -certfile Example-CA-BUNDLE.crt
A PEM encoded cert and private key can be combined into PKCS12 easily with OpenSSL on the command line.
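Both of the last two questions come down to feeding `openssl pkcs12 -export` the right files: the "no start line ... Expecting: ANY PRIVATE KEY" error means whatever was passed to -inkey is not a PEM private key (a CSR, a .p7b or a certificate instead of the key, or a key whose -----BEGIN lines were lost), and the GoDaddy zip contains no key at all because the key never left the machine that made the CSR. The script below is an added example, not code from either answer: it classifies each input file by actually parsing it, expands a .p7b bundle into the PEM chain that -certfile expects, and refuses to build the .pfx unless the -inkey file really is a private key. The CA, leaf certificate, CSR and .p7b are generated here as constructed stand-ins for a vendor's files.

```shell
#!/bin/sh
# Added example, not code from either answer above. Classifies the files a CA
# hands back before they go into `openssl pkcs12 -export`, expands the .p7b
# into a PEM chain, and builds the .pfx from the leaf .crt, its key and that
# chain. The CA, leaf, CSR and bundle are generated here as stand-ins for the
# vendor's files; names and the password are assumptions for the demo.
set -eu
WORK="$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Report what a file really holds: encrypted-key, key, cert, cert-der, csr,
# pkcs7, pkcs7-der or unknown. Each probe parses with -noout and never prompts.
classify() {
    f="$1"
    if grep -Eq 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted-key
    elif openssl pkey -in "$f" -noout </dev/null 2>/dev/null; then echo key
    elif openssl x509 -in "$f" -noout 2>/dev/null; then echo cert
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then echo cert-der
    elif openssl req -in "$f" -noout 2>/dev/null; then echo csr
    elif openssl pkcs7 -in "$f" -noout 2>/dev/null; then echo pkcs7
    elif openssl pkcs7 -inform DER -in "$f" -noout 2>/dev/null; then echo pkcs7-der
    else echo unknown
    fi
}

# Expand a PKCS#7 bundle (.p7b, PEM or DER) into the PEM chain -certfile wants.
p7b_to_chain() {
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null \
        || openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# The .pfx IIS/Azure want: leaf cert, its private key, the chain, a password.
build_pfx() {
    crt="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
    kind="$(classify "$key")"
    if [ "$kind" != key ]; then
        echo "refusing: $key is '$kind', not a PEM private key" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
        -out "$out" -passout "pass:$pass"
}

# Constructed inputs: a private CA, a leaf issued from it, and a .p7b bundle
# holding the CA certificate (the shape of a vendor's "intermediate bundle").
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -config "$WORK/req.cnf" -keyout "$WORK/domain.key" -out "$WORK/domain.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/domain.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/domain.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.crt" -out "$WORK/bundle.p7b"
}

make_demo_files
for f in domain.key domain.crt domain.csr bundle.p7b; do
    echo "$f: $(classify "$WORK/$f")"
done
p7b_to_chain "$WORK/bundle.p7b" "$WORK/chain.pem"
build_pfx "$WORK/domain.crt" "$WORK/domain.key" "$WORK/chain.pem" \
    "$WORK/certificate.pfx" somepassword
echo "wrote $WORK/certificate.pfx"
```

Running classify over the files in the vendor's zip is the first thing to do when -export fails: if none of them comes back as "key", no amount of conversion will produce a .pfx, and the fix is the one in the answer above (generate a new CSR and key on a machine you control and have the certificate reissued).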

Is a service account the right credentials for querying google bigquery in node.js?

I have created a service account in the Google API Console, downloaded the .p12 file, and now I am trying to use https://github.com/hokaccha/node-jwt-simple to sign the request for a token.
Where/how should I get the 'secret' for signing it with HS256?
It turned out to be a problem with the openssl command I was using. In case anybody runs into the same issue, make sure to use the "-nodes" parameter like so:
openssl pkcs12 -in file.p12 -out file.pem -nodes
Then just pass the content of the .pem file as the key for signing the token.
Good luck!
