Urgent SSL Help Needed! PEM file to PFX for IIS 7

I still can't seem to get anywhere with this.  I assume this is not too uncommon of a scenario.

some background:
1) From IIS7 I generated and sent two CSRs to a 3rd party CA to sign for me
2) CA returned the files in .PEM format and told me that I'd need to convert them for IIS.
3) I see the two requests when using MMC and adding a Snap-In to > Certificates (Local Computer) > Certificate Enrollment Requests
4) So for each one, I right clicked > selected Export... > Yes, export the private key > checked Include all certificates in the certification path if possible > completed remaining steps
5) Saved the newly created .PFX files
6) I installed OpenSSL, as I keep reading that this tool will get the job done
7) I ran the below OpenSSL command to see what I'd get in return:

openssl pkcs12 -export -in server_sign.pem -inkey serverweb1.pfx -out server_sign.pfx -name "WEB01 Server Certificate"

server_sign.pem = the file sent back to me by the CA
serverweb1.pfx = the exported key (step 4 & 5 above)
server_sign.pfx = the desired output file in .PFX format

Will not work!  I get "unable to load private key" command line error.

I am so at a loss with this.


sk1922 Asked:
B H Commented:
right, it seems like they issued it but it was never signed by a real trusted CA... you might trust the issuer personally, but the world doesn't trust them by default (thawte, godaddy, starfield, verisign, etc).  you can install THEIR signing certificate as an enterprise trust, and that might work, but a 2-year SSL cert from a trusted CA is only like $40, might be easier to make a new one (or find out from the issuer what they did)
 
B H Commented:
are you sure you need it in PFX format to complete your CSR in IIS?

usually I do these with .CER files or CRT files, or .TXT even...  I don't think PFX is going to complete in this case since you don't have the private key that signed it (your issuing authority)

why did they give you a PEM file anyway, tell them you want a CRT or CER

I've never received a PEM from godaddy, so why is your provider doing things differently?

 
sk1922 (Author) Commented:
well it's from a large corporation who we use for a few business apps in Accounting.  They expose several web services and are also a CA.  Probably why it's different than your VeriSigns, Thawte, etc.

do you think my .PEM file can simply be converted without including the key that was created when I generated the original CSR?
 
B H Commented:
what did they give you, just one key.pem file?
what happens when you go into IIS and say 'complete cert request' and point it at the PEM?

if your CA told you to convert it, I'd be real curious to see what their answer is when you say "how?"
 
sk1922 (Author) Commented:
No, I received two certs - one for SOAP signatures and another for Mutual SSL

So, your initial post got me thinking "why can't I just convert them to CER/DER?"

I did.  I converted both to .DER and was able to successfully install the cert in IIS.  

Both were imported successfully but now I get an error message when browsing to the path to which I have enabled SSL!!

I am not sure what I am missing now!  Is the .DER file format the issue??  Did I do it wrong?  

Any thoughts?  So many questions....
 
B H Commented:
what's the error message?  url doesn't match the certificate name?
 
sk1922 (Author) Commented:
From IIS > Server Certificates and double clicking:  Under the general tab, it reads "Windows does not have enough information to verify this certificate".

From the browser > Clicking the Certificate error in the address bar returns:
"This certificate cannot be verified up to a trusted certificate authority"
 

Is this helpful?
 
B H Commented:
kind of - did your CA give you any intermediate certificates to install on your server as trusted intermediate CA's?

for example - your server won't trust a godaddy certificate, if your server doesn't first trust starfield as a CA

this is starting to look back towards asking them "how, exactly, do you want me to convert it?"  and see how their steps don't include their private key they signed it with.

can you say the certificate path, as seen in 'view certificate' from IE?  that should tell you who your server needs to trust... who signed it before your CA did?

does the world trust your CA?  if not, everyone is going to get that "not from trusted CA" anyway
 
sk1922 (Author) Commented:
I've asked them about an intermediate certificate and awaiting a response.

Do you know if a conversion from PEM to DER produces different results (i.e. files) than converting from PEM to say PFX / CER / CRT??

 
sk1922 (Author) Commented:
And to answer your question about the cert path in IE.... No, I can't see it.  The "View Certificate" button is dimmed out.

However, it reads Certificate status: this certificate is OK towards the bottom of that same window.
 
B H Commented:
here's two ways to get it from PEM to DER but... I'm curious to see what IIS thinks of it

you know as they say, garbage in, garbage out...
 
sk1922 (Author) Commented:
No links??  Not sure if you meant to include any though.

Yeah, I know exactly what you mean about garbage in, garbage out...

I actually did convert both certs they provided to .DER format successfully.  One is signed for SOAP-Signatures, the other for Mutual SSL

I just wonder if my conversion PEM => DER didn't strip any data from the original cert?  My understanding is that PEM and DER are considered encodings more than anything else.
 
sk1922 (Author) Commented:
btw, I really appreciate you sticking with me on this.  Thank you.
 
B H Commented:
Oh I did forget those links :/  will find them again this morning

(Getting kind of sidetracked as the wife is due in 3 days)

So you got them converted, how does it look when browsing to the secured site? Or did IIS not take them?  Did you hear back from the issuer?
 
sk1922 (Author) Commented:
Congrats to you!

I installed the cert which they marked as Mutual SSL.  When I fire up a browser session, I get "invalid certificate"

I reached out to the issuer and awaiting a response.  

Any thoughts on the error?
 
B H Commented:
are you able to get the certificate from the browser and see why it says invalid?  what about from firefox?
 
sk1922 (Author) Commented:
Invalid certificate prompt in firefox
 
sk1922 (Author) Commented:
Invalid certificate prompt in IE.
 
sk1922 (Author) Commented:
In firefox once I clicked on "Confirm Security Exception" it loaded/saved the cert.  

In IE once I clicked on "Install Certificate" I don't see any change.  Still get the invalid cert error.  Problem is that my company's user-base all run IE and not FF.  
 
sk1922 (Author) Commented:
So the provider sent over 3 certs.  I am going to install these through the MMC on my IIS box.  

Should I not install these in the "Trusted Root CA" node and instead install them in the "Enterprise Trust"?
 
B H Commented:
I'm not sure if trusted root will propagate down to the users on your domain or not - either way it won't affect public computers accessing that site (not sure if you care about that or not though)

 
sk1922 (Author) Commented:
I got it!! Wow, it only took me like a million years to do it!! I added the CA-provided certs in the MMC snap-in on the server, then installed the same certs in my browser.  I also had to add these to the Trusted Publishers in order for IE to get rid of the error message.


So my steps:

- Installed my signed certs returned to me by provider in IIS
- Installed the CA root and intermediate certs using MMC snap-in
- Installed those same CA certs on the client (my machine specifically to test)

Bryon44035v3 THANK YOU SOOOO MUCH FOR STICKING WITH ME ON THIS!  And congrats once again on the new baby you're expecting any day now!

.....Now, on to my next problem which is some sort of SSL/TLS secure channel error I'm getting when trying to add a reference to the web service in Visual Studio 2008.  
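The conversion the original question asked for (the PEM returned by the CA plus the key still inside the PFX exported from "Certificate Enrollment Requests"), together with the chain check behind the later "cannot be verified up to a trusted certificate authority" error, as an added example that is not part of the original thread. The file names, passwords and helper function names are assumptions; the posted command failed because `-inkey` expects a PEM private key, not a PFX container, so the key is extracted first.

```shell
#!/bin/sh
# Added example, not from the original thread. The posted command failed because
# `-inkey` expects a PEM private key but was handed a .PFX container. The fix is
# to pull the key out of the PFX exported from "Certificate Enrollment Requests",
# then bundle it with the CA-signed PEM certificate and the CA root/intermediate
# certs into a new PFX for IIS. All file names below are assumed.
set -eu

# Extract the private key from the MMC-exported PFX as an unencrypted PEM key.
# Treat the output as a secret: write it to a restricted directory and delete
# it once the new PFX has been built.
extract_key_from_pfx() {
  pfx="$1"; out_key="$2"; pass="$3"
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" -out "$out_key"
}

# Check that the key really belongs to the signed certificate: compare the
# public key embedded in the cert with the one derived from the private key.
key_matches_cert() {
  cert="$1"; key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Check that the signed cert chains to the CA root/intermediates the issuer
# supplied. If this fails, IIS shows "cannot be verified up to a trusted
# certificate authority" no matter which container format you import.
cert_chains_to() {
  ca_chain="$1"; cert="$2"
  openssl verify -CAfile "$ca_chain" "$cert" >/dev/null 2>&1
}

# Bundle signed cert + key + CA chain into a password-protected PFX for IIS.
build_pfx() {
  cert="$1"; key="$2"; chain="$3"; out_pfx="$4"; pass="$5"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name "WEB01 Server Certificate" -passout "pass:$pass" -out "$out_pfx"
}

# Confirm the result carries both a private key and a certificate.
pfx_has_key_and_cert() {
  pfx="$1"; pass="$2"
  dump="$(openssl pkcs12 -in "$pfx" -nodes -passin "pass:$pass")"
  printf '%s\n' "$dump" | grep -q 'BEGIN .*PRIVATE KEY' &&
    printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE'
}
```

With OpenSSL 3.x, a PFX exported by older Windows builds may encrypt its certificate bags with RC2-40, which the default provider no longer reads; add `-legacy` to the `openssl pkcs12` read step if it refuses the file.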
 
sk1922 (Author) Commented:
Thank you for sticking with me on this one!
 
B H Commented:
thanks for posting this question :)

for your next question: Now, on to my next problem which is some sort of SSL/TLS secure channel error I'm getting when trying to add a reference to the web service in Visual Studio 2008.

I only get about 50% of that, so I won't be able to attend that one haha
 
sk1922 (Author) Commented:
Lol... No worries.  Thanks for playing anyways.  