sk1922

asked on

Urgent SSL Help Needed! PEM file to PFX for IIS 7

I still can't seem to get anywhere with this.  I assume this is not too uncommon of a scenario.

some background:
1) From IIS7 I generated and sent two CSRs to a 3rd party CA to sign for me
2) CA returned the files in .PEM format and told me that I'd need to convert them for IIS.
3) I see the two requests when using MMC and adding a Snap-In to > Certificates (Local Computer) > Certificate Enrollment Requests
4) So for each one, I right clicked > selected Export... > Yes, export the private key > checked Include all certificates in the certification path if possible > completed remaining steps
5) Saved the newly created .PFX files
6) I installed OpenSSL, as I keep reading that this tool will get the job done
7) I ran the below OpenSSL command to see what I'd get in return:

openssl pkcs12 -export -in server_sign.pem -inkey serverweb1.pfx -out server_sign.pfx -name "WEB01 Server Certificate"

server_sign.pem = the file sent back to me by the CA
serverweb1.pfx = the exported key (step 4 & 5 above)
server_sign.pfx = the desired output file in .PFX format

Will not work!  I get "unable to load private key" command line error.

I am so at a loss with this.


Bryon H

are you sure you need it in PFX format to complete your CSR in iis?

usually i do these with .CER files or CRT files, or .TXT even...  i don't think PFX is going to complete in this case since you don't have the private key that signed it (your issuing authority)

why did they give you a PEM file anyway, tell them you want a CRT or CER

i've never received a PEM from godaddy, so why is your provider doing things differently?

sk1922

ASKER

well it's from a large corporation who we use for a few business apps in Accounting.  They expose several web services and are also a CA.  Probably why it's different than your VeriSigns, Thawte, etc.

do you think my .PEM file can simply be converted without including the key that was created when I generated the original CSR?
 
Bryon H

what did they give you, just one key.pem file?
what happens when you go into IIS and say 'complete cert request' and point it at the PEM?

if your CA told you to convert it, i'd be real curious to see what their answer is when you say "how?"
sk1922

ASKER

No, I received two certs - one for SOAP signatures and another for Mutual SSL

So, your initial post got me thinking "why can't I just convert them to CER/DER?

I did.  I converted both to .DER and was able to successfully install the cert in IIS.  

Both were imported successfully but now I get an error message when browsing to the path to which I have enabled SSL!!

I am not sure what I am missing now!  Is the .DER file format the issue??  Did I do it wrong?  

Any thoughts?  So many questions....
Bryon H

what's the error message?  url doesn't match the certificate name?
sk1922

ASKER

From IIS > Server Certificates and double clicking:  Under the general tab, it reads "Windows does not have enough information to verify this certificate".

From the browser > Clicking the Certificate error in the address bar returns:
"This certificate cannot be verified up to a trusted certificate authority"
 

Is this helpful?
Bryon H

kind of - did your CA give you any intermediate certificates to install on your server as trusted intermediate CAs?

for example - your server won't trust a godaddy certificate, if your server doesn't first trust starfield as a CA

this is starting to look back towards asking them "how, exactly, do you want me to convert it?"  and see how their steps don't include the private key they signed it with.

can you say the certificate path, as seen in 'view certificate' from IE?  that should tell you who your server needs to trust... who signed it before your CA did?

does the world trust your CA?  if not, everyone is going to get that "not from trusted CA" anyway
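The two problems in this thread (the "unable to load private key" error from the pkcs12 command in the first post, and the "cannot be verified up to a trusted certificate authority" error once the cert was installed) can both be reproduced and checked with OpenSSL alone. The script below is an added example, not something posted in the thread or supplied by the CA: it builds a throw-away root -> intermediate -> server chain (Example Root CA, web01.example.test, the file names and the password changeit are all constructed for the demo), then shows that verification fails when the intermediate is missing and succeeds when it is supplied, bundles leaf + PEM key + intermediate into one PFX the way IIS expects it, pulls a PEM key back out of a .pfx (which is what -inkey actually wants, rather than the .pfx itself), and confirms that PEM -> DER is a re-encoding only.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away root -> intermediate -> server
# chain with OpenSSL so every step runs offline, then shows:
#   1. why a server cert fails verification when the intermediate is missing,
#   2. how to bundle leaf + key + intermediate into the PFX that IIS imports,
#   3. how to pull a PEM key out of an MMC-exported .pfx (what -inkey actually wants),
#   4. that PEM -> DER is a re-encoding only (same SHA-256 fingerprint).
# All names (Example Root CA, web01.example.test, file names, password) are constructed.
set -eu

WORK=$(mktemp -d)

# Make a key + CSR for <name>, sign it with <ca-cert>/<ca-key> (or self-sign when ca-cert is "self").
issue() {
  name=$1 subj=$2 ext=$3 cacert=$4 cakey=$5
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$cacert" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
      -days 30 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_test_pki() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:false\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:web01.example.test\n' >> "$WORK/leaf.ext"
  issue root   "/CN=Example Root CA"         "$WORK/ca.ext"   self              ""
  issue inter  "/CN=Example Intermediate CA" "$WORK/ca.ext"   "$WORK/root.pem"  "$WORK/root.key"
  issue server "/CN=web01.example.test"      "$WORK/leaf.ext" "$WORK/inter.pem" "$WORK/inter.key"
}

# 0 if server.pem chains up to root.pem. Pass the intermediate file as $1, or "" to leave it out.
chain_ok() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
  fi
}

# Leaf cert + its PEM key + the intermediate, in one PFX: -inkey takes a PEM key, not a .pfx.
export_pfx() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/inter.pem" -name "WEB01 Server Certificate" \
    -passout pass:changeit -out "$WORK/server.pfx" 2>/dev/null
}

# How many certificates the PFX carries (leaf + intermediate = 2).
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/server.pfx" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# An MMC export yields a .pfx; extract the private key as unencrypted PEM before using -inkey.
extract_key() {
  openssl pkcs12 -in "$WORK/server.pfx" -nocerts -nodes -passin pass:changeit \
    -out "$WORK/extracted.key" 2>/dev/null
}

# The extracted key belongs to the certificate iff both yield the same public key.
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/server.pem" -noout -pubkey | openssl md5)
  b=$(openssl pkey -in "$WORK/extracted.key" -pubout | openssl md5)
  [ "$a" = "$b" ]
}

# PEM -> DER changes encoding only; the certificate's fingerprint is unchanged.
der_roundtrip_same() {
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.cer"
  a=$(openssl x509 -in "$WORK/server.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -inform DER -in "$WORK/server.cer" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

build_test_pki
if chain_ok ""; then
  echo "unexpected: verified without the intermediate"
else
  echo "root only: verify FAILS (IIS wording: cannot be verified up to a trusted CA)"
fi
chain_ok "$WORK/inter.pem" && echo "root + intermediate: verify OK"
export_pfx && echo "server.pfx holds $(pfx_cert_count) certificate(s)"
extract_key && key_matches_cert && echo "key extracted from .pfx matches server.pem"
der_roundtrip_same && echo "PEM -> DER: same SHA-256 fingerprint"
echo "artifacts in $WORK"
```

The first verify call is the script equivalent of the browser error in this thread: the leaf is fine, but nothing on the machine links it to a trusted root, so the chain cannot be built. Supplying the intermediate (on a real server: importing it into the Intermediate Certification Authorities store, with the root in Trusted Root Certification Authorities) is what makes the same certificate validate. The -certfile option on the export puts that intermediate inside the PFX so IIS picks it up at import time instead of relying on it being installed separately.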
sk1922

ASKER

I've asked them about an intermediate certificate and awaiting a response.

Do you know if a conversion from PEM to DER produces different results (i.e. files) than converting from PEM to say PFX / CER / CRT??

sk1922

ASKER

And to answer your question about the cert path in IE.... No, I can't see it.  The "View Certificate" button is dimmed out.

However, it reads Certificate status: this certificate is OK towards the bottom of that same window.
Bryon H

here are two ways to get it from PEM to DER but... i'm curious to see what IIS thinks of it

you know as they say, garbage in, garbage out...
sk1922

ASKER

No links??  Not sure if you meant to include any though.

Yeah, I know exactly what you mean about garbage in, garbage out...

I actually did convert both certs they provided to .DER format successfully.  One is signed for SOAP-Signatures, the other for Mutual SSL

I just wonder if my conversion PEM => DER didn't strip any data from the original cert?  My understanding is that PEM and DER are considered encodings more than anything else.
sk1922

ASKER

btw, I really appreciate you sticking with me on this.  Thank you.
Bryon H

Oh I did forget those links :/  will find them again this morning

(Getting kind of sidetracked as the wife is due in 3 days)

So u got them converted, how does it look when browsing to the secured site? Or did iis not take them?  Did you hear back from the issuer?
sk1922

ASKER

Congrats to you!

I installed the cert which they marked as Mutual SSL.  When I fire up a browser session, I get "invalid certificate"

I reached out to the issuer and awaiting a response.  

Any thoughts on the error?
Bryon H

are you able to get the certificate from the browser and see why it says invalid?  what about from firefox?
sk1922

ASKER

In firefox once I clicked on "Confirm Security Exception" it loaded/saved the cert.  

In IE once I clicked on "Install Certificate" I don't see any change.  Still get the invalid cert error.  Problem is that my company's user-base all run IE and not FF.  
ASKER CERTIFIED SOLUTION
Bryon H

This solution is only available to members.
sk1922

ASKER

So the provider sent over 3 certs.  I am going to install these through the MMC on my IIS box.  

Should I not install these in the "Trusted Root CA" node and instead install them in the "Enterprise Trust"?
SOLUTION

This solution is only available to members.
sk1922

ASKER

I got it!! Wow, only took me like a million years to do it!! I added the CA-provided certs in the MMC snap-in on the server, then installed the same certs in my browser.  I also had to add these to the Trusted Publishers in order for IE to get rid of the error message.


So my steps:

- Installed my signed certs returned to me by provider in IIS
- Installed the CA root and intermediate certs using MMC snap-in
- Installed those same CA certs on the client (my machine specifically to test)

Bryon44035v3 THANK YOU SOOOO MUCH FOR STICKING WITH ME ON THIS!  And congrats once again on the new baby you're expecting any day now!

.....Now, on to my next problem which is some sort of SSL/TLS secure channel error I'm getting when trying to add a reference to the web service in Visual Studio 2008.

sk1922

ASKER

Thank you for sticking with me on this one!
Bryon H

thanks for posting this question :)

for your next question: Now, on to my next problem which is some sort of SSL/TLS secure channel error I'm getting when trying to add a reference to the web service in Visual Studio 2008.

i only get about 50% of that so, i won't be able to attend that one haha
sk1922

ASKER

Lol... No worries.  Thanks for playing anyways.