Solved

Need help understanding SSL Certs and how to provide PKCS#7 cert to external company

Posted on 2013-11-12
Last Modified: 2013-11-20
We've been asked to upload "our own private key (which may be PKCS#7 encrypted or bundled via PKCS#12)" to a third party company. I have absolutely no idea what I'm doing here so please use my specific examples in your answers because I can't extrapolate out from all the stuff I'm searching on the net.

I went to NetWorkSolutions, our SSL provider and downloaded a .zip. In the .zip are the following files. Just in case it matters, our SSL cert is a wildcard for *.mysite.com.
1. AddTrustExternalCARo0t.crt
2. NetworkSolutions_CA.crt  
3. STAR.MYCOMPANY.COM.crt   (which I think is my certfile)
4. UTNAddTrustServer_CA.crt

I tried using OpenSSL on a Centos 6.3 install and following different examples on the net, but have not ended up with a file that the company accepts as valid. Part of the problem is I'm not sure which of these files is my "Private Key", or if none of these are, where I'd get the private key, what other files need to be attached, etc. I was not the one who originally requested the certificate. Am I just not able to do this without the Private key?

I tried following example to create a PKCS#7 file but when I tried uploading it, I got the message "Private key must be uploaded together with a certificate" which I get no matter what I try.

openssl crl2pkcs7 -nocrl -certfile STAR.MYCOMPANY.COM.crt -out STAR.MYCOMPANY.COM.p7b -certfile NetworkSolutions_CA.crt

This produced STAR.MYCOMPANY.COM.p7b

I started to try

Convert PEM to PFX
——————————————————————————————————————————————————
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

but I couldn't figure out which of my files listed above went where for this to work.

Thanks in advance.
Question by:adamant40
25 Comments
 
LVL 35

Expert Comment

by:mccarl
ID: 39644298
We've been asked to upload "our own private key ... to a third party company.
Ok STOP... You haven't said exactly what this is to be used for or the reason for doing this, but before you do ANYTHING else, you should get clarification. A private key is named just that for a reason, it is (and should remain) private!! If you give out that private key to anyone, you are essentially allowing that person/entity/company to either decrypt any message/traffic that is intended just for you, or to impersonate you (or the service represented by this key/cert pair).

Now there may be a possible legitimate reason for this (I can't think of any right at the moment), but just make sure that you are fully aware of what you are giving out first!!
 
LVL 61

Expert Comment

by:btan
ID: 39645068
You should never reveal your private key to external parties, and there is no need to do that unless some man-in-the-middle activity is required, e.g. transparent SSL inspection. This is a suspicious request; please find out the reason why they need that key. At most they need your public key (crt or cer).

the pkcs command
http://www.openssl.org/docs/apps/pkcs12.html

Check a certificate
> openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)
> openssl pkcs12 -info -in keyStore.p12

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
> openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Check an SSL connection. All the certificates (including intermediates) should be displayed
> openssl s_client -connect www.paypal.com:443
 

Author Comment

by:adamant40
ID: 39646330
Ok, thanks and your points are well taken. Basically we are working with Zendesk as our helpdesk system. We have a redirect to their page, but it is under our URL. support.mycompany.com. So we need to upload our SSL certificate to them so the redirect has our ssl cert. I'm putting a hold on the upload until I get better info.

But none of your answers actually help me with understanding which of the files I listed are the ones needed for the steps listed. I've seen the examples listed in my searches, but as I said I don't know which certs go where.

Could you give me the example below but using the cert names I listed? That would let me run the examples and see the different outputs.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 
LVL 35

Accepted Solution

by:
mccarl earned 300 total points
ID: 39647338
Could you give me the example below but using the cert names I listed?
But you still need to tell us what you want! In your first post, you said that the third party company just wanted your private key, and so you don't need to do anything with the certificates that you downloaded.

But just for your interest, if you were asked to bundle everything up in a PKCS#12 file, the command line would be...

openssl pkcs12 -export -out certbundle.p12 -inkey private.key -in STAR.MYCOMPANY.COM.crt -certfile AddTrustExternalCARo0t.crt -certfile UTNAddTrustServer_CA.crt -certfile NetworkSolutions_CA.crt

(I'm not sure whether that order of -certfile options is 100% or matters but you get the idea)


The main problem lies in this...
I'm not sure which of these files is my "Private Key", or if none of these are, where I'd get the private key, what other files need to be attached, etc. I was not the one who originally requested the certificate.
So, no! None of those files are the private key. As I said, the private key is private and so wouldn't be found in any files downloaded from your SSL provider or any other third parties. The private key would more than likely be found by querying "the one who originally requested the certificate". They would have created the private/public key pair and then generated the "certificate request" based on that public key, to be sent off to your certificate authority to have your certificate created. If you can't find that person to get the private key, the other place that it would be located is in your web server that handles the domain covered by your certificate.
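The bundling step and the check that should come before it, as an added example that is not code from the thread. It constructs its own throwaway root, intermediate and wildcard leaf (standing in for the files Network Solutions sent plus the .key that lives on the web server), proves the key belongs to the leaf certificate by comparing public keys, shows that the PKCS#7 the asker built can only ever hold certificates, and then builds the PKCS#12. One caveat it encodes: openssl pkcs12 honours a single -certfile (repeating the option just overrides the earlier one), so the intermediate and root are concatenated into one PEM file first. The key file name, the PKCS#12 password ("changeit") and the demo subject names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway
# root -> intermediate -> wildcard leaf chain so the steps run offline,
# then: confirms the .key belongs to the leaf cert, shows what a .p7b
# can and cannot hold, and bundles key + chain as PKCS#12.
# File names mirror the question; key name and password are assumptions.
set -eu

# Constructed test material standing in for the CA download and the key
# found on the server. ca.ext / leaf.ext give each cert sensible extensions.
make_test_material() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mycompany.com\n' > leaf.ext
  # Root: self-signed with -signkey.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out AddTrustExternalCARoot.crt 2>/dev/null
  # Intermediate: issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA AddTrustExternalCARoot.crt -CAkey root.key \
    -CAcreateserial -days 30 -extfile ca.ext -out NetworkSolutions_CA.crt 2>/dev/null
  # Leaf: key pair + CSR made on the server, cert issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mycompany.com" \
    -keyout STAR.MYCOMPANY.COM.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA NetworkSolutions_CA.crt -CAkey inter.key \
    -CAcreateserial -days 30 -extfile leaf.ext -out STAR.MYCOMPANY.COM.crt 2>/dev/null
)

# The check to run before sending anything anywhere: does the key fit the cert?
# The public key derived from the private key must equal the one in the cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# PKCS#7 (.p7b) carries certificates only; PKCS#12 (.p12/.pfx) carries the
# private key together with the chain. openssl pkcs12 takes one -certfile,
# so intermediate + root are concatenated into chain.pem first.
build_bundle() (
  cd "$1"
  cat NetworkSolutions_CA.crt AddTrustExternalCARoot.crt > chain.pem
  # Sanity-check the chain the way a client would.
  openssl verify -CAfile AddTrustExternalCARoot.crt -untrusted NetworkSolutions_CA.crt \
    STAR.MYCOMPANY.COM.crt >/dev/null
  openssl crl2pkcs7 -nocrl -certfile STAR.MYCOMPANY.COM.crt -certfile chain.pem \
    -out STAR.MYCOMPANY.COM.p7b
  openssl pkcs12 -export -inkey STAR.MYCOMPANY.COM.key -in STAR.MYCOMPANY.COM.crt \
    -certfile chain.pem -passout pass:changeit -out certbundle.p12
)

# Count what a container holds, using whatever openssl subcommand dumps it.
certs_in() { openssl "$@" | grep -c 'BEGIN CERTIFICATE' || :; }
keys_in()  { openssl "$@" | grep -c 'BEGIN.*PRIVATE KEY' || :; }

WORK=$(mktemp -d)
make_test_material "$WORK"
key_matches_cert "$WORK/STAR.MYCOMPANY.COM.key" "$WORK/STAR.MYCOMPANY.COM.crt" \
  || { echo "refusing to bundle: key does not belong to the certificate" >&2; exit 1; }
build_bundle "$WORK"
echo "p7b certs: $(certs_in pkcs7 -in "$WORK/STAR.MYCOMPANY.COM.p7b" -print_certs)"
echo "p7b keys:  $(keys_in pkcs7 -in "$WORK/STAR.MYCOMPANY.COM.p7b" -print_certs)"
echo "p12 certs: $(certs_in pkcs12 -in "$WORK/certbundle.p12" -passin pass:changeit -nokeys)"
echo "p12 keys:  $(keys_in pkcs12 -in "$WORK/certbundle.p12" -passin pass:changeit -nocerts -nodes)"
```

Run it with a real key and certificate by pointing key_matches_cert at those files first; if it fails, the .key you found is not the pair of that certificate and no amount of bundling will produce a usable PKCS#12.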
 
LVL 61

Expert Comment

by:btan
ID: 39647777
For those SSL Chained certs stated, you can catch this for better understanding (if intent is just to know what they are specifically as issued by the provider). In the example, the "WIDGETS.COM.crt" is your "STAR.MYCOMPANY.COM.crt"

- AddTrustExternalCARoot.crt is “root certificate”.
- NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt are “intermediate certificates”.
- The last one is your “domain certificate”.

<links removed - GaryC123>
 

Author Comment

by:adamant40
ID: 39649059
At this point I'm just making sure I understand that I am truly screwed here.

So mccarl,
Since both the server that the request was made from and the guy who made the request are long gone, there is no way I can recover/obtain our private key.

And there is no way to run
openssl pkcs12 -export -out certbundle.p12 -inkey private.key -in STAR.MYCOMPANY.COM.crt -certfile AddTrustExternalCARo0t.crt -certfile UTNAddTrustServer_CA.crt -certfile NetworkSolutions_CA.crt because I don't have the private key.

So regardless of why this is needed, I can't provide the information anyway. Sigh. This has been very helpful.  We keep installing the *.MYCOMPANY.COM certificate and it works because the  certificate is authenticating with Network Solutions. The fact that I can't recover the private key is not blocking us on the certificate working. And if  we do a renew, it will continue to work.
 
LVL 61

Expert Comment

by:btan
ID: 39649762
Without the private key, the certificate is as good as useless, and typically the provider doesn't have a recovery key. You may try logging in as the user who made the previous purchase, in case the certificate was installed in that user's personal cert store; if the private key exists, the certificate will state so.
 

Author Comment

by:adamant40
ID: 39649838
Breadtan,
Now I'm really confused. Are you saying that my running servers that have working SSL have the private key installed on them? Would it be different if we are talking about a wildcard SSL cert? Cause I'm not aware of them having the private key.
 
LVL 61

Expert Comment

by:btan
ID: 39649955
I had thought the private key was in STAR.MYCOMPANY.COM.crt; correct me, as the provider should be giving it to you so that it can be stored and used by the web server.
 
LVL 35

Expert Comment

by:mccarl
ID: 39649962
I think breadtan was actually saying that maybe you might have some files left behind by "the guy that made the request" that might contain the private key, but I think that that would be a long shot.

However, what YOU have said is true... If you have servers that are currently running and working with a particular SSL certificate, then YES, those servers must also have access the private key which is the "pair" of the public key that that SSL certificate represents. Your SSL just wouldn't work without it. And no, it doesn't depend on the type of certificate.
 
LVL 35

Expert Comment

by:mccarl
ID: 39649968
@breadtan,

Why would the provider have his private key in the first place, to be able send back to him?
 
LVL 61

Expert Comment

by:btan
ID: 39649974
Thanks mccarl. Indeed the private key must have been given by the provider. They shouldn't keep it, and if it is a CRT then it would be installed in your web server already.

<competing site link removed - GaryC123>
 
LVL 35

Expert Comment

by:mccarl
ID: 39649997
@Breadtan,

It was more a rhetorical question. I'm saying that you DON'T send the private key to the certificate provider. You send a "Certificate Signing Request" which contains the public key (among other things) but definitely NOT the private key. a) They don't need it for anything and b) it is a security compromise if anyone other than yourself knows your private key.

I'm not sure why you post that link, as it basically just confirms what I was saying in that a .CRT file doesn't (can't) contain a private key. It is just a certificate. (.pfx or .p12 files can contain both the cert and private key, but not a plain .crt)


@adamant40,
We keep installing the *.MYCOMPANY.COM certificate and it works
What web servers are you installing this certificate on and what steps are you taking to do this? Unless you are using some .pfx/.p12 file when doing this (only supported by certain web servers) then there must be a private key somewhere else. If you are using a .pfx/.p12 file on these servers, then BINGO, there is your private key (albeit encapsulated inside the file, but that is where you can use openssl commands to extract it)
 
LVL 61

Expert Comment

by:btan
ID: 39650334
Thanks for the clarification. The private key should not be shared externally at all.
 

Author Comment

by:adamant40
ID: 39652304
Excellent dialog here. So the CERT request (which I don't have) would contain the Private Key but also contain other info. And the private key (which I also don't have) would be just that, a private key. The servers currently working with SSL are Centos 6.3 with Apache boxes that are chef deployed (built from a recipe). From what I'm reading here, the fact that SSL works means that these servers HAVE to contain the private key somewhere in some format. I will dig through one of those servers this weekend and see if I'm able to locate anything. I'll look for files ending in .pfx/.p12 as well as files ending in .key. If I'm following this correctly it should be one of those.
 

Author Comment

by:adamant40
ID: 39652454
OK, searching through our server I found MYCOMPANYcert.crt and MYCOMPANYCert_decypted.key. The .key file starts with -----BEGIN RSA PRIVATE KEY-----

So is that my private key or is that tied somehow to the .crt file?

Thanks,
 
LVL 61

Expert Comment

by:btan
ID: 39652604
That header indicates the PEM format for a private key... http://how2ssl.com/articles/working_with_pem_files/

Also note that eventually the subject name should be your webserver hostname or website uri
 
LVL 35

Assisted Solution

by:mccarl
mccarl earned 300 total points
ID: 39652757
So is that my private key or is that tied somehow to the .crt file?
Yes, that IS your private key AND it is tied to the certificate. As said above, private keys and public keys come in pairs, so that private key is the pair of the public key contained in that certificate.

And just to go back on a point...
So CERT request (which I don't have) would contain the Private Key
No, it doesn't contain the private key. Here is a brief run down of what happens.... To start, you have to generate a key pair (you choose the key type, RSA or DSA, and key size, number of bits, and then a tool generates them for you). You keep the private key secret and the public key can be freely given out to whoever needs it. Then you can generate a Certificate Signing Request based on this key pair. What happens is that you enter all the info that should go in to the certificate, such as your name/organisation name, etc. and the domain that the certificate will cover. This info, along with the public key (only, not the private key) gets included in the CSR which you send off to a Certificate Authority (CA). They confirm that you are who you say you are and then they sign a certificate which includes all that information you gave and the public key. Now anyone who "trusts" that CA can be assured that the public key really DOES represent that domain in the certificate, and so when someone uses that public key to communicate with your servers, they know that it really is that server on the other end of the line.
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 39652819
The CSR has the public key and not the private key. See below example. Normally the CSR and private key are created on the server. You can see what data was entered into the Certificate Signing Request by running...

openssl req -noout -text -in public.csr
http://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html
 

Author Comment

by:adamant40
ID: 39657097
Well thanks guys. I think that covers everything except the passphrase which I assume was created when the Certificate Request was created? I'm guessing the passphrase is NOT needed by servers currently serving up our site over SSL, or am I again wrong about this? If I'm wrong and the passphrase IS needed for SSL to be working on those servers then what type of file or where would I search for that?

Thanks again,
 
LVL 61

Assisted Solution

by:btan
btan earned 200 total points
ID: 39658081
A passphrase is normally set when the key pair is generated, specifically to protect your private key (or a p12/pfx). E.g., creating a 2048-bit private and public key pair in files, with the private key encrypted with the password foobar:

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

When any application attempts to use the private key (or you import it into a keystore), the user will be prompted to supply the passphrase. In the case of a CSR, to generate a new private key and CSR, you are prompted, e.g.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

unless you remove the passphrase from the private key, e.g.
openssl rsa -in privateKey.pem -out newPrivateKey.pem
 
LVL 35

Assisted Solution

by:mccarl
mccarl earned 300 total points
ID: 39658180
I think that covers everything except the passphrase
Are you saying that the .key file you found *definitely* has a passphrase? I.e., it is asking you for the passphrase when you try and do anything with the file with, say, the openssl command line? Or are you just asking about it in general?

There are two possible situations: either the .key file that contains your private key has no passphrase, in which case Apache can just use that file as is (but beware that ANYONE that can get read access to that file has your private key). The other possibility is that there is a passphrase on the .key file, and if that is the case then Apache MUST get the passphrase from somewhere in order to use that file. There are a couple of options here too: either Apache asks for the passphrase every time that it is started up (unlikely if you are not entering it yourself every time), or Apache has been configured to read the passphrase from a different file on the system. Look at your apache config files (probably /etc/apache/ssl.conf or /etc/httpd/ssl.conf, etc.) for a directive called "SSLPassPhraseDialog". The values that it can take are either "builtin" for Apache to ask every time it is started for the passphrase, or "exec:/path/to/an/executable/shell/script" where the shell script echoes the passphrase to standard out for Apache to pick it up and use it.

Hopefully, the above information is enough for you to determine which case is applicable to your environment, and (if needed) where to locate what the passphrase is.
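The key pair, CSR and passphrase handling described in the last several comments, as an added example that is not code from the thread. It generates a passphrase-protected RSA key and a CSR for the wildcard name, shows that the CSR carries only the public key (and that the two match), shows how an encrypted .key file announces itself in its PEM header, strips the passphrase the way the thread's `openssl rsa` command does, and models Apache's `SSLPassPhraseDialog exec:` hook as what it is: a program mod_ssl runs with `servername:port` and the key algorithm as arguments, reading the passphrase from its standard output. The passphrase ("foobar"), file names, the vhost name and the script path are assumptions; on CentOS the directive normally lives in /etc/httpd/conf.d/ssl.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks key pair -> CSR, then the
# passphrase cases mccarl describes. Passphrase, names and paths are
# assumptions for the demo.
set -eu

# A 2048-bit RSA key protected by a passphrase, and a CSR made from it.
# Only the public half, the subject and a self-signature go into the CSR.
make_key_and_csr() (
  cd "$1"
  openssl genrsa -aes128 -passout pass:foobar -out privateKey.key 2048 2>/dev/null
  openssl req -new -key privateKey.key -passin pass:foobar \
    -subj "/O=My Company/CN=*.mycompany.com" -out CSR.csr 2>/dev/null
)

# Does a PEM key file need a passphrase? Both encodings say so in the header:
# legacy "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# What the CSR contains: a dump of it never shows private key material.
csr_has_private_key() { openssl req -in "$1" -noout -text | grep -q 'PRIVATE KEY'; }

# The CSR is self-signed with the private key, so its signature verifies
# against the public key it carries.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Tie a CSR to a (passphrase-protected) key: same public key on both sides.
csr_matches_key() {
  c=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Remove the passphrase (what the thread's "openssl rsa -in ... -out ..." does).
# The result is plaintext key material: create it with a tight umask.
strip_passphrase() (
  umask 077
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
)

# Apache's exec: dialog. mod_ssl runs the script as
#   script <servername:port> <RSA|DSA|ECC>
# and reads one line from stdout. Referenced from ssl.conf as
#   SSLPassPhraseDialog exec:/etc/httpd/conf/passphrase.sh
# Anyone who can read or run this script effectively holds the key, so it
# must be root-owned and mode 0700.
write_dialog_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Constructed demo: map the vhost Apache asks about to its key passphrase.
case "$1" in
  support.mycompany.com:443) echo foobar ;;
  *) exit 1 ;;
esac
EOF
  chmod 700 "$1"
}

# What Apache effectively does with that script for a given vhost.
passphrase_for() { sh "$1" "$2" RSA; }

WORK=$(mktemp -d)
make_key_and_csr "$WORK"
csr_signature_ok "$WORK/CSR.csr" && echo "CSR signature verifies"
csr_has_private_key "$WORK/CSR.csr" || echo "CSR carries no private key"
csr_matches_key "$WORK/CSR.csr" "$WORK/privateKey.key" foobar && echo "CSR public key matches privateKey.key"
key_is_encrypted "$WORK/privateKey.key" && echo "privateKey.key needs a passphrase"
strip_passphrase "$WORK/privateKey.key" foobar "$WORK/privateKey.nopass.key"
key_is_encrypted "$WORK/privateKey.nopass.key" || echo "privateKey.nopass.key does not"
write_dialog_script "$WORK/passphrase.sh"
# Apache-style use: fetch the passphrase from the dialog script, unlock the key.
openssl pkey -in "$WORK/privateKey.key" -noout \
  -passin "pass:$(passphrase_for "$WORK/passphrase.sh" support.mycompany.com:443)" \
  && echo "dialog script unlocks privateKey.key"
```

Note the trade-off the dialog script makes explicit: once Apache can start unattended, the passphrase is on disk next to the key, so the protection it buys is only as good as the file permissions on the script and the key.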
 

Author Closing Comment

by:adamant40
ID: 39659575
Thanks a lot guys. I learned a ton from this. Wish this site would allow me to give you both the 500 points.
 
LVL 35

Expert Comment

by:mccarl
ID: 39661563
Not a problem, glad we could be of assistance! :)
 
LVL 61

Expert Comment

by:btan
ID: 39662163
We learn from one another and that is the important takeaway :)