Solved

Generate Certificate for MAC

Posted on 2016-09-02
Last Modified: 2016-09-23
Hello,

I want to generate a certificate for a Mac from the AD CA Authority to use it in email encryption, but I need the certificate in pfx extension to be able to install it in My Certificates in the keychain.

I have the private key, the CSR and the certificate generated. How can I convert this certificate from cer extension to pfx?

Please help.
Question by:fadyaz
 
LVL 61

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
ID: 41782856
you can try using openssl which should be available in Mac OSX (within Terminal.app)

e.g. Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
> openssl pkcs12 -export -in cert.cer -inkey key.pem -out certificate.pfx -certfile CA.cer

Notes
•Your generated CSR (cert.csr)
•Your Private Key File (key.pem)
•Your SSL certificate provided by the CA (cert.cer)
•The Intermediate Certificate provided by the CA (CA.cer)

For openssl package - check this http://mac-dev-env.patrickbougie.com/openssl/
0
 
LVL 76

Expert Comment

by:arnold
ID: 41783300
Btan's example is the opposite...
You need to convert from a .pfx file to a PEM format.

If the Mac has access to the certreq of the certificate issuing, you can use OpenSSL to generate the certificate request form, that you can then paste into the cert req form, the response will be the certificate with the certificate chains.

Opened.org has example to convert a pfx to a PEM format.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783325
(if I understand correctly)  I supposed he has the pem and asking how to convert to pfx which the latter can be used in the Mac machine by importing into the machine's keyring
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783332
Hi All,

This is correct . I want to convert the cer certificate generating by CA to pfx certificate.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41783334
How are you getting the cert, are you using GPO to autoenroll user/computers, then use mmc certificate to export the pfx?
Usually, a Windows CA issues the cert with private key, it can be imported using mmc certificate or used on the Mac......
Using editor to separate the private key from the certificate.
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783335
For Windows it is auto enrollment, but I need the correct way for Mac.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41783337
Http://caissuingserver/certreq

Request a user cert, the output is in the correct format.
Depending into which application/certificate store you need to import it, OpenSSL can be used to convert...
I.e. If you need to import into a .......

Is the Mac a member system?
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783350
The Mac is not a member system.

This certificate will be used for S/MIME.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783354
You can just get the CA to issue you the cert with your CSR submitted and use your Mac's openssl to convert. You will normally have the PEM format (as .cert .cer .crt or key extension), which is a text file, and when you open it up in notepad or an editor, you see the format like

-----BEGIN ENCRYPTED PRIVATE KEY-----
...(for encrypted private key like those key file extension file)
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...(for the other public key set which you can add in the CA and intermediate set. Each set will have its header and footer.)
-----END CERTIFICATE-----
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41783355
Is this for a user that already has a cert issued when using a Windows system? You could export the pfx from the Windows system, use OpenSSL to convert the pfx to the DER/PEM format importing it on the Mac?

To export use mmc certificate interface for user.
You could also export the existing certificate from the email application on Windows.


If the Mac is on the Lan, can you access the http://issuingCA/certreq
...
0

 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783356
Mac take in PFX file
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783358
Thanks btan.

Question: once I generate the certificate.CER, should I run the openssl command, or shall I modify the certificate first to convert it to pfx?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783360
You can see my earlier post to use openssl, but you should have those files ready

e.g. Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
> openssl pkcs12 -export -in cert.cer -inkey key.pem -out certificate.pfx -certfile CA.cer

Notes
•Your generated CSR (cert.csr)
•Your Private Key File (key.pem)
•Your SSL certificate provided by the CA (cert.cer)
•The Intermediate Certificate provided by the CA (CA.cer)
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783361
Thanks but question the private key output will be in key extension and for the intermediate is this the certificate with chain ?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783368
You can open up the cer file and see if they have the private or the certificate public key easily.

The key pem file in the openssl example is for private file. Actually it can be any other extension as long as the private header and footer is inside that file.

The crt can hold your cert
The cer can hold all the CA cert and intermediate certs. They are sections appended within the files as shared earlier on the structure in pem formatted files.

E.g
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783372
I'm getting this error  "unable to load certificates".
PS. the intermediate Certificate or Chain CA coming with the extension p7b and my downloaded certificate from the CA coming with extension cer.

Regards,
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 100 total points (awarded by participants)
ID: 41783375
Please provide step by step what you are doing, are you trying to import the user cert directly into a mail client?

Depending on you may have to convert the DER/PEM cert into a cert compatible with the keystore.

A search for importing cert for the application in question, will include/provide links to the type and then OpenSSL can be used to achieve your goal.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783380
Can convert p7b into pem, and CA in crt or cer is alright.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

In fact, we can have a single pem (cabundles) file containing the CA file and, pre-pended within the file, all its intermediate certs that are in pem format. Thereafter, use this cabundles in pem as the input to -certfile.

Note -certfile adds all certificates in that file to the .p12 store (in addition to the input certificate).

See examples https://www.digicert.com/ssl-support/pem-ssl-creation.htm
0
 
LVL 2

Author Comment

by:fadyaz
ID: 41783382
Once I run the command to convert p7b to cer I got the below error
openssl pkcs7 -print_certs -in certnew.p7b -out certnew1.cer
unable to load PKCS7 object
140735177785424:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7
0
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41783412
The p7b may not be in the correct PEM format but instead in DER format. So try

openssl pkcs7 -inform DER -in certnew.p7b -out certnew.pem

 Then  openssl pkcs7 -print_certs -in certnew.pem -out certnew1.cer

OR  simply a "combined" command

openssl pkcs7 -in certnew.p7b -inform DER -print_certs -out certnew1.cer
0
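Added example, not part of the thread or any participant's post: a shell script that checks whether each CA-supplied file is PEM or DER before calling openssl, which avoids the "no start line" error above, and then builds the .pfx. The function names and the intermediate files cert.pem and chain.pem are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pick -inform from the file contents, then build the PKCS#12.
# All file names are placeholders.

# PEM files carry a "-----BEGIN ..." armor line; DER files start with the
# ASN.1 SEQUENCE tag 0x30. Prints PEM, DER or UNKNOWN.
detect_inform() {
    if grep -q -e '-----BEGIN ' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert a certificate (x509) or a chain bundle (pkcs7) to PEM.
# usage: to_pem x509|pkcs7 infile outfile
to_pem() {
    fmt=$(detect_inform "$2")
    if [ "$fmt" = UNKNOWN ]; then
        echo "unrecognised encoding: $2" >&2
        return 1
    fi
    case $1 in
        x509)  openssl x509  -inform "$fmt" -in "$2" -out "$3" ;;
        pkcs7) openssl pkcs7 -inform "$fmt" -in "$2" -print_certs -out "$3" ;;
        *)     echo "unknown type: $1" >&2; return 1 ;;
    esac
}

# Succeeds only if the private key and the certificate share a public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# usage: sh make_pfx.sh key.pem cert.cer chain.p7b out.pfx
if [ "$#" -eq 4 ]; then
    to_pem x509  "$2" cert.pem  || exit 1
    to_pem pkcs7 "$3" chain.pem || exit 1
    key_matches_cert "$1" cert.pem || { echo "key does not match cert" >&2; exit 1; }
    umask 077   # the .pfx holds the private key: keep it owner-only
    openssl pkcs12 -export -inkey "$1" -in cert.pem -certfile chain.pem -out "$4"
fi
```

The export step prompts for a password that protects the .pfx; the same password is asked for when the file is imported into Keychain Access.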
 
LVL 61

Expert Comment

by:btan
ID: 41812166
As advised and guided in the solutions.
0
