wannabecraig (asker)

SSL how to convert PK7C standard godaddy to PFX

I managed to convert this to a CER and use it in Windows; however, when I try to export it there is no "export private key" option available.
I need to make a PFX of this certificate. I have tried to install OpenSSL on Windows 10 but it is just not playing ball.

Anybody any ideas here? I need the PFX or PEM for a SonicWall SRA.
Cliff Galiher

When you first generate the certificate request, you can check a box to make the private key exportable. If you didn't check that box, you can't export the private key. You'll have to generate a new request and rekey.
wannabecraig (asker)

I'm pretty sure it was checked to be exportable on the original CSR; I think that's the problem and you're right, thanks!

Can I not use OpenSSL to modify one of my existing files and give it a private key? That's what I was going to try and do next.

Now that I have this cert in place on some production machines, I do not want to be changing it for a SonicWall VPN device. If rekeying means I lose my current certificates, I don't want that if there are other options!

I still have the original GoDaddy files. I think this arose because it was a renewal; the instructions were to complete the CSR request again, if I'm not mistaken, which I did.
Cliff Galiher

You cannot use OpenSSL to add a new private key. That changes the signature and invalidates the public key that the public CA signed, which is the point of PKI. If you could change the certificate after the fact, you could usurp traffic and do a man-in-the-middle. The file signed must remain as-is.
wannabecraig (asker)

So if I rekey and download, my currently installed and active certificates become unusable? Basically they would stop working on the spot, right, as the CA would be looking for a new key.

Do I have any other options here?

So basically I have cert files I can use on some types of systems (IIS) but not on other types of systems like RDS and SonicWall SRA, for example. Great.
Cliff Galiher

Standard practice is to use different certificates for different systems anyway. While a UCC/SAN or wildcard cert does support multiple names, that really is meant for multiple names on one server (such as mail.company.com and autodiscover.company.com, both of which are hosted by the same mail server).

Multiple machines with the same private key is an extreme risk, and exporting a key is rarely, if ever, recommended. The mere presence of the private key out of the lockbox is a sign of a bad implementation.
ASKER CERTIFIED SOLUTION
carlos soto

This solution is only available to members.

Cliff Galiher

It actually depends on the vendor. Many do add old certificates to their CRL when a rekey is requested, which, for systems that check for revocation, does break them. I am not comfortable recommending that course of action.
wannabecraig (asker)

Also, I am able to import the cert into IIS and it works fine. I can do this on any machine I want and I have no way to get the private key; seems insane.

This SSL works fine. For example, I could create a new IIS server; it's a wildcard cert so I would just use the common name on the cert in the hostname for the new site I'm making.
It works fine in the browser for users when I test it, and I scan it with Qualys SSL, which gives the certificate an A+ rating. I just don't understand how I could have a wildcard certificate I can deploy on many systems but cannot get the private key or convert to PFX.

Can I get GoDaddy to give me the private key and fix it in OpenSSL?
Cliff Galiher

Okay. Time for PKI 101....

When you generate a CSR, regardless of whether it's IIS or another way, a private key is generated and stored somewhere on the machine. As a file, or in a lockbox of some sort, *somewhere.* Windows uses a proprietary way of storing that private key, and if it isn't marked as exportable, it isn't exportable.

Then the information about the certificate is written to a signing request file. Things like the name you requested, the OU, the organization, the location....but *NOT THE PRIVATE KEY!* A matching public key is part of this file. The public key is used to *encrypt* data, and the private key is used to *decrypt* data. They have unique functions.

Then the CSR (a Signing Request) is sent to a public CA. That means *THEY* don't have your private key to give back to you. They *sign* your certificate file with their signature using their private key, which only they have. And if that ever got out, anybody could sign any certificate posing as them. So no, they won't give you their private key.

Now, every browser has the popular CAs' *PUBLIC* keys embedded. There is even a process for a new CA to request that their public keys get added to new browser releases. So when you visit www.mybank.com, that bank sends you the *signed* certificate from a CA, and your browser then uses the public key it already knows to validate that the certificate was indeed signed by the CA. Nobody can forge this because nobody has the private key to sign a certificate.

Then stuff you send to www.mybank.com gets encrypted using the PUBLIC key that is in the certificate that the server sent your browser. And then the www.mybank.com server can decrypt the data you send them (like your password) using the PRIVATE key on their server. That NEVER LEFT their server.

So no. GoDaddy does not have a private key to give you for your certificate. And no, you can't take the certificate GoDaddy sent you and import it into other machines. They wouldn't have the private key, so they couldn't decrypt data sent to them using that certificate's public key.

The public/private key pair is the *core* of PKI, and private keys are private for a reason. And they are supposed to be *HEAVILY* protected. So systems that store them and protect them from export are *supposed* to be locked down, which is what you are running into. That is by design.
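To make the distinction in the post above concrete, here is an added example (my own code, not from the thread, GoDaddy or SonicWall) that reproduces the situation offline with OpenSSL. A throwaway key and CSR stand in for the server's, a self-signed certificate stands in for the CA-issued one, and it is handed back as a PKCS#7 (.p7b) bundle, the form the thread calls PK7C. The script then unpacks the bundle to PEM, checks that no private key came with it, confirms that the key on disk belongs to the certificate, and only then builds the PFX that a device like the SonicWall SRA accepts. All file names, the subject `*.example.test` and the password `changeit` are constructed for the demo and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: CSR -> CA bundle (.p7b) -> PEM -> PFX, with the checks a practitioner
# should run before packaging. Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)                     # constructed scratch directory

# 1. On the machine that generated the CSR: private key + signing request.
#    The CSR carries only the PUBLIC key; server.key never leaves this machine.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=*.example.test" 2>/dev/null      # constructed wildcard subject
}

# 2. Stand-in for the CA: sign the request and deliver it as a PKCS#7 bundle.
#    (A real CA signs with its own key; self-signing here keeps the demo offline.)
#    The bundle is certificates only, which is why it can never yield a PFX by itself.
issue_p7b() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/server.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -out "$WORK/server.p7b"
}

# 3. Unpack the .p7b into PEM certificates (the conversion the asker wanted openssl for).
p7b_to_pem() {
  openssl pkcs7 -in "$WORK/server.p7b" -print_certs -out "$WORK/chain.pem"
}

# Returns 0 when the unpacked bundle contains no private key (it never does).
p7b_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORK/chain.pem"
}

# 4. Before bundling, prove the key on disk matches the certificate: compare the
#    SHA-256 of each side's SubjectPublicKeyInfo. A mismatch means you are not on
#    the machine that generated the CSR, exactly the trap in this thread.
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 5. Build the PFX: certificate chain from the CA + private key from step 1.
pem_to_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/chain.pem" \
    -out "$WORK/server.pfx" -passout pass:changeit   # constructed password
}

# Returns 0 when the PFX round-trips with both a certificate and a private key inside.
pfx_is_complete() {
  out=$(openssl pkcs12 -in "$WORK/server.pfx" -nodes -passin pass:changeit 2>/dev/null)
  echo "$out" | grep -q "BEGIN CERTIFICATE" && echo "$out" | grep -q "PRIVATE KEY"
}

run_demo() {
  make_key_and_csr
  issue_p7b
  p7b_to_pem
  p7b_has_no_private_key && echo "bundle from CA: certificates only, no private key"
  key_matches_cert && echo "private key on this machine matches the certificate"
  pem_to_pfx
  pfx_is_complete && echo "PFX built: $WORK/server.pfx"
}

run_demo
```

Run it where the private key lives, i.e. on the machine that generated the CSR; anywhere else `key_matches_cert` fails, and no amount of converting the .p7b, .crt or .cer files will change that. On Windows the key sits in the certificate store rather than in a .key file, but the same rule applies: the export has to come from that store, and only if the key was marked exportable when the request was created.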
wannabecraig (asker)

What I'm saying is I could create a webserver and import the SSL files I have from GoDaddy, publicly expose it and run transactions through IIS through a 3rd-party company,
and also get an A+ on Qualys. So the private key is obviously embedded in the 2 files I have from GoDaddy.

Has to be a way to export it?
Cliff Galiher

No. What you say is actually impossible. You either missed a step or your understanding was incomplete. The private key is NOT in any file GoDaddy sends. EVER.

I could claim that my bicycle can outrun a new Corvette. That doesn't make it so. Some laws are immutable. How PKI works is one of them. The CSR you sent GoDaddy could not have a private key (or it would not be a CSR), so GoDaddy CANNOT have a private key to send back to you. It just didn't happen like you think it did.
wannabecraig (asker)

Fixed it, you're a genius sir. I wasn't exporting it from the server the original CSR came from, haha, level 58 expert.
At the end of the day, the problem here was that the SonicWall wanted a PFX because it is not a Windows box. It is some kind of other, most likely Linux-based, system.

The certs I have were importable in IIS only because they were .PK7B, CRT and CER files; these are not accepted by the SonicWall SRA 4600, obviously. Every single cert file I had, regardless of the 4 extensions posted in here, clearly had the private key embedded.

Resolved now.
Can somebody override and give Carlos the points? He is the only person apart from myself here with any useful input in this thread.
Thanks.