Yashy

how to give someone the private key for SSL?

Hi guys

How do you give someone the private key for the SSL certificate but un-encrypted? I don't get what they are saying.

I've got a Windows 2008 R2 web server that I created the CSR on. Then I got the certificate from the provider and have applied the certificate to this to complete the request.

My colleague needs the private key. I exported it as a .PFX file, but when you do that, it is password protected. He needs it un-encrypted.

Do you use the MMC console to do this and then export it as a .CER file? Will that be correct?

Cheers
Yashy
dfke

Hi,

Just wondering, but why does your colleague ever need a certificate without a password? Keep in mind that if you're going to do that, then what's the point of having a signed deployment?

Picture anyone else besides your colleague getting hold of that certificate. He or she will be able to make their own deployments and get away with it because the certificate will be tracked back to you eventually.

Cheers

"My colleague needs the private key."
Why?
Linux/unix systems cannot have the private key password protected as that will require user intervention on service or system restart.

If the person does not know how to strip the password in the implementation.... Deployment on the server...
Yashy

ASKER

We use Cloudflare. So the .pfx file I have submitted to our hosting provider has been applied. But apparently using Cloudflare needs the private key extracted using openssl so that it can then be applied. That was why.

"My colleague needs the private key."

Is a very bad reason to give anyone your SSL cert.

With this cert, people can create well crafted site forgeries, where people can login to some random site + they will think the site is your site.

No one should ever ask for your SSL cert.

You should never, ever, ever give anyone your SSL cert.

Only exception is when you're testing, sometimes setting up local sites with an SSL cert can be useful.

When in doubt... Don't do it...

Was the PFX converted prior to being applied to Cloudflare?
openssl convert .pfx to I think it is PEM format (this is where the data is in text where you can see -- Begin ....)
Once you have that, you can use the following to strip out the password requirement from the private key.
https://knowledge.digicert.com/solution/SO5292.html

A pfx is just a PKCS#12 file and it can be unpacked & exported; just use openssl pkcs12 commands for handling it.
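
Added example (not part of the original thread and not any poster's own commands): the openssl pkcs12 unpacking described in the comments above, shown end to end. It extracts the key without a passphrase, keeps the file owner-readable only, and checks that the key matches the certificate. The file names, the CN and the password are constructed placeholders, and the sample PFX is generated locally so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: unpack a password-protected PFX (PKCS#12) into PEM files.
# The PFX password is passed via the environment (env:PFX_PASS) rather than
# on the command line, so it does not show up in the process list.

# Build a throwaway key, self-signed cert and PFX (constructed sample data).
make_sample_pfx() {  # $1 = work dir, $2 = export password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
  PFX_PASS="$2" openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
    -out "$1/site.pfx" -passout env:PFX_PASS
}

# Extract the private key with no passphrase, then the certificate.
extract_pfx() {  # $1 = pfx file, $2 = export password, $3 = output dir
  (
    umask 077  # the unprotected key file is created readable by its owner only
    # -nodes: write the key unencrypted. Piping through "openssl pkey"
    # drops the "Bag Attributes" lines and leaves a clean PEM block.
    PFX_PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes \
      -passin env:PFX_PASS 2>/dev/null | openssl pkey -out "$3/site.key"
  ) &&
  PFX_PASS="$2" openssl pkcs12 -in "$1" -clcerts -nokeys \
    -passin env:PFX_PASS 2>/dev/null | openssl x509 -out "$3/site.crt"
}

# Confirm the key belongs to the certificate by comparing their public keys.
key_matches_cert() (  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Demo on constructed data in a temporary directory.
work=$(mktemp -d) &&
  make_sample_pfx "$work" 'constructed-pass' &&
  extract_pfx "$work/site.pfx" 'constructed-pass' "$work" &&
  key_matches_cert "$work/site.key" "$work/site.crt" &&
  echo "key matches certificate"
rm -rf "$work"
```

A PFX exported from an older Windows server may use algorithms that OpenSSL 3 only reads when the -legacy option is added to the pkcs12 commands. The resulting site.key has no passphrase, so anyone who can read the file can use the key.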
Yashy

ASKER

My colleague who requested it is part of my team. He merely liaises with our hosting providers who apply the certificates. I used to do it in the past. But since we moved to Cloudflare, I've delegated this to him.

I appreciate all of the support and feedback.

If the person asking for the key is trusted, then provide him with the key file.

No clue as to what this person means by unencrypted key, so give them the key + they can do whatever they like with the key.