
I have been supplied a certificate file, CSR, public key and private key by my SSL cert reseller, all in txt files with ciphertext inside. I have to renew an SSL cert hosted on an IIS server, and the cert has to have the private key included inside for IIS to accept it. My questions:

  1. What file extension does the cert file need to be in? (I will rename the txt file with ciphertext to this extension.)

  2. What file extension does the private key need to be in? (I will rename the txt file with ciphertext to this extension.)

  3. I understand you can use OpenSSL to insert the private key into the cert. What command do I use for OpenSSL?

  4. Obviously the cert and key will have to be in the correct format for OpenSSL to work. I have tried a number of different combinations but no luck yet!


1 Answer


I have been supplied a certificate file; CSR; Public Key and Private key by my SSL Cert reseller, all in txt files with ciphertext inside

It's a bit unusual for a CA (or reseller) to provide the private key to a customer. (In fact I would almost call that malpractice.) Generally the whole point of the CSR process is that the customer generates the private key and the CA (or reseller) never gets to touch it.

What file extension does the private key need to be in? (I will rename the txt file with ciphertext to this extension.)

The file extension doesn't matter. It's the format inside the file that matters to OpenSSL (and IIS), and renaming the file isn't going to change that.

I understand you can use OpenSSL to insert the private key into the cert. What command do I use for OpenSSL?

IIS, like most native Windows CAPI things, likely expects the certificate and key to be bundled into a PFX (PKCS#12) file, so you would use openssl pkcs12 -export to create that.

openssl pkcs12 -export -certfile Chain.txt -in Cert.txt -inkey Key.txt -out IIS.pfx

This is not really about "inserting the key into the cert". If that was the only thing, you could've done that with Notepad. The point here is to repackage both the cert and the key into a completely different format, which just happens to have both in a single file.

Obviously the cert and key will have to be in the correct format for OpenSSL to work. I have tried a number of different combinations but no luck yet!

OpenSSL accepts the "standard" text format (PEM for certificates, PEM or PKCS#8 for private keys) – the one with -----BEGIN FOO----- header lines – and the files you received from the CA were most likely generated specifically to work with OpenSSL-based software in the first place.

  • Fantastic, so I don't have to get so hung up on changing to the correct file extensions and can leave them as TXT. Yay! So in the command line, "openssl pkcs12 -export -certfile Chain.txt -in Cert.txt -inkey Key.txt -out IIS.pfx", Cert.txt is the certificate file, Key.txt is the private key, IIS.pfx is the combined cert & priv key file, but what is Chain.txt? What do I use for that? I only have the CSR and PubKey that we haven't used yet, so maybe one of those? I am really sorry if this is a dumb question.
    – Scott E
    Commented Jun 17 at 6:24
  • Chain.txt should have the "intermediate" or "certificate chain" as it's often called. Every commercial CA has at least a 3-tier setup (root CA, issuing subCA, customer cert) and the web server needs to have the middle (subCA) certs so that it could provide them to clients. AFAIK, for IIS it doesn't strictly need to be in the PFX – you can omit the option and import the subCA to the server's Windows cert store separately – as long as it's dealt with (i.e. "SSL Labs Analyzer" doesn't alert about it).
    Commented Jun 17 at 7:56
  • As for the CSR, it is completely useless once the certificate has been issued – its only purpose was to act as proof of key ownership when requesting the certificate issuance; afterwards it can safely be deleted. (That is, normally you would generate the private key directly on the server, you would make a CSR with it [e.g. using certutil.exe], and the CA would sign the CSR to convert it into a certificate... no sending private keys anywhere.)
    Commented Jun 17 at 7:56
  • OK, it seems I have a mismatch between the priv key and cert. Might need to get the cert reissued. I'll work that issue and report back.
    – Scott E
    Commented Jun 18 at 5:54
  • Amazing! Once I had a matching cert and key, following your original instructions to create the pfx made it oh so easy! Thank you so so much!!
    – Scott E
    Commented Jun 19 at 5:21
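The key/cert mismatch reported in the comments is exactly what the answer's `openssl pkcs12 -export` command fails on, so the script below (an added example, not the answerer's or asker's code) first checks that the PEM certificate and private key share the same public key, then builds the PFX with or without the Chain.txt intermediates and reads the leaf cert back out. The file names follow the answer; the `demo` function, its self-signed test cert and the export password are constructed for illustration.

```shell
# Added example, not from the original answer. Verifies that a PEM cert and
# PEM private key belong together BEFORE running "openssl pkcs12 -export",
# then builds the PFX and reads back the leaf certificate it contains.
set -eu

# SHA-256 of the DER-encoded public key taken from a cert ("cert") or a
# private key ("key"), so RSA/EC and PKCS#1/PKCS#8 inputs compare alike.
pubkey_fingerprint() {
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate's public key matches the private key.
keys_match() {
  [ "$(pubkey_fingerprint cert "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# Bundle cert + key (+ optional intermediate chain) into a PKCS#12 file.
# $1 cert  $2 key  $3 output .pfx  $4 export password  $5 chain file (optional)
# Note: OpenSSL 3 defaults to AES/PBKDF2 inside the PFX; older Windows
# releases cannot import that and need "-legacy" added to this command.
make_pfx() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
  fi
}

# Read back the subject of the leaf certificate stored in a PFX.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts | openssl x509 -noout -subject
}

# Constructed demo data: a throwaway self-signed cert whose key is Key.txt,
# plus an unrelated Other.key to reproduce the mismatch the asker hit.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=iis.example" \
    -keyout "$d/Key.txt" -out "$d/Cert.txt" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/Other.key" 2>/dev/null
  keys_match "$d/Cert.txt" "$d/Key.txt" && echo "Cert.txt <-> Key.txt: match"
  keys_match "$d/Cert.txt" "$d/Other.key" || echo "Cert.txt <-> Other.key: MISMATCH, reissue needed"
  make_pfx "$d/Cert.txt" "$d/Key.txt" "$d/IIS.pfx" changeit
  pfx_subject "$d/IIS.pfx" changeit
}
```

Run `demo` to see both outcomes; on real files, call `keys_match Cert.txt Key.txt` before `make_pfx`, because a mismatch is the usual reason the export step refuses to produce a PFX.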
