Reputation: 151
I got an SSL certificate from GoDaddy and downloaded the certificate and two text files. I need a .pfx file for an Azure Web Service app. GoDaddy sent me two .crt files and two text files, one of which is titled "generate-private-key.txt". Question 1: Is the private key text file valid input as the key file for the OpenSSL pfx conversion utility? Question 2: Is there any indication in the .crt file names of which file to use as input to the OpenSSL utility?
Upvotes: 14
Views: 46657
Reputation: 1
For my use case - I am renewing a cert on a box. So there's a caveat here - this assumes you have the private key. Below I'm using a new cert (I just exported it afresh using the rekey option) with a known password.
# Set variables
$pfxPath        = "C:\Users\johnpope\Downloads\expiringexportedcertifcate.pfx"
$pfxPassword    = "YourExistingPfxPassword"
$newCrtPath     = "C:\Users\johnpope\Downloads\YourNewGodaddyCertForIIS.crt"
$privateKeyPath = $null   # Set this to the path of your private key (PEM) file if you have it separately
$newPfxPath     = "C:\Users\johnpope\Downloads\certificate.pfx"
$newPfxPassword = "YourNewPfxPassword"

# Make non-terminating errors (e.g. Get-Content on a missing file) terminating so the catch block below sees them
$ErrorActionPreference = 'Stop'

# Convert passwords to secure strings
$securePfxPassword    = ConvertTo-SecureString -String $pfxPassword -Force -AsPlainText
$secureNewPfxPassword = ConvertTo-SecureString -String $newPfxPassword -Force -AsPlainText

Write-Host "Starting certificate combination process..."
Write-Host "Existing PFX path: $pfxPath"
Write-Host "New CRT path: $newCrtPath"
if ($privateKeyPath) { Write-Host "Private Key path: $privateKeyPath" }
Write-Host "New PFX will be saved to: $newPfxPath"

try {
    # Load the private key, either from a separate PEM file or from the existing PFX
    if ($privateKeyPath) {
        Write-Host "Attempting to load private key..."
        $privateKeyContent = Get-Content $privateKeyPath -Raw
        # RSA.ImportFromPem needs .NET 5 or later (PowerShell 7); it does not exist in Windows PowerShell 5.1
        $privateKey = [System.Security.Cryptography.RSA]::Create()
        $privateKey.ImportFromPem($privateKeyContent)
        Write-Host "Private key loaded successfully."
    } else {
        Write-Host "Attempting to load existing PFX..."
        $existingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $securePfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
        Write-Host "Existing PFX loaded successfully. Subject: $($existingCert.Subject)"
        Write-Host "Private key present: $($existingCert.HasPrivateKey)"
        # GetRSAPrivateKey returns the RSA object that CopyWithPrivateKey expects;
        # the legacy .PrivateKey property is obsolete on .NET Core and can return $null there
        $privateKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($existingCert)
        if (-not $privateKey) { throw "No RSA private key found in $pfxPath" }
    }

    Write-Host "Reading new CRT file..."
    $newCertContent = Get-Content $newCrtPath -Raw
    Write-Host "New CRT file read successfully. Content length: $($newCertContent.Length) characters"

    Write-Host "Creating new certificate from CRT content..."
    # On Windows the byte[] constructor accepts a PEM (base64 with BEGIN/END lines) as well as a DER certificate
    $newCertBytes = [System.Text.Encoding]::UTF8.GetBytes($newCertContent)
    $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$newCertBytes)
    Write-Host "New certificate created. Subject: $($newCert.Subject)"

    Write-Host "Combining new certificate with private key..."
    # CopyWithPrivateKey requires .NET Framework 4.7.2 or later, or .NET Core; it fails if the key does not match the certificate
    $certWithKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($newCert, $privateKey)

    Write-Host "Exporting combined certificate as PFX..."
    # Only the leaf certificate is written; the GoDaddy intermediate certificates are not included in this PFX
    $pfxBytes = $certWithKey.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $secureNewPfxPassword)
    Write-Host "PFX exported successfully. Byte count: $($pfxBytes.Length)"

    Write-Host "Writing PFX to file..."
    [System.IO.File]::WriteAllBytes($newPfxPath, $pfxBytes)
    Write-Host "New PFX file created successfully at: $newPfxPath"
    Write-Host "PFX creation process completed. Please verify the new PFX file manually in IIS or using certificate management tools."
}
catch {
    Write-Host "An error occurred: $_"
    Write-Host "Error details: $($_.Exception.Message)"
    Write-Host "Error line: $($_.InvocationInfo.ScriptLineNumber)"
}
Upvotes: 0
Reputation: 215
I found this to be very complicated. Cobbling together these 13 steps was the equivalent of a Haynes manual 5 spanner job for me. Hope this helps and of course do provide feedback on whether any of these steps can be simplified.
For reference I host my apps on azure, and purchased a wildcard certificate from godaddy.
1. Create CSR (Certificate Signing Request):
a. Open IIS (Start, type IIS, you should get Internet Information Services; if not you may need to install IIS first) on your development machine locally.
b. Service Certificates, Create Certificate Request. Fill out your company details, these appear to be simple free text fields although I suspect the company name and address should match with what you've submitted to godaddy. Choose 2048 bit encryption.
c. Save CSR file on c: drive
2. Login to godaddy and rekey the certificate:
a. Login to godaddy, choose myproducts, certificates. Click your certificate then manage
b. Manage certificate section, paste in the text from your CSR file (open in notepad first locally) then 'add change'. Then 'Submit all changes'. It seemed to suggest then that I had to go all through domain verification now but this cleared when I refreshed after 5 minutes
3. Now in the 'Download Certificate' section, choose Server Type IIS then download zip file
4. Convert the crt file to a cer file:
a. Extract the files from the zip file
b. Double click the crt file,
c. Choose open, details tab, copy to file button then save the .cer file
5. Go back into IIS and choose 'Complete Certificate Request'. Feed it the .cer file you downloaded.
6. Choose a friendly name, I think this is only for your reference on your machine. Then OK. This should set your certificate up on your IIS locally.
7. Right click on the new certificate within IIS 'Server Certificates' section and choose export. Add a secure password (you'll need it later). You can now export the hallowed .pfx file
8. Login to azure, go to your appservice that you wish to secure, and choose the 'TLS/SSL settings' blade. Click the 'Private Key Certificates(.pfx) word at the top of the page (this is a tab).
9. Choose the plus button to the left of 'Upload Certificate'. Feed in your pfx file and your password from earlier.
10. Go back to bindings for your app. There is a small section marked 'Add TLS/SSL Binding' with a plus to the left of it; it looks like a heading but is in fact a button.
11. Your custom domain should be selectable (if not add a custom domain in the Custom Domains blade), choose your certificate that you uploaded in step 9, and choose SNI SSL. Add Binding button at the bottom.
12. Ensure the HTTPS Only slider is set to 'On'
13. Repeat for all your appservices.
Upvotes: 4
Reputation: 14158
First off, you normally generate a certificate request with your private key and then give the request to the CA (Go Daddy in this instance). That way the CA does NOT get their hands on your private key.
If you just asked for a certificate without a certificate request then the CA will have to have generated a private key for you (not really a good idea as this is the key to using your certificate and now the CA has access to it...). If you did this then the CA must supply you with the private key along with any password set on it (if any).
It is also recommended that you get the intermediate certificates between your generated certificate and the CA root certificate. These are useful as some clients will not be able to connect to your server without them being supplied, e.g. the Firefox browser.
So you want to combine the private key, CA supplied public certificate and the CA intermediate certificates into a PFX file to be used by your web server.
The private keys can be in one of two main formats. The certificate keys can come in a number of formats but the most likely are:
- DER - this is a binary format
- PEM - this is a text format - it's a base64 version of the DER format with headers and footers around it.
The file extensions are not always the best indicators of what the format is. Try viewing them in a text editor to see if it looks like binary or base64 text with headers and footers around them.
The basic command in openssl to generate a PFX file is the pkcs12 command.
You would normally do something like:
openssl pkcs12 -export -out name.pfx xxx
Where "xxx" depends on what you have to supply. If, for example, you have:
then the whole command will be:
openssl pkcs12 -export -out name.pfx -inkey key.pem -in cert.pem -certfile inter.pem
If you don't want to include the inter.pem just drop the "-certfile inter.pem" argument.
If any of your files are in the DER format you will need to convert them to PEM format first.
For certificates you use the openssl x509 command like this:
openssl x509 -in cert.der -inform der -out cert.pem
Converting private keys will depend on the type of private key, using the openssl rsa or ec commands. The command format is basically the same for converting keys as for certificates, but you use rsa or ec instead of x509.
Upvotes: 8
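As an added example that is not part of any answer above, the POSIX shell script below does with OpenSSL what the last answer describes (detect DER vs PEM by content, convert, run pkcs12) and what step 1 of the 13-step answer does in IIS (generate the key and CSR locally so the private key never leaves your machine). It also answers question 1 of the original post programmatically by checking that a key actually belongs to a certificate before building the PFX. It assumes openssl 1.1 or newer on PATH; the function names, the PFX_PASSWORD environment-variable convention and the sample subject are choices made for this example, not anything from GoDaddy or Azure.

```shell
#!/bin/sh
# Added example (not from any of the answers above): the GoDaddy -> PFX workflow
# done with OpenSSL. Assumes openssl 1.1 or newer on PATH. Function names and the
# PFX_PASSWORD environment-variable convention are this script's own choices.
set -eu

# Classify a key or certificate file by content, not by extension (the .crt/.txt
# names say nothing about the encoding). PEM is base64 between
# "-----BEGIN ...-----" / "-----END ...-----" lines; DER is binary ASN.1 whose
# first byte is the SEQUENCE tag 0x30.
detect_format() {   # file
    if head -c 256 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Equivalent of the IIS "Create Certificate Request" step: a 2048-bit RSA key
# generated locally plus the CSR to paste into GoDaddy's rekey form. The private
# key never leaves this machine, which is the point the last answer makes.
make_csr() {   # key.pem csr.pem "/CN=www.example.com"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# DER -> PEM conversion for certificates (openssl x509) and private keys.
# `openssl pkey` reads RSA and EC keys alike, so there is no need to choose
# between the rsa and ec subcommands by hand.
cert_to_pem() {   # in out
    if [ "$(detect_format "$1")" = DER ]; then
        openssl x509 -in "$1" -inform der -out "$2"
    else
        cp "$1" "$2"
    fi
}
key_to_pem() {   # in out
    if [ "$(detect_format "$1")" = DER ]; then
        openssl pkey -in "$1" -inform der -out "$2"
    else
        cp "$1" "$2"
    fi
}

# Question 1 of the original post: is this key the one for this certificate?
# Compare the public key derived from the private key with the public key
# inside the certificate. A mismatch means pkcs12 would either fail or produce
# a PFX the server cannot use.
key_matches_cert() {   # key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout -outform der 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform der 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The pkcs12 command from the last answer, with the key check in front of it.
# The optional fourth argument is the intermediate bundle (-certfile). The
# export password is read from the PFX_PASSWORD environment variable so it does
# not end up in shell history or in `ps` output. (If the consumer rejects the
# file, OpenSSL 3 can write the older PKCS#12 encryption with its -legacy option.)
build_pfx() {   # key.pem cert.pem out.pfx [inter.pem]
    key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
    if [ -n "${4:-}" ]; then
        openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$4" -out "$3" -passout env:PFX_PASSWORD
    else
        openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASSWORD
    fi
}

# How many certificates a PFX carries: 1 means the leaf only, more means the
# intermediates made it in (the last answer explains why you want them).
pfx_cert_count() {   # out.pfx   (PFX_PASSWORD in the environment)
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASSWORD 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Command-line use:  sh godaddy-pfx.sh csr key.pem req.csr "/CN=www.example.com"
#                    sh godaddy-pfx.sh check key.pem cert.crt
#                    PFX_PASSWORD=... sh godaddy-pfx.sh pfx key.pem cert.crt out.pfx [bundle.crt]
# With no arguments the script only defines the functions.
case "${1:-}" in
    csr)   make_csr "$2" "$3" "$4" ;;
    check) key_matches_cert "$2" "$3" && echo "key matches certificate" ;;
    pfx)   build_pfx "$2" "$3" "$4" "${5:-}" && echo "wrote $4" ;;
    *)     ;;
esac
```

The check in key_matches_cert is the one to run first when GoDaddy hands you several files and you are unsure which key goes with which certificate: it compares public keys, so it works for RSA and EC keys and does not care whether the inputs are DER or PEM once they have been through the conversion helpers.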