
I just bought a "Positive SSL certificate". The crt files and the bundle-ca from the issuing company (Sectigo) arrived via email. To generate the pfx I use the "PEM TO PKCS #12" converter on this site: https://decoder.link/converter. Is it necessary to insert the received bundle-ca in the "Bundle File" field? The pfx certificate is still generated even without inserting it, so I wonder what it is needed for and whether excluding it causes any security problems.

Sauron

1 Answer

A couple of things:

  1. NEVER EVER use online tools to convert PEM/KEY to PFX or PFX to PEM/KEY, because you compromise your private key. They will have a full copy of your certificate, including the private key, and can impersonate the entity identified in the certificate and potentially spoof you.

  2. Although not required, it is generally recommended to include the additional CA certificates in case they aren't present on target/client systems. These certificates will be sent to clients by the web server (assuming you are talking about a TLS certificate) and boost/simplify certificate validation on the client. In this case, clients are not required to have a copy of the intermediate CA certificate installed; it will be provided automatically during the TLS handshake from the bundle installed on the server.

Crypt32
  • Thanks for the tips. If I understand correctly, by including the bundle-ca during the generation of the pfx, can I avoid installing the CA authority in the root store? – Sauron Jun 30 '21 at 13:39
  • Certificates from the bundle are not automatically installed into the root store. Most operating systems prevent this. The root store is updated explicitly, either manually or using administrative tools. Certificate installation doesn't update the root store. – Crypt32 Jun 30 '21 at 13:41
  • I created a related question here: https://serverfault.com/questions/1068263/ – Sauron Jun 30 '21 at 14:08
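To show the two points of the answer in practice (keep the private key local, and put the intermediate CA bundle into the PFX so the server sends the chain), here is an added example using the `openssl` command line. It is not code from the asker, the answerer or Sectigo. It constructs a throwaway root/intermediate/server hierarchy in a temporary directory as a stand-in for the real certificates, assumes the bundle file contains only the intermediate CA (the root belongs in the client's trust store, not in the PFX), and then builds one PFX with the bundle and one without and counts the certificates inside each.

```shell
#!/bin/sh
# Added example: build a PKCS#12 (.pfx) locally with openssl instead of an
# online converter, and check whether the CA bundle made it into the file.
set -eu
: "${PFX_PASS:=changeit}"   # assumed export password; override via environment

WORK=$(mktemp -d)
cd "$WORK"

# --- Constructed test hierarchy (stand-in for the real Sectigo chain) ---
# Root CA (self-signed). In real life this lives in the client trust store.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Test Root" -days 2 2>/dev/null
# Intermediate CA, signed by the root; this is what a "bundle-ca" file carries.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Test Intermediate" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 2 -extfile inter.ext 2>/dev/null
# Server (leaf) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out server.crt -days 2 2>/dev/null
cp inter.crt bundle-ca.crt          # constructed stand-in for the emailed bundle

# make_pfx KEY LEAF BUNDLE OUT
#   Packs the private key and leaf certificate into OUT. When BUNDLE is a
#   non-empty path, its CA certificates are added with -certfile so the web
#   server can present the whole chain during the TLS handshake.
make_pfx() {
  if [ -n "$3" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
      -out "$4" -passout "pass:$PFX_PASS"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" \
      -out "$4" -passout "pass:$PFX_PASS"
  fi
}

# count_certs PFX
#   Prints how many certificates the PFX contains (key is not exported).
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# verify_chain LEAF INTERMEDIATE ROOT
#   Mirrors what a client does: trust only the root, use the intermediate as
#   an untrusted helper (as if the server had sent it). Returns 0 on success.
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Demonstration: the same key and leaf, with and without the bundle.
make_pfx server.key server.crt ""            nochain.pfx
make_pfx server.key server.crt bundle-ca.crt withchain.pfx
echo "certificates in nochain.pfx:   $(count_certs nochain.pfx)"
echo "certificates in withchain.pfx: $(count_certs withchain.pfx)"
if verify_chain server.crt inter.crt root.crt; then
  echo "chain verifies with the intermediate supplied alongside the leaf"
fi
```

Only the PFX built with `-certfile` carries the intermediate (two certificates instead of one); neither file contains the root, and importing either of them does not change the client's root store, which matches what the answer's comments say. Everything happens on the local machine, so the private key never leaves it.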