12

I would like to work with certificates, and the third-party authority sent me these values:

-----BEGIN CERTIFICATE-----
[...]Many letters and digits[...]
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
[...]Many letters and digits[...]
-----END RSA PRIVATE KEY-----

But I need a .cer file to put in my IIS. How can I create this .cer file?

Thanks in advance for any answers.

splattne

3 Answers

15

What you've been given is a Certificate (the public part, signed by a trusted party) and the associated key (the private part). In simple terms it's the private key that allows your app to sign stuff in a way that the remote party can then validate using the public part, the certificate. Your server needs to have both linked together so that protocols like SSL\TLS can work properly.

In your case you have been given a complete pair, not just the Cert. The format you have been given is called PEM and unfortunately Windows Certificate Manager can't import that natively (to the best of my knowledge).

The quickest way I've found to convert it is to install OpenSSL somewhere and convert the file you have to PKCS#12 format using the following command. You will need to break the file you got from the CA into two parts, one containing the certificate block called "certificate.txt" and one containing the private key block called "key.txt":

openssl pkcs12 -export -out mycertkey.p12 -in certificate.txt -inkey key.txt

Once you have the PKCS#12 format file you can import it into Windows:

  • Open the MMC ( Start -> Run -> MMC.exe ) and then select add\remove snap-in and add in the Certificates snap in.
  • Select "Computer Account" as the context.
  • Right click the "Personal" folder and select the "Tasks>Import"
  • Find the mycertkey.p12 file you created and import the certificate and private key into the Computer's Certificate store.

Once the cert is installed you can now assign it from within IIS (this may vary a bit depending on IIS version)

  • Open your IIS Management Console and right click the domain you want to assign the certificate to.
  • Select Properties
  • Select the "Directory Security" tab, and then "Server Certificates"
  • Follow the Certificates Wizard prompts, selecting Next, then select "Assign Certificate" and then Next again.
  • Find and select the certificate you have just imported and click OK.

That should do it.

Helvick
  • thanks for your detailed answer, but openssl tells me: "Loading 'screen' into random state - done unable to load private key" – Feb 09 '10 at 12:35
  • and now, I have a "no certificate matches private key" – Feb 09 '10 at 13:22
  • Possibly something got corrupt while splitting the PEM format file. If you try the OpenSSL command using the original file from your CA as both the -in file and -inkey file it should work too. If it can match the pair it will prompt you for a password for the p12 output file. – Helvick Feb 09 '10 at 13:54
  • should be that, I've re-exported the file, and it's ok. Thanks a lot for your help – Feb 09 '10 at 14:40
  • In your openssl command, changing the output filename from mycertkey.p12 to mycertkey.pfx will allow easier import. PFX is a registered file extension in Windows that you can just double click on to start the certificate import wizard. – Ryan Bolger Feb 09 '10 at 18:26
  • @Ryan - I'm pretty sure that will result in the cert\key pair going into the user's cert store - I've always preferred to put certs where I know they belong. – Helvick Feb 09 '10 at 18:41
  • @Helvick Now that you mention it, I think you're right. – Ryan Bolger Feb 09 '10 at 23:28
  • @Helvick - For the sake of breaking the file into two, how do you recognize how much of it is the private key block and how much is the certificate block? – Zameer Ansari Aug 09 '15 at 20:24
  • In a PEM format file you should be able to use BEGIN CERTIFICATE/END CERTIFICATE and BEGIN RSA PRIVATE KEY/END RSA PRIVATE KEY to decide, but it will be safer to use something like OpenSSL to import the source file and then export the cert(s) and keys separately; that way you get some confidence that they are valid. – Helvick Aug 10 '15 at 08:00
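The conversion described in this answer and the two failure modes from its comments (a key that fails to load after a bad split, and a certificate that does not belong to the key) scripted as an added example. This is not code from the original answer or its author; it assumes the CA bundle is a single PEM file with one certificate block and one private key block, a POSIX shell and an `openssl` binary on PATH. The function names `split_pem`, `keys_match` and `build_pfx`, the script name `pem2pfx.sh` and the `PFX_PASSWORD` variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original answer: take the combined PEM
# bundle the CA sent, split it into certificate and key, verify that the two
# actually belong together (the "no certificate matches private key" failure
# from the comment thread), and only then build the PKCS#12/PFX file for Windows.
set -eu

# Write the certificate block(s) of PEM bundle $1 to $2 and the private key block to $3.
# Splitting on the BEGIN/END markers avoids the hand-editing mistake that produced
# "unable to load private key". The key may be "RSA PRIVATE KEY", "EC PRIVATE KEY"
# or "PRIVATE KEY" (PKCS#8); all three are matched.
split_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" > "$2"
    sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' "$1" > "$3"
    [ -s "$2" ] || { echo "no CERTIFICATE block found in $1" >&2; return 1; }
    [ -s "$3" ] || { echo "no PRIVATE KEY block found in $1" >&2; return 1; }
}

# Return 0 when the certificate in $1 was issued for the private key in $2.
# Both sides are reduced to the same SubjectPublicKeyInfo PEM and compared, which
# works for RSA and EC keys alike (the classic "-modulus" comparison is RSA-only).
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build PKCS#12 file $3 from certificate $1 and private key $2, protected with password $4.
# Same command as the answer, with the password supplied non-interactively.
build_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Stand-alone use:  PFX_PASSWORD=secret sh pem2pfx.sh bundle.pem mycertkey.pfx
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    split_pem "$1" "$tmp/cert.pem" "$tmp/key.pem"
    if ! keys_match "$tmp/cert.pem" "$tmp/key.pem"; then
        echo "certificate and private key do not match; re-export the bundle from the CA" >&2
        exit 1
    fi
    build_pfx "$tmp/cert.pem" "$tmp/key.pem" "$2" "${PFX_PASSWORD:-}"
    echo "wrote $2; import it into the Computer account's Personal store, not the user's"
fi
```

The resulting .pfx is imported through the Certificates snap-in exactly as the answer describes (Computer Account, Personal store). If a current OpenSSL 3 build produced the file and an older Windows version rejects it on import, the cause is usually the newer default PKCS#12 encryption; regenerating with `openssl pkcs12 -export -legacy ...` produces the older algorithms those versions understand.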
1

This article covers the process of creating a certificate request and installing the certificate once the signing authority (GoDaddy, Thawte, etc.) has issued your certificate.

ThatGraemeGuy
0

The string you pasted is a Base64-encoded DER X.509 certificate.

What certificate file format does IIS expect? The simplest try is to save this stuff in a .cer file and pass it to IIS.

See http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions for details