Score:1

Generate PFX file from private key and CRT files

gb flag

I'm trying to create a PFX file for my website hosted on Azure.

I generated mycsr.csr as well as privatekey.key, and from Entrust I received back 3 files: root.crt, Intermediate.crt and ServerCertificate.crt.

I've tried to create my PFX file with the following command

    "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out myPrivateCert.pfx -inkey PRIVATEKEY.key -in ServerCertificate.crt

This does generate a PFX file but when I try to upload it to Azure it says

    The password is incorrect, or the certificate is not valid

I know I entered the password correctly, so I feel I generated the PFX incorrectly.

I'm new to SSL certificates and I'm not quite sure of the differences between the 3 CRT files I was returned. Any help is appreciated.

EDIT

I tried merging the 3 CRT files into one chain.pem file such that the ServerCertificate file was first, then Intermediate, then root.

I then tried to generate the PFX file with this command:

    "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in chain.pem -inkey PRIVATEKEY.key -export -out myPrivateCert.pfx

Again this PFX file won't upload to Azure.


cn flag
What about importing the certificate on a vanilla Windows endpoint? Does that work?
cn flag
Try certutil: https://serverfault.com/questions/790786/convert-crt-and-key-to-pfx/790845
Score:1
gb flag

I followed the steps from @Lacek but it was only part of my problem. The PFX file generated after his steps still wasn't accepted by Azure. Here's the complete solution.

  1. Combine the CRT files (ServerCertificate.crt, then Intermediate.crt, then root.crt) into a single chain.pem file.

  2. Export this file as a PFX using OpenSSL:

    openssl.exe pkcs12 -in chain.pem -inkey PRIVATEKEY.key -export -out myPrivateCert.pfx

  3. Import this PFX file into MMC (Microsoft Management Console). It is important that when you import it you check "Mark this key as exportable...".

  4. Once the PFX file is imported, right-click on the server certificate and then "Export..." it.

  5. When exporting, be sure to check "Yes, export the private key". Then on the next page choose the "PFX" option and check "Export all extended properties". Give the file a password, then save the file. The PFX file generated from the MMC app will upload to the Azure Portal correctly.

I'm not an expert in SSL certificates, so I'm not sure if all of these steps are necessary; I just know that they worked for me.

I also have no clue about the differences between the PFX file generated by OpenSSL and the PFX file generated by MMC, but clearly there's a difference and Azure prefers the latter.

Hope this helps someone else.

cn flag
Seems like a good example of OpenSSL vs using the native operating system tools.
Score:0
lk flag

I am sorry if I am late in this post.... I have just seen it...

The problem is that you have to import the PFX certificate on the same computer on which you ran the command:

    "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out myPrivateCert.pfx -inkey PRIVATEKEY.key -in ServerCertificate.crt

In THAT PARTICULAR COMPUTER the certificate password will work.

You have to make sure that you mark the private key as exportable (in the import process). So you can export it again from MMC console and assign the same or a new password. AND THIS PASSWORD will work in any other Windows computer.

I hope this can help anyone.

Gerardo

Score:0
in flag

Your problem (probably) is that the PFX file does not contain all the certificate chain, so if the intermediate is not trusted, your certificate won't be trusted as well.

What you need to do is copy all the certificates into one file, from "leaf" to "root", i.e. the server certificate should be the first, then the intermediate, then the root. For this, the certificate files must be in PEM format (from the command in your post it seems they are). So what you need is to concatenate all the certificates into one file:

    type ServerCertificate.crt Intermediate.crt root.crt >chain.pem

then convert the resulting file to PKCS12:

    openssl.exe pkcs12 -in chain.pem -inkey PRIVATEKEY.key -export -out myPrivateCert.pfx

This way the resulting file should contain all the certificates in the chain, and the relation between them.

Stanton avatar
gb flag
I tried as you suggested (albeit I had to modify the PEM file, since the `-----END CERTIFICATE-----` ended up on the same line as the `-----BEGIN CERTIFICATE-----` and apparently they need to be on different lines). I then generated the PFX file using this chain.pem. The resulting PFX file was still rejected by Azure.
Andrew Henle avatar
ph flag
@Stanton I suspect it might work if you replaced `type ServerCertificate.crt Intermediate.crt root.crt >chain.pem` with `type Intermediate.crt root.crt >chain.pem`, leaving the server's cert itself out of the `chain.pem` file.
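The chain concatenation and ordering this answer describes, together with the "END and BEGIN on the same line" damage reported in the first comment, as an added example that is not part of the original thread: a pure-Python checker (standard library only) that splits a chain.pem even when the markers have collided, re-emits a clean file, and verifies leaf -> intermediate -> root order by comparing each certificate's DER-encoded issuer with the next certificate's subject, requiring the last one to be self-issued. The certificates it runs on are constructed stand-ins with an X.509 shape but a bogus signature and no key, so the DER parser can be exercised offline; the function names (`split_pem_chain`, `check_chain_order`, ...) are mine, not from OpenSSL or any Microsoft tool.

```python
import base64
import re

# Added example, not code from the original thread. Works on real DER/PEM
# certificates; the fake_cert() data at the bottom is constructed test input only.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def split_pem_chain(text):
    """Return the DER bytes of each certificate in `text`, in file order.

    Tolerates `type a.crt b.crt > chain.pem` output where a file lacked a trailing
    newline (END and BEGIN on one line) and ignores any non-PEM text around blocks.
    """
    ders = []
    for m in _PEM_BLOCK.finditer(text):
        b64 = re.sub(r"\s+", "", m.group(1))
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def to_pem(der):
    """Re-encode DER as a well-formed PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def normalize_chain(text):
    """Rewrite a damaged chain file so every marker sits on its own line."""
    return "".join(to_pem(d) for d in split_pem_chain(text))


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings from an X.509 certificate."""
    tag, vs, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, end = _tlv(der, vs)              # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = []
    while pos < end:
        t, _, e = _tlv(der, pos)
        fields.append((t, der[pos:e]))         # keep the whole TLV for byte comparison
        pos = e
    if fields[0][0] == 0xA0:                   # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def check_chain_order(ders):
    """Return a list of problems; empty means leaf -> ... -> self-issued root."""
    if not ders:
        return ["no certificates found"]
    names = [subject_issuer(d) for d in ders]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:     # issuer(i) must equal subject(i+1)
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-issued: root missing or order wrong")
    return problems


# --- constructed test data (NOT real certificates: bogus signature, empty key) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        ln = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + content


def _name(cn):                                 # Name holding a single CN attribute
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Structurally X.509-shaped DER for exercising the parser above."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))


ROOT = fake_cert("Test Root", "Test Root")
INTER = fake_cert("Test Intermediate", "Test Root")
LEAF = fake_cert("www.example.test", "Test Intermediate")

# What `type ServerCertificate.crt Intermediate.crt root.crt > chain.pem` produces when
# the first two files have no trailing newline: END and BEGIN collide on one line.
BROKEN_CHAIN = to_pem(LEAF).rstrip("\n") + to_pem(INTER).rstrip("\n") + to_pem(ROOT)

if __name__ == "__main__":
    print(check_chain_order(split_pem_chain(BROKEN_CHAIN)))   # []
    print(normalize_chain(BROKEN_CHAIN), end="")
```

On a real file, `check_chain_order(split_pem_chain(open("chain.pem").read()))` should print an empty list before you hand the normalized output to `openssl pkcs12 -export`; a non-empty list means a certificate is missing or the files were concatenated in the wrong order. One caveat the thread does not spell out: OpenSSL 3.x writes PKCS#12 files with AES-256-CBC/PBKDF2 encryption and a SHA-256 MAC by default, which older Windows-based PKCS#12 importers cannot read and report as a wrong password; adding `-legacy` (or, without the legacy provider, `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1`) to the `openssl pkcs12 -export` command produces the older TripleDES/SHA-1 encoding, which is also what the MMC export wizard emits by default.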