I applied for an SSL certificate, and after the application process I got a file containing base64-encoded data between the following lines.

-----BEGIN PKCS7-----
-----END PKCS7-----

When I try to install SSL on my website, I get "invalid certificate format".

Does this file contain a private key? How can I convert this file to obtain a standard .crt file?

nbering
ozgur
  • It’s PKCS7. Questions on how to use OpenSSL are off topic here. Voting to close. – Tobi Nary Apr 28 '18 at 17:59
  • @SmokeDispenser Can you point to any resources that indicate this would be off-topic? – nbering Apr 28 '18 at 23:16
  • @nbering there is no list of off-topic questions. Yet, as this is a question of tool usage, it is in the domain of SU. Just like the question how to programmatically invoke OpenSSL to recode this would be off-topic here and on-topic on SO. – Tobi Nary Apr 28 '18 at 23:42
  • @SmokeDispenser I must respectfully disagree. The [help section](https://security.stackexchange.com/help/on-topic) clearly indicates that "security tools" and "using cryptography" are explicitly on-topic. – nbering Apr 28 '18 at 23:50
  • @nbering well, then that is where community consensus comes in and the review queue will decide :) – Tobi Nary Apr 29 '18 at 00:31
  • Mostly dupe https://security.stackexchange.com/questions/73156/whats-the-difference-between-x-509-and-pkcs7-certificate/73201#73201 . What software is your 'website'? Some SSL/TLS/HTTPS servers can use PKCS7 format for their cert(s) and some can't. p7 never _contains_ the privatekey, but must be used in combination with a privatekey. If your p7 contains one cert, `openssl pkcs7 -print_certs` converts it to cert-as-PEM and `openssl x509 -outform der` converts that to cert-as-DER. If your p7 contains more than one cert, there is no single standard 'crt' format, it depends on the software. – dave_thompson_085 Apr 29 '18 at 08:30
  • [Off-topic](https://security.meta.stackexchange.com/questions/1842/are-question-on-how-to-use-security-hard-software-on-topic). Sorry ozgur. – Tom K. May 01 '18 at 13:04

1 Answer

Your certificate authority should not be giving you your private key. You should have generated it before making a CSR and including the public key (corresponding to the private one) in the CSR. The CA then signed the public key, without ever knowing your private key. Therefore, the private key should be on your PC and the CA cannot give it to you. It should not have it.

What they should give you is a certificate that confirms the public key (and by extension the private key) really belongs to you and is not some random key generated by an attacker.

Peter Harmann
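The conversion mentioned in the comments and the key-ownership point from the answer, as an added shell example that is not part of the original thread: it extracts the certificate from a PEM PKCS#7 file, confirms the file carries no private key, and checks that the certificate belongs to the locally generated key. It assumes the `openssl` CLI is installed; the file names, the `example.test` subject and the self-signed certificate standing in for a CA reply are constructed for the demo.

```sh
#!/bin/sh
# Added example: names, paths and the CN are constructed for this demo.
set -eu

# Build a stand-in for the CA reply: a locally generated key, a self-signed
# certificate for it, and that certificate wrapped as PEM PKCS#7.
make_sample() {  # usage: make_sample DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/issued.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$1/issued.crt" -out "$1/reply.p7b"
}

# Write every certificate in the PKCS#7 file to OUT as PEM; print how many.
p7b_to_pem() {  # usage: p7b_to_pem IN.p7b OUT.pem
    openssl pkcs7 -in "$1" -print_certs |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
    grep -c 'BEGIN CERTIFICATE' "$2" || true
}

# True only if OpenSSL can load a private key from FILE.
contains_private_key() {
    openssl pkey -in "$1" -noout 2>/dev/null
}

# True if the certificate's public key is the one derived from the private key.
cert_matches_key() {  # usage: cert_matches_key CERT.pem KEY.pem
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
    d=$(mktemp -d)
    make_sample "$d"
    echo "certificates extracted: $(p7b_to_pem "$d/reply.p7b" "$d/site.crt")"
    if contains_private_key "$d/reply.p7b"; then echo "p7b holds a private key"
    else echo "p7b holds no private key"; fi
    if cert_matches_key "$d/site.crt" "$d/site.key"; then echo "certificate matches site.key"
    else echo "certificate does NOT match site.key"; fi
    rm -rf "$d"
}
demo
```

If `p7b_to_pem` reports more than one certificate, the output file is a chain, and which of those certificates the server wants in which file depends on the server software.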