
I am trying to install a Wildcard SSL Certificate in IIS on Windows Server. It only accepts the .pfx file format for importing & installing an SSL certificate for hosted applications. I got the .csr file from the CA as it was a wildcard cert.

I downloaded and installed OpenSSL for Windows (Latest version).

I placed the .crt file & .key file into C:\Program Files\OpenSSL-Win64\bin.

Then I ran this command to generate a random file:

set RANDFILE=C:\Program Files\OpenSSL-Win64\bin\<RANDOMFILENAME>.rnd

Then I ran this command to give the path of the config file:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

Finally, I ran this command:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

The result of this was:

unable to load private key
140406554043456:error:0909006C:PEM routines:
get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

I want to know if I'm making any mistake in the steps that I followed. I also want to know the reason for this error. I have a copy of the private key & .crt file.

Following are some more inputs which will make my question more specific:

  1. I have the copy of generated-private-key.key file & .crt file. I changed the file names before executing the OpenSSL command. I even created the random file & config file.

  2. The SSL certificate that I got from CA is a wildcard certificate, which I used to install on multiple subdomains of a customer. It was successful. Now while creating the .pfx file once again, I'm facing this problem.

  3. A .pfx file should be created only on the server which was used to create .csr file. In our case, we got the .csr file from CA as it was a wildcard certificate.

(Thanks in advance. Any help is appreciated)

  • Where did you get the .key file? How did you generate it? – Crypt32 Jun 21 '19 at 18:01
  • I got it from certificate authority. – Rajas Jun 22 '19 at 04:41
  • Then you need to contact the certification authority for additional help. – Crypt32 Jun 22 '19 at 12:57
  • I tried contacting them but they clearly said that they cannot provide any help. That's why I'm stuck. – Rajas Jun 22 '19 at 13:19
  • I can't tell from here what they sent you. The fact that they refuse to help may suggest switching to another CA. Also, if a CA sends you a private key, it is a very bad CA. The private key is generated by you, and you send the CA only a CSR with the public key inside. Try this command to check the private key: `openssl rsa -in privateKey.key -check` – Crypt32 Jun 22 '19 at 13:25
  • I tried this step. The key that I received is ----Begin Private Key---- ----End Private Key---- whereas, it should be ----Begin RSA Private Key---- ----End RSA Private Key---- – Rajas Jun 22 '19 at 14:18
  • this suggests that the content is PKCS#8 private key. But that's all. It is ok to have PKCS#8 key. – Crypt32 Jun 22 '19 at 14:19
  • Any way out of this? – Rajas Jun 22 '19 at 14:20
  • What does the `openssl rsa -in privateKey.key -check` command return? – Crypt32 Jun 22 '19 at 15:12
  • Rajas: if you told us the truth and it's really `----Begin Private Key----` that's very wrong. A correct PEM file has the BEGIN and END and type keywords in all uppercase and five not four hyphens before and after. And if you used a Windows program to create/copy this file, make sure the hyphens are really hyphens and not some other character Microsoft decided to substitute because they think it looks better, and also that the file is not in UTF-16 and does not begin with a BOM (which notepad calls UTF-8) -- i.e. it must be what notepad (ambiguously and imprecisely) calls ANSI. ... – dave_thompson_085 Jun 23 '19 at 03:14
  • ... As Crypt32 says, OpenSSL (including `pkcs12`) can read both 'traditional' (PKCS1) and PKCS8 PEM formats, as long as they are in fact PEM formats. And @Crypt32: `rsa` actually uses `PEM_read_PrivateKey` just like `pkcs12` does, so on the same input it will get the same error. – dave_thompson_085 Jun 23 '19 at 03:16
  • @dave_thompson_085 It has five hyphens & the characters are in uppercase. The file is in UTF-8 format. Should I try editing & saving it in ANSI? – Rajas Jun 24 '19 at 04:19
  • If you mean what Microsoft calls UTF-8 (which is not quite the actual standard) yes that includes BOM which makes the file invalid for OpenSSL, and can be removed by using what Microsoft calls ANSI (but in fact is not related to any actual ANSI standard or process at all). – dave_thompson_085 Jun 25 '19 at 14:10
  • Thanks again & again for helping & supporting. Can I try creating the pfx on Linux (I have a Kali Linux VM.)? Any specific steps to be taken on linux such as adding environment variable or random file generation before creating the pfx? Detailed steps for Linux will be most welcome! – Rajas Jun 26 '19 at 04:49
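The comment thread above boils down to one diagnostic question: is the key file actually the ASCII PEM text that OpenSSL's `PEM_read_PrivateKey` expects (five hyphens, uppercase `BEGIN`/`END`, no byte order mark, not UTF-16, real hyphens rather than typographic dashes), and if so, which key encoding does its label announce (PKCS#8 `PRIVATE KEY` versus PKCS#1 `RSA PRIVATE KEY`, both of which `openssl pkcs12` accepts)? The following script is an added example, written for this page and not code from the asker or the commenters; it performs those checks offline on the raw bytes of a key file and can rewrite the file into the canonical form, after which the original `openssl pkcs12 -export ...` command can be rerun unchanged. The sample inputs embedded at the bottom are constructed: the base64 body is a placeholder string, not a real key, and the first sample reproduces the mangling the asker described (UTF-8 BOM, four hyphens, mixed-case label).

```python
"""Diagnose and repair a PEM private-key file that OpenSSL rejects with
"no start line ... Expecting: ANY PRIVATE KEY".

Added example for this page; not code from the question or its commenters.
Checks performed (all on raw bytes, no OpenSSL needed):
  * UTF-16 encoding or a UTF-8 byte order mark before '-----BEGIN'
  * typographic dashes substituted for ASCII '-'
  * wrong hyphen count or lowercase BEGIN/END in the boundary lines
  * a label that is not a private key at all (e.g. a certificate)
  * mismatched END label, or non-base64 characters in the body
"""
from __future__ import annotations
import re

UTF8_BOM = b"\xef\xbb\xbf"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")
# Dash-like code points an editor may insert in place of '-' (hyphen, en/em dash, minus ...)
FANCY_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"
DASH_MAP = str.maketrans({d: "-" for d in FANCY_DASHES})
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
# Tolerant pattern used only to recognise a boundary line that is *almost* right.
LOOSE_BOUNDARY = re.compile(r"^-+\s*(begin|end)\s+(.+?)\s*-+$", re.IGNORECASE)

# BEGIN labels OpenSSL's PEM private-key reader accepts, and the encoding each one names.
KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted",
    "RSA PRIVATE KEY": "PKCS#1 (traditional RSA)",
    "EC PRIVATE KEY": "SEC1 (traditional EC)",
}


def decode_pem_bytes(data: bytes) -> tuple[str, list[str]]:
    """Turn raw file bytes into text, recording encoding problems OpenSSL would choke on."""
    problems: list[str] = []
    if data.startswith(UTF16_BOMS):
        problems.append("file is UTF-16 (Notepad 'Unicode'); OpenSSL needs plain ASCII text")
        text = data.decode("utf-16")  # the codec consumes the BOM and picks the byte order
    elif data.startswith(UTF8_BOM):
        problems.append("UTF-8 byte order mark before '-----BEGIN' (Notepad 'UTF-8')")
        text = data[len(UTF8_BOM):].decode("utf-8", errors="replace")
    else:
        text = data.decode("utf-8", errors="replace")
    return text, problems


def diagnose_pem(data: bytes) -> list[str]:
    """Return the reasons OpenSSL's PEM parser would fail on this file (empty list if clean)."""
    text, problems = decode_pem_bytes(data)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return problems + ["file is empty"]
    first, last = lines[0].translate(DASH_MAP), lines[-1].translate(DASH_MAP)
    if first != lines[0] or last != lines[-1]:
        problems.append("typographic dashes instead of ASCII '-' in the boundary lines")
    m = BEGIN_RE.match(first)
    if m is None:
        if LOOSE_BOUNDARY.match(first):
            problems.append("BEGIN line is malformed: OpenSSL needs exactly five hyphens "
                            "on each side and an uppercase BEGIN/label")
        else:
            problems.append("no '-----BEGIN ...-----' line at the start of the file")
        return problems  # nothing further can be judged without a header
    label = m.group(1)
    if label not in KEY_LABELS:
        problems.append(f"'{label}' is not a private-key label; this is a different PEM object")
    e = END_RE.match(last)
    if e is None:
        problems.append("no matching '-----END ...-----' line at the end of the file")
    elif e.group(1) != label:
        problems.append(f"END label '{e.group(1)}' does not match BEGIN label '{label}'")
    # Body must be base64; skip 'Proc-Type:'/'DEK-Info:' headers of encrypted PKCS#1 keys.
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
    if not re.fullmatch(r"[A-Za-z0-9+/=]*", body):
        problems.append("body contains characters outside the base64 alphabet")
    return problems


def key_format(data: bytes) -> str | None:
    """Name the key encoding announced by the BEGIN label, ignoring encoding noise."""
    text, _ = decode_pem_bytes(data)
    for ln in text.splitlines():
        m = BEGIN_RE.match(ln.strip().translate(DASH_MAP))
        if m:
            return KEY_LABELS.get(m.group(1))
    return None


def normalize_pem(data: bytes) -> bytes:
    """Rewrite the file as OpenSSL wants it: no BOM, ASCII hyphens, uppercase five-hyphen
    boundary lines, LF endings. The base64 body is passed through untouched."""
    text, _ = decode_pem_bytes(data)
    out = []
    for ln in text.splitlines():
        ln = ln.strip().translate(DASH_MAP)
        if not ln:
            continue
        m = LOOSE_BOUNDARY.match(ln)
        if m:
            ln = f"-----{m.group(1).upper()} {m.group(2).upper()}-----"
        out.append(ln)
    # Strict ASCII: any leftover non-ASCII byte means the file is corrupt, not just mis-saved.
    return ("\n".join(out) + "\n").encode("ascii")


# --- constructed samples (placeholder base64, not a real key) ---------------------------
FAKE_B64 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="
CLEAN_PKCS8 = f"-----BEGIN PRIVATE KEY-----\n{FAKE_B64}\n-----END PRIVATE KEY-----\n".encode()
NOTEPAD_MANGLED = UTF8_BOM + f"----Begin Private Key----\r\n{FAKE_B64}\r\n----End Private Key----\r\n".encode()
EN_DASH_PKCS1 = f"\u2013\u2013\u2013\u2013\u2013BEGIN RSA PRIVATE KEY\u2013\u2013\u2013\u2013\u2013\n{FAKE_B64}\n\u2013\u2013\u2013\u2013\u2013END RSA PRIVATE KEY\u2013\u2013\u2013\u2013\u2013\n".encode()
UTF16_KEY = CLEAN_PKCS8.decode().encode("utf-16")
CERT_NOT_KEY = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n".encode()

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PKCS8), ("notepad", NOTEPAD_MANGLED),
                         ("en-dash", EN_DASH_PKCS1), ("utf16", UTF16_KEY), ("cert", CERT_NOT_KEY)]:
        print(name, key_format(sample), diagnose_pem(sample) or "OK")
```

To apply it to a real file, read `privateKey.key` as bytes, print `diagnose_pem(...)`, and if the only findings are encoding or boundary-line problems, write `normalize_pem(...)` back out and rerun the `openssl pkcs12 -export` command from the question. If `key_format` reports a label that is not a private key, no amount of re-encoding helps: the wrong file was renamed to `.key`.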

0 Answers