7

I have created an SSL keypair with OpenSSL. I uploaded the Certificate Signing Request to my SSL Certificate provider and got my certificate files.

I added my certificate and the required CA certificates to the certificate database using certutil. However, when I try to serve HTTPS pages, I get this error message: "Cannot find private key for certificate".

I have the private key in a .key file; however, it seems that certutil does not have an option to add keys to the key store, although it has the option to generate new keypairs and put them in the database.

Is there a way to get my private key into the key database from certutil?

Andrew Schulman
Steven Roose

1 Answer

14

No, certutil doesn't have an option to add private keys. You need to use pk12util for that.

If your private key is in PKCS12 format, you can add it to the key/cert database with

pk12util -i keyfile.key -d/path/to/database -W password

If it's in PEM format, you'll need to convert it to PKCS12 first by

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CAcert.crt

then import server.pfx with pk12util as above.

Unfortunately certutil and pk12util often don't come with man pages, but certutil -H and pk12util -H provide some help. There are also some online docs and man pages.

Steven Roose
Andrew Schulman
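
The conversion and import steps from the answer above, as an added shell example that is not part of the original answer: it first checks that the key actually belongs to the certificate, then passes the PKCS#12 password through a file instead of `-W`. The function names, the nickname argument and the temporary file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names and the
# nickname argument are assumptions made for illustration.

# Return 0 only if KEY and CERT contain the same public key. A mismatch
# leaves the certificate without a usable private key after import.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# usage: import_pem_to_nss KEY CERT NSSDB_DIR NICKNAME [CA_CHAIN]
import_pem_to_nss() {
    key=$1 crt=$2 db=$3 nick=$4 chain=${5:-}
    key_matches_cert "$key" "$crt" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    work=$(mktemp -d) || return 1      # mode 0700, holds key material
    rc=0
    # One-time password kept in a file: a password given with -W on the
    # command line is visible to other local users in the process list.
    openssl rand -hex 16 > "$work/p12pass" &&
    openssl pkcs12 -export -name "$nick" -inkey "$key" -in "$crt" \
        ${chain:+-certfile "$chain"} \
        -out "$work/server.pfx" -passout "file:$work/p12pass" &&
    # pk12util prompts for the NSS database password if one is set.
    pk12util -i "$work/server.pfx" -d "$db" -w "$work/p12pass" &&
    # List private keys; the nickname should now appear.
    certutil -K -d "$db" || rc=$?
    rm -rf "$work"                     # the .pfx contains the private key
    return $rc
}
```

Call it as `import_pem_to_nss server.key server.crt /path/to/database server-cert CAcert.crt`; the last argument is optional.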