
I have decided to generate SSL for IIS. I have my own CSR and private key. The SSL certificate generated by CloudFlare is in PKCS7 format. I would like to combine it into one PFX file in order to import it into IIS.

I used to work with StartSSL certificates; I always worked with three files: my SSL crt, the private key and the intermediate crt.

With CloudFlare, the intermediate is missing. I have tried to skip it while generating the PFX with OpenSSL, but when I use it with the IIS server, I get a warning:

One or more certificates in the intermediate chain are missing...

There was no such message with the StartSSL PFX. Can I ignore it? What intermediate should I use? Or how can I make sure that the connection is properly encrypted?

EDIT

Obtained PKCS7 details

Issuer: California, San Francisco, CloudFlare Origin SSL Certificate Authority, CloudFlare, Inc., US

Subject: CloudFlare Origin Certificate, CloudFlare Origin CA, CloudFlare, Inc.

Certificate status: The issuer of this certificate could not be found.

pwas
  • Can you show the issuer and subject of the certificates that you obtained from CloudFlare? From that information, we might be able to help find the "missing" certificates. – Castaglia May 10 '16 at 19:59
  • See my edit, please – pwas May 10 '16 at 20:15
  • Great, thanks! For the certificate for that "CloudFlare Origin SSL" cert, see this [CloudFlare FAQ](https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-). – Castaglia May 10 '16 at 20:19
  • Thanks for the link! I have tried to embed it into the PFX file, but the same error occurred. When I imported the CloudFlare Origin cert into the system separately, yes, that was the point. Unfortunately, the origin SSL is not trusted :( – pwas May 10 '16 at 20:27
  • The "CloudFlare Origin SSL CA" cert, from the above link, is self-signed; _i.e._ it **is** the root CA. I'm not sure how you tell IIS to trust such root certs, though. – Castaglia May 10 '16 at 20:34
  • Of course I know I can trust it. And since traffic goes via CloudFlare it should not be a problem; users won't see the untrusted one :) – pwas May 10 '16 at 20:34
  • @Castaglia just moved it to Trusted in the proper snap-in within MMC. As mentioned, since traffic goes via CloudFlare, users won't see the untrusted Origin SSL CA. I want only to encrypt the connection CloudFlare <-> Host. Client <-> CloudFlare uses other SSL, so there is no problem. Thanks for the hints! – pwas May 10 '16 at 20:36
  • Glad I could help. I would recommend writing up your findings as a proper solution/answer to your own question, for the benefit of future ServerFault readers. – Castaglia May 10 '16 at 20:46

2 Answers

To solve the problem I needed to import the "CloudFlare Origin SSL" certificate as Trusted in the "Certificates" snap-in in MMC (Microsoft Management Console).

I do not know why embedding it in the PFX file does not work; maybe due to the untrusted CA certificate.

pwas


I used Cloudflare "Create Certificate" under "SSL/TLS" "Origin Server" "Origin Certificates". I was provided a certificate in PEM format and a private key.

I created a PFX file by combining the CloudFlare-provided origin server certificate PEM file, the CloudFlare-provided private key KEY file, and the CloudFlare-provided origin root certificate with the following command:

"C:\Program Files\OpenVPN\bin\openSSL.exe" pkcs12 -export -out xyz.net.pfx -inkey xyz.net.key -in xyz.net.pem -certfile origin_ca_rsa_root.pem

I imported the .pfx file into Internet Information Server (IIS). I did get the message "One or more certificates in the intermediate chain are missing". I ignored the message. CloudFlare proceeded to work with my web site using the option "your SSL/TLS encryption mode is full(strict)" aka end to end encryption using Cloudflare Origin CA certificate on my server.

As long as CloudFlare trusts the certificate, that is all that matters in this case.