Ensure that the certificate(s) and key are in PEM format:
To convert the private key from PFX to PEM:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
To convert the public key (certificate) from PFX to PEM:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
To remove the passphrase from a private key in PEM format:
openssl rsa -in key.pem -out server.key
To convert a certificate from DER to PEM:
openssl x509 -in input.crt -inform DER -out output.crt -outform PEM
To convert a key from DER to PEM:
openssl rsa -in input.key -inform DER -out output.key -outform PEM
To convert a key from NET to PEM:
openssl rsa -in input.key -inform NET -out output.key -outform PEM
Use the openssl command to read the PEM encoded certificate(s) and
key and export to a single PKCS#12 file as follows:
openssl pkcs12 -export -in input.crt -inkey input.key -out output.p12
By default the key will be encrypted with 3DES so you will be prompted for
an export password (which may be blank).
The PEM formatted root certificate and any other certificates in the chain
can be concatenated into a single file (for example, root.crt) and included
in the PKCS#12 file as follows:
openssl pkcs12 -export -in input.crt -inkey input.key -certfile root.crt -out bundle.p12
Some PKCS#12 implementations require that a friendly name be specified using the
-name flag (for example, -name "Friendly Name"), which may be displayed on import.
There is an obsolete format called PFX which is incompatible and not to be confused
with PKCS#12, even though Microsoft uses the ".PFX" extension in addition to ".P12"
for PKCS#12 files.
Private key files and digital certificates are generated in either PEM or
Distinguished Encoding Rules (DER) format.
A PEM (.pem) format private key file begins and ends with the following
lines, respectively:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
A PEM (.pem) format digital certificate begins and ends with the following
lines, respectively:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Note: If you are creating a file with the digital certificates of multiple
certificate authorities or a file that contains a certificate chain, you must
use PEM format. WebLogic Server provides a tool for converting DER format
files to PEM format, and vice versa.
An unencrypted PEM file might look something like this:
-----BEGIN CERTIFICATE-----
MB4CGQDUoLoCULb9LsYm5+/WN992xxbiLQlEuIsCAQM=
-----END CERTIFICATE-----
The string beginning with MB4C... is the Base64-encoded, ASN.1-encoded object.
An encrypted file would have headers describing the type of encryption used, and
the initialization vector:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C814158661DC1449
AFAZFbnQNrGjZJ/ZemdVSoZa3HWujxZuvBHzHNoesxeyqqidFvnydA==
-----END RSA PRIVATE KEY-----
The two headers Proc-Type and DEK-Info declare the type of encryption, and the
string starting with AFAZ... is the Base64-encoded, encrypted, ASN.1-encoded object.
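An added example, not part of the original notes: a small Python parser for the PEM container just described. It splits a concatenated bundle into its blocks, reads the Proc-Type and DEK-Info headers of a legacy-encrypted key, and base64-decodes each body so you can confirm that an unencrypted block really holds a DER SEQUENCE before handing it to a tool. The sample input is constructed from the two snippets shown above.

```python
import base64
import re
from dataclasses import dataclass
# Constructed sample: the two PEM objects shown in the notes above, concatenated like a bundle.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MB4CGQDUoLoCULb9LsYm5+/WN992xxbiLQlEuIsCAQM=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C814158661DC1449

AFAZFbnQNrGjZJ/ZemdVSoZa3HWujxZuvBHzHNoesxeyqqidFvnydA==
-----END RSA PRIVATE KEY-----
"""
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")  # base64 text never contains ':'

@dataclass
class PemBlock:
    label: str     # text between "BEGIN " and "-----", e.g. CERTIFICATE
    headers: dict  # Proc-Type / DEK-Info lines of a legacy-encrypted key
    der: bytes     # decoded body: DER bytes, or raw ciphertext when DEK-Info is set
    def encrypted(self) -> bool:  # legacy keys say so in Proc-Type, PKCS#8 keys in the label
        return "ENCRYPTED" in self.headers.get("Proc-Type", "") or self.label.startswith("ENCRYPTED")
    def dek_info(self):  # (cipher name, IV bytes) from DEK-Info, or None if absent
        cipher, _, iv_hex = self.headers.get("DEK-Info", "").partition(",")
        return (cipher.strip(), bytes.fromhex(iv_hex.strip())) if cipher else None
    def is_asn1_sequence(self) -> bool:  # certs and PKCS#8 keys are DER SEQUENCEs (tag 0x30)
        return self.dek_info() is None and self.der[:1] == b"\x30"  # legacy ciphertext is not DER

def parse_pem(text: str) -> list:
    blocks, label, headers, body = [], None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:                              # outside any block: look for BEGIN
            if m := _BEGIN.match(line):
                label, headers, body = m.group(1), {}, []
        elif line.startswith("-----END "):
            if line != f"-----END {label}-----":
                raise ValueError(f"END line does not match BEGIN {label}: {line}")
            blocks.append(PemBlock(label, headers, base64.b64decode("".join(body), validate=True)))
            label = None
        elif (m := _HEADER.match(line)) and not body:  # headers come before the body
            headers[m.group(1)] = m.group(2)
        elif line:                                     # skip the blank separator line
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated PEM block: {label}")
    return blocks
```

Running parse_pem over a chain file built by concatenation, as in the bundle example above, returns one block per certificate, so you can count them and check each label before packaging them into PKCS#12.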
For OpenSSL applications, the PEM format should suffice. For Java applications,
the DER format might be more suitable for importing the private key and
certificates.
*key-rsa.pem for pem files
*key-rsa.der for der files
For certificates, the available formats are PEM, DER and PKCS12 with file names
of the following type:
*cert.pem for pem files
*cert.der for der files
*cert.p12 for pkcs12 files
In general, the PEM formats are mostly used in the Unix world, PKCS12 in the
Microsoft world and DER in the Java world.
How to Use OpenSSL to Create PKCS#12 Certificate Files
http://support.citrix.com/article/CTX106630
The documentation of the OpenSSL conversion tools can be found here:
[PKCS8 == DER, PKCS12 == PFX]
http://www.mkssoftware.com/docs/man1/openssl_pkcs8.1.asp
and
http://www.mkssoftware.com/docs/man1/openssl_pkcs12.1.asp
Your best choice is to use PFX [alias PKCS#12 files] files.
OpenSSL can convert your key to PFX format and the CryptoAPI
can import those files.
First you'll have to convert your private key to the PEM file format.
You can use the following command if you have a compiled version of
OpenSSL installed:
openssl pkcs8 -inform DER -in key.der -out key.pem
After that you can convert the PEM encoded certificate and key to a PKCS#12
file. You can use the following command:
openssl pkcs12 -export -in certificate.pem -inkey key.pem -out certificate.pfx -name "My Certificate"
You can then either load the PFX file directly from the Security Library
[CertificateStore.CreateFromPfxFile(...)] or import them manually into a
certificate store [by double-clicking the pfx file in explorer for instance]
and then load them by opening the certificate store for your code.
Q: Do I need to combine the intermediate and root certificates in some way?
A: All will be well if you place the server certificate together with the
intermediate certificates in the same certificate store, and the root
certificate in the ROOT store.
Yes, and potentially the intermediate certificates. You shouldn't bother with
the root certificate because most of the time the SSL servers don't send the
root CA certificate to the client (the point of certificate authorities is
that the client already has the root CA certificate).
CONVERT pkcs12 to pem
#!/bin/sh
#
echo "copy your cert to cert.p12 - then run this script"
#
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem
openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem
CONVERT pem to pkcs12
#!/bin/sh
#
echo "Verify that you are using the correct certificate pair (key/cert)"
#
openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem