
OpenSSL Guide to convert and install certificates on an email appliance (Part 2)

PART #3 About the Formats and Converting the certificates (thanks to sslshopper)

About the Formats:

PEM Format

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The sslshopper SSL Converter can only convert certificates to DER format; if you need to convert a private key to DER, use the OpenSSL commands below.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
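The relationship between the formats above, as an added example that is not from the original post or from sslshopper: PEM is just the DER bytes Base64-encoded, wrapped at 64 columns and wrapped in BEGIN/END armor, which is why a .cer file can be either and why the text says to look for the armor lines. The sample DER blob is a constructed minimal ASN.1 SEQUENCE, not a certificate; the `openssl x509` command additionally parses the certificate, which this code does not.

```python
import base64
import binascii
import re

# Constructed input, not a real certificate: the DER encoding of
# SEQUENCE { INTEGER 5 }. A real certificate, key or PFX is also a DER
# SEQUENCE, so all of them start with the same 0x30 tag byte.
SAMPLE_DER = bytes.fromhex("3003020105")

_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def detect_format(data: bytes) -> str:
    """Tell PEM from DER the way the text does: look for the BEGIN/END
    armor; otherwise a leading ASN.1 SEQUENCE tag means DER."""
    m = _PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode()      # e.g. "PEM CERTIFICATE"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """The encoding step behind `openssl x509 -inform der -out x.pem`:
    Base64 the bytes, wrap at 64 columns, add the armor lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    """Reverse direction: strip the armor and decode. Only line breaks are
    removed, so a stray space added while pasting makes the decoder fail."""
    m = _PEM_RE.search(pem.encode())
    if not m:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).splitlines())
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not clean Base64") from exc
```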

Process:

This process converts your DER certificate to PEM and uploads the file to your FTP site.

There are other ways to get files on or off the system, but this is just the easy way.

Login as root

enter Password

# cd /tmp

# openssl x509 -inform der -in certificate.cer -out certificate.pem

# ftp

ftp> open your.ftp.com

ftp> enter your username

ftp> enter your password

ftp> put certificate.pem

ftp> bye

PART #4 - Assembling the certificate

Open Notepad and start a new document. From there you must cut and paste ALL of the parts of the certificate EXACTLY as described below. Do not add spaces, and don't try to make the ----- lines look pretty. Cut and paste each part in the correct order or the certificate will fail to import.

Definitions:

-----BEGIN RSA PRIVATE KEY-----

This is your private key. You should NEVER give it to anyone or let ANYONE see any part of it .. EVER!!

That's why you are reading this document: because you don't want to just hand it to some idiot who claims they will convert it.

WHY? Because anyone with your private key can packet capture and decrypt ANY piece of information it was used to encrypt.

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

This is the public certificate (your public key) that your provider issued. Chances are, if you got a GoDaddy cert, this is the whole reason you are having to convert it, because they won't give you certificates in clear-text formats. So be it!

-----END CERTIFICATE-----

After these 2 parts, the next parts are the intermediate CAs. In order to complete the certificate correctly you must include ALL of the CAs. In most cases they will provide you with 3 CAs, each one wrapped in the same markers:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Once the certificate chain is complete, save it to your desktop and scroll down to Part 5.

SAMPLE CERTIFICATE (placeholder Base64, not real key material; each block repeats the same placeholder line, shown once here)

-----BEGIN RSA PRIVATE KEY-----
MIFJDJfffdjfRKRKRKDKFKFDKFEFKkfkefKKEFKEFK93894M//ffDF/fdfLLDKEW
(further Base64 lines of the private key)
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
(further Base64 lines of the server certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIID1jCCAr4CCQDNL+Mr0mfZTzANBgkqhkiG9w0BAQQFADCBrDEjMCEGA1UEAxMa
(further Base64 lines of the first intermediate CA)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Y2EtdHMtZXM0MDAwLTAxLnJlZC5zb3Bob3MxEzARBgNVBAoTClNvcGhvcyBQTEMx
(further Base64 lines of the second intermediate CA)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
b3Bob3MxCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENvbHVtYmlhMRIw
(further Base64 lines of the third intermediate CA)
-----END CERTIFICATE-----

PART #5 - Installing the certificate

Log Into the appliance UI

under Configuration / System / Certificates

Add Certificate

check off Upload Existing certificate and private key

Next

check off import certificate file

add a description in the provided box

click browse

select your file on the desktop

Next

You should then see the progress indicator reach 100%; click Done.

you will now see your key listed in the list of valid keys

click on the underlined link on the name of the certificate and visually check and make sure everything looks right

Last step, verifying the keys.

click on the name of your cert.

where it says download certificate, click download

save the file to your desktop

open the file and make sure you see the public certificate, CA, CA, CA (there should NOT be a private key here!)

once that is confirmed you are good to go: you can send that certificate to any company you wish to do business with and they will be able to validate your traffic and trust your certificate
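A check for both the Part 4 assembly rules and the Part 5 download check, as an added example that is not part of the original post: the pasted bundle must consist of exact BEGIN/END armor lines with no stray spaces, ordered private key, server certificate, then every CA, while the file downloaded from the appliance must contain no private key at all. The sample bundle is constructed placeholder text, and the appliance's own import checks may differ.

```python
# Constructed placeholder bundle in the Part 4 order (key, server cert, CA
# chain). "MAMCAQU=" is a tiny valid Base64 body, not real key material.
GOOD_BUNDLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", "MAMCAQU=", "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "MAMCAQU=", "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", "MAMCAQU=", "-----END CERTIFICATE-----",
])

def parse_pem_bundle(text):
    """Return (blocks, errors): blocks are (label, base64) pairs; errors list
    every line that is not an exact armor line or a clean Base64 line."""
    blocks, errors, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, body = line[11:-5], []
        elif line.startswith("-----END "):
            if line == f"-----END {label}-----":
                blocks.append((label, "".join(body)))
            else:
                errors.append(f"line {n}: END does not match the open BEGIN")
            label = None
        elif not line.strip():
            continue                      # blank lines are harmless
        elif label is None:
            # catches "pretty" markers such as "- - - - - BEGIN CERTIFICATE - - - - -"
            errors.append(f"line {n}: text outside any BEGIN/END block")
        elif line != line.strip() or " " in line:
            errors.append(f"line {n}: stray whitespace inside {label}")
        else:
            body.append(line)
    return blocks, errors

def check_upload_bundle(text):
    """Part 4 order: private key, server certificate, then every CA."""
    blocks, errors = parse_pem_bundle(text)
    labels = [lbl for lbl, _ in blocks]
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        errors.append("first block must be the private key")
    if len(labels) < 3 or set(labels[1:]) != {"CERTIFICATE"}:
        errors.append("expected server certificate followed by the CA chain")
    return errors

def check_download(text):
    """Part 5: the file the appliance hands back must hold no private key."""
    blocks, errors = parse_pem_bundle(text)
    if any(lbl.endswith("PRIVATE KEY") for lbl, _ in blocks):
        errors.append("downloaded file contains a private key")
    return errors
```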

Enjoy!
