
I really didn't want to ask this but I cannot find a solid answer online that I understand. I am not good at networking/IIS/certificates and need some help. I have a CRT file generated from GoDaddy; I have it installed on the server but need to create a PEM file with a private key and the certificate inside it so I can do a key exchange. I have a DER file created, then a PEM file created using OpenSSL with the certificate in it. My question is: how do I create a private key and then place it inside the PEM file? I'm sorry if this doesn't make any sense; if so, please just let me know I am on the wrong track. My goal is to set up an FTP key exchange and this is what a client of mine is requesting. The cert is in 2048-bit RSA format.

jww
wondergoat77
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Apr 25 '15 at 18:49

2 Answers


How do you create the private key of a certificate you already have? You must have had the private key to sign the certificate signing request (CSR). You can export this private key into any format you want (provided that it is marked as exportable).

If you can export the private key, then one solution is to concatenate your file with the private key and the public key, if that is supported by your application.

Another way is to combine them into a PFX or PKCS #12 file.

You can read about openssl pkcs12 here.

doptimusprime
  • OK, then maybe I don't understand the whole process. I have the original certificate request I used to get the cert; is that the same as the key? I tried exporting the key out of IIS but I guess I am getting stuck there. I have it exported as PKCS #12 (.pfx) but not sure what to do with it at this point. – wondergoat77 Jun 26 '13 at 13:54
  • The original certificate request is not the key. If you can export it to .pfx, then you can extract the private key and public key out of it. You can also check whether the FTP key exchange may use a .pfx file or specify the private key and certificate separately. This you have to check in the configuration. – doptimusprime Jun 26 '13 at 15:26
  • I have an old keyfile from our expired cert, which shows -----BEGIN PRIVATE KEY----- ... -----BEGIN CERTIFICATE----- (with appropriate info and end tags). This is what I need, in OpenSSL format per FileZilla. I guess I need to extract the private key and make this file myself. Thanks for the info. – wondergoat77 Jun 26 '13 at 15:45
  • or you can use this command on your PFX file to make sure you are using the right keyfile: openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes – authcate Jan 23 '14 at 02:53

Turns out this is what I needed; thanks for the assistance.

openssl pkcs12 -in file.pfx -nocerts -nodes -passin pass:123 | openssl rsa -out privatekey.pem

This got me a private RSA key, which is then put into FileZilla as the private key and the cert in the cert field in FileZilla's settings. Both of these files should be in a folder not protected by permissions and (not 100% sure on this part) should be in the same folder.

jww
wondergoat77
  • You probably DO want to protect the private key with appropriate permissions. It's ok for anyone to have the cert, but the private key should have restricted access. – gtrig Jun 27 '13 at 20:35
  • @gtrig - in this case, password protection won't really matter because {IIS|Apache} needs to load it. In the case of Apache, storing the encrypted key and the passphrase next to it defeats the security. The best you can do is filesystem ACLs. (BTW, this is known as the *[Unattended Key Storage](https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf)* problem. It's a problem without a solution). – jww Apr 25 '15 at 18:53
  • *"Both of these files should be in a folder not protected by permissions"* - FileZilla ***depends*** on those ACLs because they don't integrate with Windows DPAPI or other protected storage. See [FileZilla Bug #1373: Passwords saved as plain text](http://trac.filezilla-project.org/ticket/1373). Sadly, the authors of FileZilla appear to be Unix/Linux people, so they have no clue about Windows security. The sad thing is they ignore folks who have the knowledge and attempt to help them. – jww Jun 01 '15 at 03:14
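The procedure the two answers describe, end to end, as an added example that is not code from either answer or from FileZilla: pull the private key and the end-entity certificate out of the PFX, write the key-then-certificate PEM that the expired keyfile in the comments shows, restrict the file to its owner, and confirm the key really belongs to the certificate before pointing FileZilla at it. The openssl subcommands are standard; the function names, the directory layout, the password `123` and the throwaway self-signed certificate built by `make_test_pfx` are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Extract key + certificate from
# a PFX into the "private key, then certificate" PEM layout, lock it down, and
# verify that the key matches the certificate.
set -eu

# Extract the unencrypted private key and the leaf certificate from a PFX.
# $1 = PFX path, $2 = PFX password, $3 = output directory (assumed layout:
# privatekey.pem, certificate.pem and the combined combined.pem are written there).
extract_from_pfx() (
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    umask 077   # every file created below is readable by the owner only
    # -nocerts -nodes dumps only the key, without a passphrase; piping through
    # openssl pkey strips the "Bag Attributes" preamble so only the PEM block remains
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        | openssl pkey -out "$out/privatekey.pem"
    # -clcerts -nokeys dumps only the end-entity certificate, not the CA chain
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
        | openssl x509 -out "$out/certificate.pem"
    # Combined file in the order the old keyfile used: key first, then cert
    cat "$out/privatekey.pem" "$out/certificate.pem" > "$out/combined.pem"
    chmod 600 "$out/privatekey.pem" "$out/combined.pem"
)

# Return 0 if the private key in $1 and the certificate in $2 carry the same
# public key. A mismatch here means the wrong key was exported (or the
# certificate was re-issued against a new CSR).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build a throwaway self-signed RSA-2048 key + certificate and wrap them in a
# PFX protected with password "123" (constructed test data, standing in for the
# IIS export). $1 = working directory; creates $1/test.pfx.
make_test_pfx() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$d/orig-key.pem" -out "$d/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/orig-key.pem" -in "$d/orig-cert.pem" \
        -out "$d/test.pfx" -passout pass:123
}

# Stand-alone run: `sh thisfile.sh demo`
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pfx "$work"
    extract_from_pfx "$work/test.pfx" 123 "$work/out"
    if key_matches_cert "$work/out/privatekey.pem" "$work/out/certificate.pem"; then
        echo "key and certificate match; combined PEM at $work/out/combined.pem"
    else
        echo "MISMATCH: this key does not belong to this certificate" >&2
        exit 1
    fi
fi
```

For a real export, call `extract_from_pfx exported.pfx '<pfx password>' /path/to/keys` directly instead of the demo. The unencrypted key is what FileZilla (or IIS/Apache) can load unattended, which is exactly why the filesystem permissions matter: the script sets them to owner-only rather than leaving the folder unprotected.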