I was asked to help convert a certificate for a renewal. I was given the domainname.crt file along with some intermediate .crt files, but no .key file. They want me to convert the CRT to both a .CER and a .KEY file.

I have looked at the following (among many other sites) but they either say I need the .key file, which I don't have, or that I have to install it locally and then export it, but when using MMC and trying to export it the .PFX option is grayed out.

http://community.spiceworks.com/topic/367133-i-cant-convert-a-ssl-crt-to-pfx-i-need-help-with-this

I also tried the OpenSSL command PKCS12 -EXPORT... to convert it to a .P12 and I get an error for "unable to load private key". If I open it and choose "Copy To File..." I can obtain a .CER file but nothing more.

Thank you for your help.

user1970778

2 Answers

Is the private key in the certificate file? In other words, is there a section that starts with

-----BEGIN RSA PRIVATE KEY-----

in the file?

If not, then the private key is stored in a separate file.

In any case, to renew a certificate, you don't need a certificate, but a certificate signing request (CSR), which you will send to the CA, and you will receive the certificate in return (alternatively, in some cases the CA may generate a new certificate using the previous stored CSR).

You can generate a new key with:

openssl genrsa -out <private key file name> 2048

then generate the CSR with:

openssl req -new -key <private key file name> -out <csr file name>

You keep the key, send the CSR to the CA. On return, you get the certificate, which together with the intermediate certificates and the private key, should be provided to the software used. In some cases they need to be in separate files, in others you can just lump them together in a single file.

jcaron
  • Thanks. The CRT file does not have the "BEGIN RSA PRIVATE KEY" section. I will have to discuss this with the people that sent me the files. – user1970778 Aug 15 '14 at 14:24
  • I had a different, yet similar, problem (converting from CRT & Key to PFX) and `-----BEGIN RSA PRIVATE KEY-----` was the clue that helped get the `openssl` command to work. Thank you. – jiminy Jan 15 '15 at 06:47
  • If I only have csr file, can I convert it back to key file? – TommyQu Jun 08 '17 at 18:33
  • @TommyQu A CSR? That's a certificate request, it only has limited use. You mean a certificate? If the file containing the certificate also contains the key (as is sometimes the case in some configurations), then you can just grab it. Otherwise no, it's the whole point, certificates are public, and private keys are private, if you could generate the private key from the certificate then it would defeat the whole purpose... – jcaron Jun 08 '17 at 18:37
  • @jcaron Thanks! So if I'm trying to enable HTTPS on my server. If I lost my key file, I only have csr and crt file. I would not be able to make it work without generating a new key, is that correct? – TommyQu Jun 08 '17 at 18:43
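The check jcaron opens with, turned into a small script, as an added example that is not part of either answer or of the comments: it lists every PEM block in a file, reports whether a private-key block is present (which is what the asker's .crt lacked), flags mismatched BEGIN/END labels and bad base64 that a truncated or hand-edited file produces, and, for the comment thread's question, shows that a CSR carries no private key either. It uses only the Python standard library; the sample PEM text is constructed from placeholder bytes and is not a real certificate, request or key.

```python
"""Inspect a PEM file and report what it actually contains.

Added example (not from the original answers). Implements the "is there a
-----BEGIN ... PRIVATE KEY----- section?" check with the standard library only.
All sample data below is constructed for the demo; the payloads are not DER.
"""
import base64
import re

# Labels that mean a private key is present in the file.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}
# Labels that carry only public material; none of them can yield a private key.
PUBLIC_LABELS = {
    "CERTIFICATE", "CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST", "PUBLIC KEY",
}

_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return a list of dicts {label, headers, der} for each PEM block in text.

    Raises ValueError when a BEGIN/END label pair does not match or the body is
    not valid base64, which is how a truncated or hand-edited file shows up.
    """
    blocks = []
    for begin, body, end in _BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        # before the base64 body; base64 itself never contains a colon.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{begin} block is not valid base64: {exc}") from exc
        blocks.append({"label": begin, "headers": headers, "der": der})
    return blocks


def summarize(text):
    """Classify a PEM file: certificate count, CSR count, and key presence."""
    blocks = pem_blocks(text)
    labels = [b["label"] for b in blocks]
    legacy_encrypted = any(
        h.startswith("Proc-Type") and "ENCRYPTED" in h
        for b in blocks for h in b["headers"]
    )
    return {
        "certificates": labels.count("CERTIFICATE"),
        "requests": sum(
            1 for l in labels if l in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")
        ),
        "has_private_key": any(l in PRIVATE_KEY_LABELS for l in labels),
        "key_encrypted": "ENCRYPTED PRIVATE KEY" in labels or legacy_encrypted,
        "unknown_labels": sorted(set(labels) - PRIVATE_KEY_LABELS - PUBLIC_LABELS),
    }


def _fake_block(label, payload):
    """Build a syntactically valid PEM block from constructed bytes (demo only)."""
    b64 = base64.b64encode(payload).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


# Constructed sample: what the asker was handed, a leaf plus two intermediates
# and no key. The payloads are placeholder bytes, not real certificates.
SAMPLE_CRT_BUNDLE = (
    _fake_block("CERTIFICATE", b"placeholder leaf certificate bytes")
    + _fake_block("CERTIFICATE", b"placeholder intermediate 1")
    + _fake_block("CERTIFICATE", b"placeholder intermediate 2")
)

# Constructed sample: the same bundle with a key appended, as some tooling writes.
SAMPLE_WITH_KEY = SAMPLE_CRT_BUNDLE + _fake_block(
    "RSA PRIVATE KEY", b"placeholder key bytes"
)

# Constructed sample: a CSR on its own, for the question raised in the comments.
SAMPLE_CSR = _fake_block("CERTIFICATE REQUEST", b"placeholder csr bytes")


if __name__ == "__main__":
    for name, text in [("bundle", SAMPLE_CRT_BUNDLE),
                       ("bundle+key", SAMPLE_WITH_KEY),
                       ("csr", SAMPLE_CSR)]:
        print(name, summarize(text))
```

Run against a real file with `summarize(open("domainname.crt").read())`; a result with `has_private_key` False means the key has to come from whoever generated the original CSR, or a new key and CSR have to be made with the `openssl genrsa` and `openssl req` commands above.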
You don't need to convert a CRT to a PFX. You can convert a CRT to a CER, and from there you can load it into the Certificate Store.

https://support.comodo.com/index.php?/Knowledgebase/Article/View/361/17/how-do-i-convert-crt-file-into-the-microsoft-cer-format

  1. Right-click the CRT file and select "Open".
  2. Navigate to the "Details" tab.
  3. Click "Copy to File..."
  4. Click "Next".
  5. Select the "Base-64 encoded X.509 (.CER)" option, and click "Next".
  6. Give your export file a name (e.g., "www.mysite.com-2019.cer"), and click "Save".
  7. Click "Next".
  8. Confirm the details, and click "Finish".
  9. Open IIS, and navigate to the "Server Certificates" page.
  10. Click "Complete Certificate Request" (on the right-nav).
  11. Select your new CER file, specify a friendly name of your choosing (e.g., "www.mysite.com-2019"), and click "OK".

You should see the new cert listed in the "Server Certificates" page, under the "Friendly Name" that you chose.

David