Solved

Loading a new SSL certificate

  • 19 July 2024

I have received a new SSL certificate along with the Private Key, but every time I try to upload the certificate it requests a password. One wasn’t provided. Is there a way to load the SSL certificate and private key into Certlm.msc without the password? Just wondering whether, if I can load the SSL certificate and private key, I could then export the loaded certificate and create a password that could then be used in the IFS installer.cmd or F1mage.exe.

 

Thanking you in advance for your advice.

6 replies


Hi John,

Please confirm that you have a PFX file. A PFX file is a wrapper containing an x509 certificate and a private key. The PFX file should be password protected. If it is not, you will need to use a tool such as OpenSSL to add a password. If it is not a PFX file and just an x509 certificate and private key, then you will need to convert it into a PFX (again OpenSSL can do that).

Is the certificate signed by an external certificate authority? Windows by default trusts the major certificate authorities. If so there should not be any need to manually add it to the Windows certificate manager. Though unknown (often internal or self-signed) authorities will need to be added manually (or via a domain controller, for example).

Are you preparing a new APP10 environment? Or are you trying to refresh the certificate for an existing environment? If the latter, IFS has an update_http_certificates.cmd option as well.

Additional details will help to give you the best answer.

Best regards -- Ben


@Ben Monroe Thank you for your answer.  I have been provided with a PFX file and a Private Key but no password.  It is for a new APP10 environment.

 


@Ben Monroe When prompted for the keystore password is this prompting for the password of the pfx file?

 


Hi John,

> When prompted for the keystore password is this prompting for the password of the pfx file?

Yes, it is prompting for the PFX password. It will not work if there is no password set.

Best regards -- Ben 


Hi John,

It is a little complicated to add a password after the fact to an existing PFX file. I would recommend discussing this with your IT manager before proceeding. You will need to extract the x509 certificate and private key from the existing PFX and recreate it, this time with a password. Steps 6) and 7) below may be particularly difficult unless you have such experience.

1) Install OpenSSL if not already available. Linux is easiest through a package manager. There are many builds available for Windows. It is also included in Git for Windows, which may be easiest.

2) Extract the x509 certificate from the existing PFX file.

openssl pkcs12 -in <pfx file> -clcerts -nokeys -out temp.pem -nodes

3) Test the extracted temp.pem to ensure it is as expected.

openssl x509 -in temp.pem -text -noout

4) Extract the private key from the existing PFX file.

openssl pkcs12 -in <pfx file> -nocerts -nodes -out key.pem

5) Test the extracted private key to ensure it is as expected. Assuming the key is also not password protected, press Enter when prompted for the password.

openssl pkey -in key.pem -text -noout

6) Verify the certificate chain. Check the output from step 3) for the Issuer field. Obtain a copy of that issuer certificate. Repeat until you have certificates all the way to the root.

7) Concatenate the non-leaf certificates (intermediate--possibly multiple--and root) into a chain.

type <intermediate certificate 1> <intermediate certificate 2...> <root certificate> > chain.pem

8) Create a new PFX based on the extracted x509 certificate and private key. (Other options are possible.)

openssl pkcs12 -export -in temp.pem -inkey key.pem -chain -CAfile chain.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -out <new pfx file>

9) Set a password when prompted.
 

Best regards -- Ben
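
Steps 2) to 9) above as a POSIX shell script, added here as an example and not part of Ben's post: it builds a throwaway password-less PFX, re-wraps it with a password, and checks the result. File names, the CN and the password are constructed; it uses OpenSSL's default PKCS#12 algorithms and a self-signed certificate, so the chain step and the -keypbe/-certpbe/-macalg options from step 8) are left out.

```shell
#!/bin/sh
# Added example. File names, the CN and the password are constructed for the demo.

# Build a throwaway self-signed certificate and wrap it in a PFX with an
# empty password, standing in for the file described in the thread.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/src.crt" -inkey "$1/src.key" \
        -passout pass: -out "$1/nopass.pfx" 2>/dev/null
}

# SHA-256 over the DER public key, taken from a certificate or a private key.
pubkey_hash_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }
pubkey_hash_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }

# Succeeds only if the PFX opens (its MAC verifies) with the given password.
pfx_opens_with() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Extract the leaf certificate and key from a password-less PFX, confirm they
# belong together, and export a new PFX protected by $NEW_PFX_PASS.
rewrap_pfx() {
    src=$1; dst=$2
    work=$(mktemp -d) || return 1
    ( umask 077   # the extracted key is unencrypted: keep it private to this user
      openssl pkcs12 -in "$src" -passin pass: -clcerts -nokeys -out "$work/cert.pem" 2>/dev/null &&
      openssl pkcs12 -in "$src" -passin pass: -nocerts -nodes -out "$work/key.pem" 2>/dev/null &&
      [ "$(pubkey_hash_cert "$work/cert.pem")" = "$(pubkey_hash_key "$work/key.pem")" ] &&
      openssl pkcs12 -export -in "$work/cert.pem" -inkey "$work/key.pem" \
          -passout env:NEW_PFX_PASS -out "$dst" 2>/dev/null )
    rc=$?
    rm -rf "$work"   # do not leave the plaintext key on disk
    return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    export NEW_PFX_PASS='Constructed-Demo-Pass-1'
    make_sample_pfx "$d" && rewrap_pfx "$d/nopass.pfx" "$d/new.pfx" &&
        pfx_opens_with "$d/new.pfx" "$NEW_PFX_PASS" &&
        ! pfx_opens_with "$d/new.pfx" ""
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "new PFX opens only with the password"
```

For a real file, set NEW_PFX_PASS in the environment and call rewrap_pfx with the old and new PFX paths; reading the password through env: keeps it off the command line.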


 

Prerequisite: after receiving the valid SSL certificate PFX file and password.

 

PART 1

On the MWS server double-click the PFX file and select Install PFX

This will open the Certificate Import Wizard.

Select Local Machine and click Next

Browse to the PFX file you wish to import and click Next

Enter the password you received with the SSL certificate PFX

Select Mark the key as exportable.  This will allow you to back up or transport your keys at a later time.

Click Next

Select Place all certificates in the following store and browse, select Trusted Root Certification Authorities and click OK

Click Next

Finally, click Finish

 

PART 2

The next step would be to open Certificate Manager 

Expand Trusted Root Certification Authorities

Locate the loaded SSL certificate entry and RMB then select All Tasks > Export

Select Yes, export the private key and click Next

Under Personal Information Exchange - PKCS #12 (.PFX) ensure only Include all certificates in the certification path if possible is checked and nothing else then click Next

Check Password checkbox and enter the SSL password in Password and Confirm Password. For Encryption leave as TripleDES-SHA1 and click Next

File to Export - browse to the location and specify filename where you wish to export the PFX file, then click Next

Finally, click Finish

 

PART 3

Install the exported SSL certificate using IFS Installer without any issues.
