topic Re: How to deploy inbound certificate in p12 format on the firewall in General Topics

How to deploy inbound certificate in p12 format on the firewall

marcinw — Tue, 13 Oct 2020 12:47:49 GMT

Hi,

I've got from CA wildcard certificate in .crt format and .pem (as I believe contains private key ) How to properly prepare from these files single .p12 file that is the only allowed in mgmt server, could someone guide me ?

thanks

Re: How to deploy inbound certificate in p12 format on the firewall

G_W_Albrecht — Tue, 13 Oct 2020 13:24:21 GMT

Old school way is using openssl on CLI, see e.g. https://www.ryadel.com/en/openssl-convert-ssl-certificates-pem-crt-cer-pfx-p12-linux-windows/

Re: How to deploy inbound certificate in p12 format on the firewall

Mike_A — Tue, 13 Oct 2020 13:34:57 GMT

You can also use a tool called KeyStore Explorer. Its free and will allow you to create the P12. Its extremely friendly for individuals who are not very CLI savvy.

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Tue, 13 Oct 2020 14:04:15 GMT

Ok, but what do I have to do ? Just convert .crt to .p12 ? what about .pem file, is somehow necessary in this process ?

Re: How to deploy inbound certificate in p12 format on the firewall

G_W_Albrecht — Tue, 13 Oct 2020 14:09:45 GMT

As you need it so seldom, CLI is not a big issue, i think ! There are even websits that will convert it for you - for extra security, i would use openssl as it will never phone home 8)!

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Tue, 13 Oct 2020 14:13:50 GMT

I started using openssl right now , CLI is not a problem , my question is not HOW but WHAT to do , do I have to only convert wildcard .cer to .p12 and certificate will be ready to deploy on mgmt server ? I am asking because I get also .pem certificate and I don't know maybe it should be use somehow, extract .key from it ?

Re: How to deploy inbound certificate in p12 format on the firewall

Mike_A — Tue, 13 Oct 2020 14:14:28 GMT

I don't think its a big issues either @G_W_Albrecht but it seemed like someone who is asking how to create a P12 maybe be given an alternative to CLI.

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Tue, 13 Oct 2020 14:20:57 GMT

based on this command

openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx

how to get .key file in order to include it in the p12 ?

Re: How to deploy inbound certificate in p12 format on the firewall

G_W_Albrecht — Tue, 13 Oct 2020 14:25:41 GMT

Usually not more to do than # openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12

When importing an internal server's certificate for incoming SS traffic inspection, it is necessary to include all the intermediate CAs of the chain in the *.p12 file. Inclusion of only the server certificate may cause some browsers to warn about untrusted sites, since some browsers are unable to fetch and validate the complete certificate chain.

Now it would be # openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12 -certfile CAcert.cr

Re: How to deploy inbound certificate in p12 format on the firewall

Mike_A — Tue, 13 Oct 2020 14:28:35 GMT

When you generate the CSR you would do this....

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Get the CSR signed by your CA and then you would run the command you just mentioned on the same box, the key would then be present... Where did you generate the CSR, wherever you did, the KEY should be present.

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Tue, 13 Oct 2020 14:37:20 GMT

Intermediate certificates are included in wildcard .cer file so I run command

openssl pkcs12 -export -in SMHcrt.cer -inkey privatekey.key -out SMHcert.p12

and I get :

Can't open privatekey.key for reading, No such file or directory
15132:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('privatekey.key','r')
15132:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
unable to load private key

I've fund this command to export key from .pem file

openssl pkey -in SMHcert.pem -out SMHcert.key

but I get
unable to load key
9524:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Wed, 14 Oct 2020 08:16:14 GMT

Thanks Mike you gave me a clue. I've found old private key that is being used currently, but in this year we didn't make CSR , we just got new certificate so the NEW private key wasn't generated . So I used old private key and new .crt and I got new .p12 . On the new .p12 certificate it is written "You have a private key that corresponds to this certificate" so I think everything should be ok ?

Re: How to deploy inbound certificate in p12 format on the firewall

G_W_Albrecht — Wed, 14 Oct 2020 09:03:42 GMT

So what upon import ?

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Wed, 14 Oct 2020 11:38:57 GMT

I imported .p12 certificate to mgmt server, we still use the old one. I just wanted to know if I can use old Private key and new certificate , but since we didn't do CSR this year i t should be correct .

Re: How to deploy inbound certificate in p12 format on the firewall

_Val_ — Wed, 14 Oct 2020 11:55:36 GMT

P12 usually includes the private keys. You should be fine, I think

Re: How to deploy inbound certificate in p12 format on the firewall

marcinw — Wed, 14 Oct 2020 12:32:18 GMT

yes, but I've got .crt certificate from my CA and I had to convert to .p12 (required by checkpoint) , in order to do that I had to combine .crt with private key.key ( that I fortunately found) to get .p12

Re: How to deploy inbound certificate in p12 format on the firewall

Mike_A — Wed, 14 Oct 2020 13:41:50 GMT

Yes, if you did not have the correct .key file for the .p12 creation, I believe it will complain and the .p12 will not be created. It looks like everything should be OK now and you can import the .p12 to mgmt server.