marcinw
Participant

How to deploy inbound certificate in p12 format on the firewall

Hi,

I've got from the CA a wildcard certificate in .crt format and a .pem (which, as I believe, contains the private key). How do I properly prepare from these files a single .p12 file, which is the only format allowed on the mgmt server? Could someone guide me?

thanks

16 Replies
G_W_Albrecht
Champion

marcinw
Participant

Ok, but what do I have to do? Just convert .crt to .p12? What about the .pem file, is it somehow necessary in this process?

Mike_A
Advisor

You can also use a tool called KeyStore Explorer. It's free and will allow you to create the P12. It's extremely friendly for individuals who are not very CLI savvy.

G_W_Albrecht
Champion

As you need it so seldom, CLI is not a big issue, I think! There are even websites that will convert it for you. For extra security, I would use openssl as it will never phone home 😎!

marcinw
Participant

I started using openssl right now. CLI is not a problem; my question is not HOW but WHAT to do. Do I only have to convert the wildcard .cer to .p12 and the certificate will be ready to deploy on the mgmt server? I am asking because I also got a .pem certificate and I don't know whether it should be used somehow, e.g. to extract the .key from it?

G_W_Albrecht
Champion

Usually there is not more to do than:

# openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12

When importing an internal server's certificate for incoming SS traffic inspection, it is necessary to include all the intermediate CAs of the chain in the *.p12 file. Inclusion of only the server certificate may cause some browsers to warn about untrusted sites, since some browsers are unable to fetch and validate the complete certificate chain.

Now it would be:

# openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12 -certfile CAcert.cr

marcinw
Participant

Intermediate certificates are included in the wildcard .cer file, so I run the command

openssl pkcs12 -export -in SMHcrt.cer -inkey privatekey.key -out SMHcert.p12

and I get :

Can't open privatekey.key for reading, No such file or directory
15132:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('privatekey.key','r')
15132:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
unable to load private key

I've found this command to export the key from the .pem file

openssl pkey -in SMHcert.pem -out SMHcert.key

but I get 
unable to load key
9524:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

Mike_A
Advisor

I don't think it's a big issue either, @G_W_Albrecht, but it seemed like someone who is asking how to create a P12 might be given an alternative to the CLI.

marcinw
Participant

Based on this command

openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx

how do I get the .key file in order to include it in the p12?

Mike_A
Advisor

When you generate the CSR you would do this.... 

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Get the CSR signed by your CA and then run the command you just mentioned on the same box; the key would then be present... Where did you generate the CSR? Wherever you did, the KEY should be present.

marcinw
Participant

Thanks Mike, you gave me a clue. I've found the old private key that is currently being used, but this year we didn't make a CSR, we just got a new certificate, so a NEW private key wasn't generated. So I used the old private key and the new .crt and I got a new .p12. On the new .p12 certificate it says "You have a private key that corresponds to this certificate", so I think everything should be ok?

G_W_Albrecht
Champion

So what upon import?

marcinw
Participant

I imported the .p12 certificate to the mgmt server; we still use the old one. I just wanted to know if I can use the old private key and the new certificate, but since we didn't do a CSR this year it should be correct.

_Val_
Admin

P12 usually includes the private keys. You should be fine, I think.

marcinw
Participant

Yes, but I've got a .crt certificate from my CA and I had to convert it to .p12 (required by Check Point); in order to do that I had to combine the .crt with the private key .key (that I fortunately found) to get the .p12.

Mike_A
Advisor

Yes, if you did not have the correct .key file for the .p12 creation, I believe it will complain and the .p12 will not be created. It looks like everything should be OK now and you can import the .p12 to the mgmt server.

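Added example, not taken from any post in this thread: a POSIX shell snippet that checks, before exporting, that the private key found on disk actually belongs to the new certificate (the doubt raised above after reusing last year's key), builds the .p12 with the intermediate chain via -certfile, and counts the certificates that ended up inside it. The file names, the passphrase and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File names below are placeholders.
set -eu

# Return 0 if the public key inside KEY equals the public key in CERT.
# Comparing the SubjectPublicKeyInfo hash works for RSA and EC keys alike,
# unlike the older "compare the RSA modulus" trick.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the PKCS#12: leaf certificate + private key, plus the intermediate
# CA chain via -certfile (so browsers that cannot fetch the chain still trust it).
# Refuses to export when the key does not belong to the certificate.
build_p12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
    key_matches_cert "$key" "$cert" || {
        echo "private key does not match $cert, not exporting" >&2
        return 1
    }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -out "$out" -passout "pass:$pass"
}

# Count the certificates stored in a .p12 (leaf + chain) without dumping the key,
# a quick sanity check before handing the file to the mgmt server.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Typical call (placeholder names):
# build_p12 privatekey.key SMHcert.crt intermediates.crt SMHcert.p12 'export-passphrase'
# p12_cert_count SMHcert.p12 'export-passphrase'
```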