marcinw
Contributor

How to deploy inbound certificate in p12 format on the firewall

Hi,

I've got a wildcard certificate from the CA in .crt format and a .pem file (which, as I believe, contains the private key). How do I properly prepare from these files a single .p12 file, which is the only format allowed on the mgmt server? Could someone guide me?

thanks

0 Kudos
16 Replies
G_W_Albrecht
Legend

Old school way is using openssl on CLI, see e.g. https://www.ryadel.com/en/openssl-convert-ssl-certificates-pem-crt-cer-pfx-p12-linux-windows/

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
marcinw
Contributor

Ok, but what do I have to do? Just convert .crt to .p12? What about the .pem file, is it somehow necessary in this process?

0 Kudos
Mike_A
Advisor

You can also use a tool called KeyStore Explorer. It's free and will allow you to create the P12. It's extremely friendly for individuals who are not very CLI savvy.

0 Kudos
G_W_Albrecht
Legend

As you need it so seldom, CLI is not a big issue, I think! There are even websites that will convert it for you; for extra security, I would use openssl as it will never phone home 😎!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
marcinw
Contributor

I started using openssl right now, CLI is not a problem. My question is not HOW but WHAT to do: do I have to only convert the wildcard .cer to .p12, and the certificate will be ready to deploy on the mgmt server? I am asking because I also got a .pem certificate and I don't know whether it should be used somehow, e.g. to extract the .key from it?

0 Kudos
G_W_Albrecht
Legend

Usually there is not more to do than: # openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12

When importing an internal server's certificate for incoming SSL traffic inspection, it is necessary to include all the intermediate CAs of the chain in the *.p12 file. Inclusion of only the server certificate may cause some browsers to warn about untrusted sites, since some browsers are unable to fetch and validate the complete certificate chain.

Now it would be: # openssl pkcs12 -export -in certificate.cer -inkey privatekey.key -out certificate.p12 -certfile CAcert.cr

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
marcinw
Contributor

Intermediate certificates are included in the wildcard .cer file, so I run the command

openssl pkcs12 -export -in SMHcrt.cer -inkey privatekey.key -out SMHcert.p12

and I get:

Can't open privatekey.key for reading, No such file or directory
15132:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:69:fopen('privatekey.key','r')
15132:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:76:
unable to load private key

I've found this command to export the key from a .pem file

openssl pkey -in SMHcert.pem -out SMHcert.key

but I get:
unable to load key
9524:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

0 Kudos
Mike_A
Advisor

I don't think it's a big issue either @G_W_Albrecht, but it seemed like someone who is asking how to create a P12 may be given an alternative to CLI.

0 Kudos
marcinw
Contributor

Based on this command

openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx

how do I get the .key file in order to include it in the p12?

0 Kudos
Mike_A
Advisor

When you generate the CSR you would do this.... 

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Get the CSR signed by your CA and then run the command you just mentioned on the same box; the key would then be present... Where did you generate the CSR? Wherever you did, the KEY should be present.

0 Kudos
marcinw
Contributor

Thanks Mike, you gave me a clue. I've found the old private key that is currently being used, but this year we didn't make a CSR, we just got a new certificate, so a NEW private key wasn't generated. So I used the old private key and the new .crt and I got a new .p12. On the new .p12 certificate it says "You have a private key that corresponds to this certificate", so I think everything should be ok?

0 Kudos
G_W_Albrecht
Legend

So what upon import ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
marcinw
Contributor

I imported the .p12 certificate to the mgmt server; we still use the old one. I just wanted to know if I can use the old private key and the new certificate, but since we didn't do a CSR this year it should be correct.

0 Kudos
_Val_
Admin
Admin

P12 usually includes the private keys. You should be fine, I think.

0 Kudos
marcinw
Contributor

Yes, but I've got the .crt certificate from my CA and I had to convert it to .p12 (required by Check Point); in order to do that I had to combine the .crt with the private key .key (that I fortunately found) to get the .p12.

0 Kudos
Mike_A
Advisor

Yes, if you did not have the correct .key file for the .p12 creation, I believe it will complain and the .p12 will not be created. It looks like everything should be OK now and you can import the .p12 to the mgmt server.

0 Kudos
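Added example (this is not code from the thread, nor from Check Point): a POSIX shell script that ties together the three things discussed above: G_W_Albrecht's openssl pkcs12 command with -certfile so the intermediate CAs end up inside the .p12, a check of why `openssl pkey` on a .pem that holds only certificates fails with "Expecting: ANY PRIVATE KEY", and the question of whether an old private key really belongs to a newly issued certificate (compare the public key derived from the key with the public key inside the certificate; the "You have a private key that corresponds to this certificate" text in Windows is the same check). It assumes only the openssl CLI on PATH. The throwaway CA, the leaf certificate, the unrelated other.key, the password "changeit" and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from Check Point): build a .p12 from a
# certificate, its private key and the CA chain, and check that the key really
# belongs to the certificate before bundling. Assumes only the openssl CLI.
# Everything below is constructed test material written to a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# pem_blocks FILE: list the PEM block labels a file contains, so you can see
# whether a ".pem" holds a PRIVATE KEY at all before running `openssl pkey` on it
# (a file with only CERTIFICATE blocks produces "Expecting: ANY PRIVATE KEY").
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | xargs
}

# key_matches_cert KEY CERT: derive the public key from the private key and from
# the certificate, hash both as DER and compare. Succeeds only if they are identical,
# which is the real test for an "old key + new certificate" re-issue.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)"
    c="$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)"
    [ "$k" = "$c" ]
}

# build_p12 CERT KEY CHAIN OUT PASSWORD: the openssl pkcs12 command from the thread,
# with -certfile so the intermediate CAs travel inside the bundle, and refusing to
# run when the key does not match the certificate.
build_p12() {
    key_matches_cert "$2" "$1" || { echo "refusing: $2 does not match $1" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# p12_cert_count P12 PASSWORD: how many certificates the bundle carries
# (server certificate plus chain); 1 means the chain was left out.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# --- constructed test material: a throwaway CA, a leaf it signs, and an unrelated key ---
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 1 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null

# --- stand-alone demonstration ---
echo "server.crt contains: $(pem_blocks server.crt)"
echo "server.key contains: $(pem_blocks server.key)"
key_matches_cert server.key server.crt && echo "server.key matches server.crt"
key_matches_cert other.key server.crt || echo "other.key does NOT match server.crt"
build_p12 server.crt server.key ca.crt server.p12 changeit
echo "certificates in server.p12: $(p12_cert_count server.p12 changeit)"
```

In practice you would point build_p12 at the .crt from the CA, the .key found next to last year's CSR, and a file holding the intermediate certificates, and then confirm with p12_cert_count that the bundle imported into the mgmt server carries more than the single server certificate.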