How to create an SSL certificate using SSL certificate text from StartSSL?

Solution 1:

You say you want to create a .cer file, but the instructions you link to don't do that. A .cer file normally contains only a certificate, or very rarely multiple certs, whereas the entire purpose of a .p12 or .pfx file (they are basically the same thing) is to contain a private key AND cert(s). If you are trying to run an SSL/TLS server (such as HTTPS, but also LDAPS, SMTPS, FTPS, etc.), you do need both private key and cert(s); otherwise you usually don't.

The private key is used to generate the CSR, but is not in it; the CSR is sent to someone else, so it wouldn't be private. It's not at StartSSL because that wouldn't be private. It's not in your certificate because that wouldn't be private.

Look to see what is in your .pfx with openssl pkcs12 -in whatever.pfx -nodes. If the output contains at least a block beginning with a line -----BEGIN PRIVATE KEY----- followed by several lines all or nearly all letters and digits then a line -----END PRIVATE KEY----- you have some private key. (If using OpenSSL below version 1.0.0 it will say RSA PRIVATE KEY instead of just PRIVATE KEY.) If so, do: openssl pkcs12 -in whatever.pfx -nocerts -nodes -out key.txt. Now try the openssl pkcs12 -export in your question. If it doesn't give an error and doesn't say "No certificate matches private key" you have the right key. At this point the result can be imported to Windows store and used by e.g. IIS, or used directly by some programs e.g. Tomcat.

However, an SSL/TLS server SHOULD also have chain cert(s). CAs today mostly use one chain cert (as well as the root, which you don't need here); some use two or occasionally more. Which chain cert(s) is correct depends on what kind (validation and class) of cert you got; the StartSSL website should be able to tell you that. If you don't obtain and configure the correct chain cert(s), your server will run but clients will sometimes fail to connect to it, perhaps almost all the time, perhaps only rarely. Get the correct chain cert(s) in PEM format (the one you've already seen, with -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----) and put them in a file, e.g. chain.txt, and add -certfile chain.txt to your pkcs12 -export command.

PS: Most people and examples use .pem, not .txt, as the extension for files in PEM format like these. The openssl software works either way, but it is more meaningful and helpful for people.
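The steps in this answer as a shell sketch (an added example, not part of the original answer): it extracts the key from a .pfx, confirms the key belongs to the certificate by comparing public keys, and only then builds the new .pfx with the chain. The function names, file names and passwords are assumptions, and `make_sample` only generates constructed throwaway input for trying it offline.

```shell
#!/bin/sh
# Added example; function names, file names and passwords are illustrative.

# Pull the private key out of a PKCS#12 file.
extract_key() {        # usage: extract_key in.pfx pfx_password key_out.pem
    # -nodes writes the key unencrypted, so create the file owner-only.
    # pass:... is visible in process listings; prefer env: or file: on shared hosts.
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" )
}

# Succeeds only if the (unencrypted) private key and the certificate
# carry the same public key.
key_matches_cert() {   # usage: key_matches_cert key.pem cert.pem
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Bundle key + server cert + chain cert(s) into a new PKCS#12 file,
# refusing to write anything if the key is the wrong one.
build_pfx() {          # usage: build_pfx key.pem cert.pem chain.pem out.pfx password
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Constructed sample input: a throwaway key and self-signed certificate.
make_sample() {        # usage: make_sample key_out.pem cert_out.pem common_name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$3" -days 1 2>/dev/null
}

# Typical use with the file names from the answer:
#   build_pfx key.txt cert.txt chain.txt server.pfx "$PFX_PASSWORD"
```

The key file written by `extract_key` is unencrypted, so delete it once the new .pfx has been built and imported.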