How to create a SSL certificate using SSL certificate text from StartSSL?
Solution 1:
You say you want to create a .cer
file, but the instructions you link to don't do that. A .cer
file normally contains only a certificate, or very rarely multiple certs, whereas the entire purpose of a .p12
or .pfx
file (they are basically the same thing) is to contain a privatekey AND cert(s). If you are trying to run a SSL/TLS server (such as HTTPS but also LDAPS SMTPS FTPS etc), you do need both privatekey and cert(s), otherwise you usually don't.
The privatekey is used to generate the CSR, but is not in it; the CSR is sent to someone else, so it wouldn't be private. It's not at StartSSL because that wouldn't be private. It's not in your certificate because that wouldn't be private.
Look to see what is in your .pfx
with openssl pkcs12 -in whatever.pfx -nodes
. If the output contains at least a block beginning with a line -----BEGIN PRIVATE KEY-----
followed by several lines all or nearly all letters and digits then a line -----END PRIVATE KEY-----
you have some private key. (If using OpenSSL below version 1.0.0 it will say RSA PRIVATE KEY
instead of just PRIVATE KEY
.) If so, do:
openssl pkcs12 -in whatever.pfx -nocerts -nodes -out key.txt
.
Now try the openssl pkcs12 -export
in your question. If it doesn't give an error and doesn't say "No certificate matches private key" you have the right key. At this point the result can be imported to Windows store and used by e.g. IIS, or used directly by some programs e.g. Tomcat.
However, an SSL/TLS server SHOULD also have chain cert(s). CAs today mostly use one chain cert (as well as the root, which you don't need here); some use two or occasionally more. Which chain cert(s) is correct depends on what kind (validation and class) of cert you got; the StartSSL website should be able to tell you that. If you don't obtain and configure the correct chain cert(s), your server will run but clients will sometimes fail to connect to it, perhaps almost all the time, perhaps only rarely. Get the correct chain cert(s) in PEM format (the one you've already seen, with -----BEGIN CERTIFICATE-----
through -----END CERTIFICATE-----
) and put them in a file, e.g. chain.txt
, and add -certfile chain.txt
to your pkcs12 -export
command.
PS- most people and examples use .pem
not .txt
as the extension for files in PEM format like these. The openssl
software works either way, but it is more meaningful and helpful for people.