Cert passphrase from downloaded cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: afsfield.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a Zentyal server in which I created a user certificate and downloaded it for the purpose of installing it as email auth cert for my phone using an MDM to push it to my device. When I download the cert I get 4 files in the zip. The file types are cert.p12, cert.crt, cert-private-key.pem, cert-public-key.pem. On my MDM to import the cert it wants a cert file and a password. How do I get the password to use with the cert file(s)?

2 Likes

What document did you follow when you created the cert?
What does any of this have to do with this forum?

3 Likes

I used this doc: Zentyal & Let's Encrypt
I was hoping someone in this forum could help since it's regarding certificates

2 Likes

Did you read this?:
Let’s Encrypt is a third-party software that is not integrated into Zentyal, so any incident in this regard will be the responsibility of the technician in charge of managing the Zentyal Server.

Reviewing what you have asked, it seems that you are trying to do something with the cert (intended solely for the email/web server) directly on your phone.
I don't see how that will be possible and don't find that part anywhere in the guide.

I found one line with an indirect/vague reference:
The package with the keys contains also a PKCS12 file with the private key and the certificate and it can be installed directly into other programs such as web browsers, mail clients, etc.
This seems to be very misleading; as you won't be able to use the cert in any other system than the one the name resolves to via DNS, nor in any other way than described:

2 Likes

Thanks for the response, however I'm not necessarily asking for system info as much as I am asking how to take the cert(s) I downloaded and obtain a passphrase from them... Is that possible?

1 Like

You can verify Server details such as enrollment challenge password from http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll .

1 Like

The system from which I downloaded the certs is a Zentyal server, which is basically an Ubuntu 16.04, I believe

1 Like

IT admins must get the challenge password from the enterprise Simple Certificate Enrollment Protocol / Certificate Authority (SCEP/CA) server, before triggering certificate enrollment request.

Note: Each SCEP/CA Server has a different means to retrieve this challenge password.

2 Likes

You could be dealing with one of two things here:

  • password encrypting the certificate
  • MDM SCEP enrollment password

2 Likes

I've found that if I export a user cert from Windows it allows me to export with a password and that allows me to import it into the MDM system. This is what I'm trying to do with the certs I get from the Ubuntu server

1 Like

A certificate contains only public information, so encrypting it with a password is completely unnecessary. Can you export it without a password? I do know how to get the certificate password in Windows, but it's much easier if the certificate is just exported in PEM format (like the encryption keys).

For instance, here's the entire certificate history for afsfield.com where each certificate link contains a link to download the certificate in PEM format:

2 Likes

The mere fact that a password is being used implies the key went with it.
[It is NOT just the public cert.pem information]

2 Likes

How did you download them?

2 Likes

@rg305

He's probably trying to use a symmetrically-encrypted .p12 file. I'm suspecting the .cert file is plaintext PEM.

2 Likes
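An added example, not from any poster in this thread: assuming cert.crt and cert-private-key.pem from the downloaded zip are unencrypted PEM, this checks that the key belongs to the certificate, builds a new PKCS#12 protected by a passphrase you choose, and confirms the file opens with it. The throwaway sample certificate, the output name for-mdm.p12 and the friendly name email-auth are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample: a throwaway self-signed cert and key
# stand in for cert.crt and cert-private-key.pem from the downloaded zip.
make_sample() {  # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-user" \
        -keyout "$1/cert-private-key.pem" -out "$1/cert.crt" 2>/dev/null
}

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = cert (PEM), $2 = private key (PEM)
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Package cert + key into a new PKCS#12. The passphrase is read from an
# environment variable so it does not appear on the command line.
build_p12() {  # $1 = cert, $2 = key, $3 = output .p12, $4 = env var name
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "email-auth" -passout "env:$4"
}

# True when the PKCS#12 file opens with the passphrase in the named env var.
p12_opens_with() {  # $1 = .p12 file, $2 = env var name
    openssl pkcs12 -in "$1" -noout -passin "env:$2" 2>/dev/null
}

work=$(mktemp -d)                      # mktemp -d creates a 0700 directory
make_sample "$work"
P12_PASS='constructed-passphrase'      # hypothetical value; choose your own
export P12_PASS

key_matches_cert "$work/cert.crt" "$work/cert-private-key.pem" \
    && echo "private key matches certificate"
build_p12 "$work/cert.crt" "$work/cert-private-key.pem" \
    "$work/for-mdm.p12" P12_PASS
p12_opens_with "$work/for-mdm.p12" P12_PASS \
    && echo "for-mdm.p12 opens with the chosen passphrase"
```

The same `p12_opens_with` check can be pointed at the cert.p12 from the zip with a candidate passphrase to see whether it is the one that was set when the file was created.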

I don't see how that can be created from the certbot command though.
More than one thing happened and the details are getting blurred.

2 Likes

I think he's using the built-in CA via the GUI, not Let's Encrypt via certbot.

The package with the keys contains also a PKCS12 file with the private key and the certificate and it can be installed directly into other programs such as web browsers, mail clients, etc.

2 Likes

I think he did both.

2 Likes

Can I break something now?

:man_facepalming:

If you renew a certificate, the current certificate will be revoked and a new one with the new expiration date will be issued.

2 Likes

I hope that is only within the local CA system.

2 Likes

I see no evidence of certbot actually being used though anywhere in this topic.

2 Likes