How to convert PEM to PFX and also generate the intermediate certificate chain

My domain is:
coffeeok.pp.ua

I ran this command:
sudo certbot certonly --manual --preferred-challenges=dns -d coffeeok.pp.ua
and
sudo openssl pkcs12 -export -out coffeok.pp.ua.pfx \
    -inkey /etc/letsencrypt/live/coffeeok.pp.ua/privkey.pem \
    -in /etc/letsencrypt/live/coffeeok.pp.ua/fullchain.pem

It produced this output:
Enter Export Password:
Verifying - Enter Export Password:
I left the export password empty.

My web server is (include version):
IIS 8.5.9600.16384

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I used certbot manually on my local machine

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.1.0

So, I have a Windows server as a VM on a Linux machine. IIS can accept connections on a non-standard port (because of port forwarding), so that is the reason why I used certbot manually. I have the following questions and I hope you can help me:

  1. If I used certbot with the --preferred-challenges=dns option, does it mean that I got a wildcard certificate that I could use for all hosts like my-host.coffeeok.pp.ua? I think yes, but can you confirm it?

  2. I have a problem with the generated .pfx certificate. To generate this certificate I used the command
    sudo openssl pkcs12 -export -out coffeok.pp.ua.pfx \
        -inkey /etc/letsencrypt/live/coffeeok.pp.ua/privkey.pem \
        -in /etc/letsencrypt/live/coffeeok.pp.ua/fullchain.pem
After I tried to import this certificate into IIS I got the error
"There was an error while performing this operation.

Details:

The specified network password is not correct."

During the import process I left the password field empty because I also set an empty export password during .pfx certificate generation.
Also the output .pfx file has a size of 2.7K, while the .pfx file that I generated before from the ZeroSSL crt files was 5.0K. So I don't know, maybe I missed something.

  3. Also, when I used ZeroSSL the first time, to make it work correctly I needed to add the intermediate chain certificates. How can I generate them from these .pem files?

Thanks for your answers.

I found that the folder with the cert contains 4 files:
cert.pem, chain.pem, fullchain.pem, privkey.pem. So my old command that I used for the ZeroSSL crt files has generated a certificate.pfx that is valid for my IIS. The command is

openssl pkcs12 -macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

Also, I've imported the chain.pem file with no changes into Intermediate Certification Authorities and this works for me with no problems.

Also, I've found that I should use the option -d *.my-domain.com in certbot to create a wildcard certificate, so for now it looks like my problem is solved.

Thanks for your job, LetsEncrypt and certbot.


You know you shouldn't use certbot on Windows anymore, right?


Just for info, modern versions of OpenSSL use a new set of PFX (PKCS12) algorithms by default and these are not compatible with some older versions of Windows, but you can use their -legacy option.

I would recommend migrating your application workload to a newer version of Windows as Windows Server 2012 is well past its end of life.
