Password protect PFX File?


#1

Hey guys,

I am new to the SSL game and used LetsEncrypt to get my site properly secured. Imported into IIS no problem, my site using https:// is valid and secure no issues. A requirement for a server app I am installing requires the root, intermediate and certificate to work. The problem is the software requires the PFX has a password which mine does not so it errors out. Is there an easy way to set a password for the file without having to regenerate the certificate?

thanks

Edit: I see the option in the .config file to set the password, and I set one. If I run letsencrypt.exe --renew --baseuri https://acme-v01.api.letsencrypt.org/ will this automatically renew the cert (even though it's not expired on my server) and password protect my PFX? Would this change anything that I would have to update on IIS?

thanks again


#2

Hi traviss

Very good questions.

Microsoft likes the PFX format because the key and cert are in one.
You can create a PFX from a key and cert using OpenSSL: https://indy.fulgan.com/SSL/
A lot of useful OpenSSL commands: https://www.sslshopper.com/article-most-common-openssl-commands.html
The command you need is:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

After you type that command, OpenSSL will ask you for a password, so enter one.

A few other points:
You want to use the certificate which has the intermediate certificates as well.
Have a read of a couple of articles I wrote below about using LetsEncrypt with Windows:

https://www.linkedin.com/pulse/lets-encrypt-part-2-3-repurposing-clients-making-things-andrei-hawke
https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke

Andrei
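
The export from the reply above, as an added example that is not part of the original posts: it packs a key, certificate and chain into a password-protected PFX, then checks that the password is enforced and that the packaged key is the same key. The test material is constructed; chain.crt, ca.key, pw and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Keys and certificates are constructed throwaway test material
# standing in for the Let's Encrypt files; chain.crt, ca.key and pw are assumed names.

# make_test_material DIR: a throwaway CA (the "intermediate") and a leaf it signs.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/privateKey.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/chain.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/certificate.crt" 2>/dev/null
}

# make_pfx DIR PASSFILE: the thread's export command, plus the chain (-certfile)
# and a password read from a file so it never shows up in the process list.
make_pfx() {
    openssl pkcs12 -export -out "$1/certificate.pfx" -inkey "$1/privateKey.key" \
        -in "$1/certificate.crt" -certfile "$1/chain.crt" -passout "file:$2"
}

# pfx_opens PFX PASSFILE: exit status 0 only if the password verifies the PFX.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# pfx_cert_count PFX PASSFILE: number of certificates packed into the PFX.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}

# pfx_key_matches PFX PASSFILE KEYFILE: same key material, different packaging?
pfx_key_matches() {
    a=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    b=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

umask 077                      # key material and password file: owner-only
d=$(mktemp -d)
printf '%s\n' "constructed-test-passphrase" > "$d/pw"
make_test_material "$d" && make_pfx "$d" "$d/pw" &&
    echo "certificates in PFX: $(pfx_cert_count "$d/certificate.pfx" "$d/pw")"
```

OpenSSL 3.x encrypts new PFX files with AES-256 by default, which older Windows releases may fail to import; the -legacy option of pkcs12 -export writes the older format.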


#3

… the cipher-key material is the same, but the packaging is different, and that particular packaging includes a password feature …


#4

Hey, thanks for the reply, this has helped a lot. Can I simply rename the key letsencrypt generated from <domain.com>-key.pem to <domain.com>.key? http://i.imgur.com/0KYFp9x.png I couldn’t find an explanation of the various extensions. Thanks for those two links, they’ve helped with some clarity there.


#5

Hi traviss

No need to change the extensions, just use the names as they are.

OpenSSL doesn’t really care about extensions but rather evaluates the contents of the file.

Andrei


#6

Perfect, it worked! Thank you.

