
How to generate a .pfx and .cer file on Windows

Years ago I worked on this .NET Standard project that made use of a private key (in a password-protected .pfx file) to sign some content, and its corresponding public key (in a .cer file) to verify the signature.

In code, I use .NET's X509Certificate2 to get the respective keys to sign and verify signatures.

Now, I can't remember to save my life what tools I used to generate these files on Windows. Could someone point me in the right direction? Looking at openssl, I can generate public/private key pairs, but not in a format X509Certificate2 can read.

An X.509 certificate contains a public key, but is not the same as a public key. X509Certificate2 can read a certificate, or a PKCS7 that contains a certificate, or a PFX/PKCS12 that contains a certificate and the matching private key and possibly any related 'chain' cert(s), but it can't read (and more generally can't exist with) a public key as such, or a private key by itself. To sign you need the second alternative (cert and private key).

The openssl program can create a PFX/PKCS12 in many ways, by different combinations of three basic steps:

  1. generate the actual keypair (private key and public key), in a file

  2. create or obtain a certificate for the public key. This can itself be done in smaller steps depending on whether you use a certificate from a 'real' (external) CA like LetsEncrypt, GoDaddy, Digicert; or from a private or individual CA like Windows AD/CS, or yourself; or a 'self-signed' certificate (one not from any CA), which isn't trusted for most purposes but can be useful for testing, or for an application that uses the cert only as a container format for the public key and not for trust, which sounds like it may be the case for yours.

  3. combine the private key from 1 and the certificate from 2, plus any 'chain' cert(s) if required/desired, into PFX/PKCS12

For a self-signed cert (the simplest case, which as I said sounds suitable for you), openssl can perform 1 and 2 in a single operation with

openssl req [-config conffile] -newkey $spec -keyout keyfile [-nodes] -x509 $otherfields -out certfile
# $spec can be rsa:$size or dsa:$paramfile or ec:$paramfile
# $otherfields can include subject name (else it is prompted or set per the config)
# and/or -days $num -addext $name=$value -$hash; see the man page
# and/or many existing questions, or at least ask more specifically,
# but if you're not using the cert for trust probably none of these matter
#
# for all openssl commands except genpkey the flags may be given in any order
# but I show a sequence-based order that can be more easily compared

or can perform 1 using one of several methods then 2 with either one or two parts

# 1: old methods
openssl genrsa [-$cipher] $size >keyfile
openssl dsaparam $size >dsaparams && openssl gendsa dsaparams >keyfile
openssl ecparam -name $curvename -genkey [-noout] >keyfile
# or 1: new method
openssl genpkey {-algorithm rsa | -paramfile $dsa_or_ec_paramfile} [-pkeyopt $name:$value]... >keyfile
#
# then 2: single step
openssl req [-config conffile] -new -key keyfile -x509 $otherfields >certfile
# or 2: two steps
openssl req [-config conffile] -new -key keyfile $someotherfields >reqfile
openssl x509 -req <reqfile -signkey keyfile [-extfile $file [-extensions $sect]] -days $num -$hash >certfile

or it can combine 1 with the first part of 2, followed by the second part of 2

openssl req [-config conffile] -newkey $spec -keyout keyfile [-nodes] $someotherfields >reqfile
openssl x509 -req <reqfile -signkey keyfile [-extfile $file [-extensions $sect]] -days $num -$hash >certfile

For a CA-issued cert, step 1 and the first part of step 2 ( req -new[key] ) either separate or combined is the same, but the second part of step 2 ( x509 -req -signkey ) is replaced by a process to submit reqfile to the CA and get back a certificate; this in turn varies enormously, far too much to be addressed by one answer, so I won't try.

After any of the above, openssl step 3 is (always and simply):

openssl pkcs12 -export -in certfile -inkey keyfile -out pfxfile
# add -certfile chaincerts if and as needed

Compare How to generate a self-signed SSL certificate using OpenSSL? which shows the evolution in this area over the past decade, and includes more consideration of making the cert trusted especially by browsers, but does not lay out the options systematically as I did above and does not include step 3 (although many other Qs cover that separately: search 'convert PEM to PKCS12' or 'convert PEM to PFX'). If you are using OpenSSL directly on Windows (not WSL) eg from ShiningLight, the man pages are available online at https://www.openssl.org/docs/manpages.html .

Finally, as an alternative, PowerShell can do this with New-SelfSignedCertificate since at least Eight; I think it was in Seven but can't check now. It generates the keypair and certificate corresponding to steps 1 and 2 but (both) in the Windows store instead of files, so you follow with Export-PfxCertificate to get them in a PFX file (or you can use the Export task in MMC/certmgr.msc, but why bother if you're already in posh?).
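Worked example, added here and not part of the answer above: the three steps (keypair, self-signed cert, PFX export) run end to end with the openssl CLI, followed by the round trip the question describes, signing with the private key taken from the .pfx and verifying with only the public key taken from the .cer. It assumes bash and an openssl binary (1.1.1 or 3.x) on PATH (on Windows: Git Bash, WSL, or the ShiningLight build); the file names, the subject CN, the password `secret` and the payload text are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: steps 1-3 with openssl, then
# sign with the PFX's private key and verify with the .cer's public key.
# Assumes bash + openssl (1.1.1 or 3.x) on PATH. Names/passwords are placeholders.
set -euo pipefail

# Steps 1 and 2 in one call: RSA-2048 keypair plus a self-signed certificate.
# -nodes leaves key.pem unencrypted because the PFX export below applies its
# own password; -subj avoids the interactive subject prompt.
gen_selfsigned() {  # $1 = working dir, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Step 3: certificate + private key into a password-protected PFX/PKCS12.
# Add -certfile chain.pem here if a CA-issued cert needs its chain bundled.
make_pfx() {  # $1 = working dir, $2 = export password
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/cert.pfx" -passout "pass:$2"
}

# The verifier only needs the certificate, as DER (.cer); no key leaves.
export_cer() {  # $1 = working dir
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.cer"
}

# Check the PFX holds exactly one cert and one key (the "second alternative"
# in the answer, the only shape X509Certificate2 can sign with).
pfx_entry_count() {  # $1 = working dir, $2 = PFX password; prints the count
    openssl pkcs12 -in "$1/cert.pfx" -nodes -passin "pass:$2" 2>/dev/null \
        | grep -c '^-----BEGIN'
}

# Signer side: pull the private key out of the PFX and sign with SHA-256/RSA.
sign_payload() {  # $1 = working dir, $2 = PFX password, $3 = file to sign
    openssl pkcs12 -in "$1/cert.pfx" -nocerts -nodes -passin "pass:$2" \
        -out "$1/key_from_pfx.pem" 2>/dev/null
    openssl dgst -sha256 -sign "$1/key_from_pfx.pem" \
        -out "$1/payload.sig" "$3"
}

# Verifier side: extract only the public key from the .cer and check the
# signature. Returns 0 when it matches, non-zero otherwise.
verify_payload() {  # $1 = working dir, $2 = file to verify
    openssl x509 -in "$1/cert.cer" -inform DER -pubkey -noout > "$1/pub.pem"
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/payload.sig" "$2" \
        >/dev/null 2>&1
}

# Stand-alone run: build the files, sign, verify, then reject a tampered copy.
demo() {
    local work; work=$(mktemp -d)
    gen_selfsigned "$work" signing.example
    make_pfx "$work" secret
    export_cer "$work"
    echo "PFX entries (expect 2): $(pfx_entry_count "$work" secret)"
    printf 'constructed payload to sign\n' > "$work/payload.txt"   # constructed input
    sign_payload "$work" secret "$work/payload.txt"
    verify_payload "$work" "$work/payload.txt" && echo "original: signature valid"
    printf 'constructed payload to sigm\n' > "$work/tampered.txt"  # one byte changed
    verify_payload "$work" "$work/tampered.txt" || echo "tampered: signature rejected"
    rm -rf "$work"
}

demo
```

Two practical caveats. OpenSSL 3.x writes the PFX with AES-256 and PBKDF2 by default; older Windows releases cannot import that, and `openssl pkcs12 -export -legacy` (3.x only) falls back to the older 3DES/RC2 encoding those versions expect. And `-passout pass:...` puts the password on the command line where other local processes can see it; `-passout file:...` or `-passout env:VAR` keeps it out of the process list. On the .NET side, `new X509Certificate2("cert.pfx", "secret")` should then report `HasPrivateKey` as true, while loading `cert.cer` gives a certificate with the public key only, which is all verification needs.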
