Terri Donahue

When given .crt and .key files, make a .pfx file

Security is an important topic for anything hosted online, and SSL (Secure Sockets Layer) is key when you have information that needs to be transferred securely between a client browser and a web server. In the Windows Cloud VPS hosting world, this means managing the SSL settings within Microsoft Internet Information Services (IIS) – the standard Microsoft web services that are included with Windows Server.

Everyone has heard the expression "when given lemons, make lemonade." In the IIS world, .crt and .key files are the equivalent of lemons since they cannot be used in their current form to install an SSL certificate. This post will show you how to turn those files into lemonade or, more appropriately and usefully, a .pfx file.

As IIS Administrators we find ourselves from time to time (well, in all honesty, pretty much yearly) having to support the renewal and implementation of SSL certificates. In a perfect world, this would be a seamless process. We, the administrators, would create and provide the certificate signing request (CSR) to the responsible purchasing party. The certificate would be purchased and we would be provided the certificate response file from the Certificate Authority (CA) for completing the certificate request and installing the certificate.

This is not the way that things always happen. Sometimes we are provided text blobs of the certificate that look like this:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+MWFUhHn7RnDA
TBDa/YEtz7yJSaQHJu0OvcfkLe67Dk3XmJlvlIR1ZSAi3VHEe0tZCbGLUH+QpMfZ
/+CZ/jOqy/T2br0N1+Nz8pXTK2pyWCoWyEuTA1F/KimtJyuBglCXctrxWR4U/Bvg=
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQAv9+bZ/eqYYHETW+Sh9SHzANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQG
EwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYD
Wtw75qW8mqQXZfa+e7gaVwaQ70uuEuXXmxG6I00=
-----END CERTIFICATE-----

Disclaimer: These are not actual certificate or key blobs but are provided as examples only.

Or we may even be provided with the actual files which are noted by the extension .crt and .key. Neither of these can simply be completed within IIS and installed. There is a way to use these files to create a personal information exchange file (.pfx) which can then be imported into IIS. This walkthrough will provide the information necessary to combine the .crt and .key files into a usable .pfx file for IIS.

To complete this process, you will need to use OpenSSL. There are multiple places where you can download OpenSSL for a Windows server. I personally use Cygwin for all of my open source utilities. You can install utilities such as grep, curl, tail, and of course, OpenSSL within Cygwin for use on any Windows cloud server.

Cygwin creates a home directory structure in the installation path. For ease of use, we will copy the .crt and .key files into the user's home directory on the file system. On my system, this path is C:\apps\cygwin64\home\Terri. After running Cygwin64 Terminal, we are able to list the directory to see the two files that we will be working with.

[Screenshot: user home directory]

The command to be run is (replacing domain.name with your filenames):

    openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

When you run the command, you will be prompted to enter an export password. This secures the file since the private key is now part of the .pfx file. Once you have entered the export password twice, the .pfx file is created, as you can see when you list the directory again.

[Screenshot: home directory]

This .pfx file can now be imported into IIS for use with the appropriate website.
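Before importing, it helps to confirm that the .key really belongs to the .crt and that the finished .pfx opens with the export password. The script below is an added example, not part of the original post; the function names, the `PFX_PASS` variable and the throwaway self-signed pair it generates are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and PFX_PASS are assumptions.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = .key file, $2 = .crt file
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Build the .pfx; the export password is read from the exported variable
# PFX_PASS rather than being passed as a command-line argument.
make_pfx() {  # $1 = .key, $2 = .crt, $3 = output .pfx
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  ( umask 077  # the .pfx contains the private key: owner-only permissions
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS
  ) || return 1
  # Read the file back: checks the password/MAC and that the container parses.
  openssl pkcs12 -in "$3" -passin env:PFX_PASS -noout 2>/dev/null
}

# Demo on a constructed, throwaway self-signed pair (not a real certificate).
demo() {
  dir=$(mktemp -d) || return 1
  export PFX_PASS='constructed-demo-password'  # in real use: read -rs PFX_PASS
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain.name" \
    -keyout "$dir/domain.name.key" -out "$dir/domain.name.crt" 2>/dev/null || return 1
  make_pfx "$dir/domain.name.key" "$dir/domain.name.crt" "$dir/domain.name.pfx"
  status=$?
  rm -rf "$dir"
  return $status
}

demo && echo "pfx built and verified"
```

Once the .pfx has been imported, delete the loose .key file or move it to protected storage, since it is the unencrypted private key.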

I hope this blog post can save you some time and some searching if you ever need to perform this function. Keep in mind that this post, along with most everything on our blog, covers issues that our “Webteam” handles on a regular basis for our Windows Cloud Server and Dedicated Server clients. To learn more, reach out directly at 1-855-780-0955 or Sales@sherweb.com.


About Terri Donahue

Terri is a System Administrator who has been supporting IIS since version 4.0. Through the years she has had extensive hands-on experience with many web servers including Lotus Domino, Apache, and of course, IIS. She has a passion for helping people solve technology-related problems. In addition, she's an active member of the Charlotte PowerShell User Group. She was originally awarded Microsoft MVP for IIS in 2013 and was recently re-awarded on July 1st, 2014.
