5

I have been sent two txt files from somebody who used to maintain a website for a client.

One contains the certificate from Thawte with:

```
---BEGIN CERTIFICATE---
xxxxxxxx
---END CERTIFICATE---
```

The other contains the RSA Private Key

```
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxx
-----END RSA PRIVATE KEY-----
```

I've got the Certificate imported to Windows Server 2008, using the MMC snap-in, but it doesn't have the matching Private Key.

Is there any way to create and install the private key from the second text file? Or do I need to create a new CSR request, and get a new certificate?

I'd rather create it from what has been sent if possible, just because I don't have access to the Thawte site to login, and the previous developer lives in the US and can be slow to respond. My client is in a rush to have the SSL up and running again.

I've not found an answer online, so guessing I have to generate a new request?

Any help greatly appreciated.

Dan Harris

2 Answers

4

OpenSSL can convert the certificate/key to PKCS#12 format, which Windows should be able to import.

```
openssl pkcs12 -export -in foo.crt -inkey foo.key -out foo.p12
```
u1686_grawity
  • This worked great. I downloaded a Windows version from http://www.slproweb.com/products/Win32OpenSSL.html – Dan Harris Aug 16 '11 at 15:52
  • Are you extracting private key from certificate? Because there is no such thing. Private key is **private** and is not included in the certificate. Can you elaborate please? – Saeed Neamati Feb 10 '16 at 14:18
  • @SaeedNeamati: The input is two files, the `-inkey` PKCS#1 (or PKCS#7)-format private key file and the `-in` X.509 certificate file (with public key), as commonly used by Linux services. The output is a combined PKCS#12 archive for easy importing to Windows, with both keys and the certificate (often, intermediate issuer certificates are included as well). – u1686_grawity Feb 10 '16 at 14:20
  • Ok, I see. Can `foo.key` be `foo.txt`? – Saeed Neamati Feb 10 '16 at 14:21
  • The input file extensions don't matter here (in fact different people tend to use `.pem`, `.crt`, `.cert`, `.cer`, `.der`, `.x509` for the exact same thing, since it's not part of the standard) – as long as it contains a recognizable certificate and/or key. – u1686_grawity Feb 10 '16 at 14:23
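
A way to confirm that the two text files really are a matching pair before running the `openssl pkcs12 -export` command from the answer above. This is an added example, not part of the original answer; the function names, the `P12_PASS` variable and the throwaway self-signed pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and private key belong together,
# then bundle them into a PKCS#12 file. All names and data are constructed.

# Succeeds (exit 0) only if the key's public half equals the certificate's public key.
keys_match() {  # usage: keys_match cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Builds the PKCS#12 bundle; refuses to run on a mismatched pair.
# The export password is read from the P12_PASS environment variable so it
# does not appear on the command line.
make_p12() {  # usage: make_p12 cert.pem key.pem out.p12
    keys_match "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}

# Confirms the bundle opens with the password and its MAC verifies.
check_p12() {  # usage: check_p12 out.p12
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

# Demo on constructed data: two throwaway self-signed pairs stand in for the
# files from the question (foo.crt / foo.key).
demo() {
    dir=$(mktemp -d) || return 1
    for n in foo other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" 2>/dev/null || return 1
    done
    P12_PASS='constructed-demo-password'; export P12_PASS
    make_p12 "$dir/foo.crt" "$dir/foo.key" "$dir/foo.p12" && check_p12 "$dir/foo.p12" \
        && echo "foo.p12 built and verified"
    make_p12 "$dir/foo.crt" "$dir/other.key" "$dir/bad.p12" 2>/dev/null \
        || echo "mismatched pair rejected"
    rm -rf "$dir"
}
demo
```

The private key file and the resulting `.p12` both contain the secret key, so they should be deleted from any intermediate machine once the import has succeeded.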
1

I believe this will describe the process needed to import the private key and pair it with the certificate: http://blogs.iis.net/lprete/archive/2007/11/25/assign-a-private-key-to-a-new-certificate-after-you-use-the-certificates-snap-in-to-delete-the-original-certificate-in-internet-information-services.aspx

Also, I'd consider this more of a Serverfault question.

Jeff Ferland
  • Using the method above, I believe it would only work if you already have the private key on the machine, but deleted the public certificate. You would use the above when you want to re-connect the two after re-adding the public certificate – Dan Harris Aug 16 '11 at 15:53