• 8


How to install cer and p7b certificates to use in IIS?

I have generated the CSR request on our Windows server (we need to bind our application hosted on this server for HTTPS) using the commands below in keytool:

keytool -genkey -alias <server name> -keyalg RSA -keysize 2048 -keystore <server name>.keystore

keytool -certreq -keyalg RSA -alias <server name> -file certreq.csr -keystore <server name>.keystore

After this I got one CSR and one keystore file, which I forwarded for issuing SSL. The team gave me a zip file as the certificate (containing one .cer and one .p7b file). Now I am not sure how to use these two files in IIS.

What we have tried so far:

  • Imported the .cer in IIS using Complete Certificate Request option, but the certificate disappears from IIS when we check again.
  • Imported the .p7b in IIS using Complete Certificate Request option, but the certificate disappears in this case also.
  • Imported the .cer in certificate store in personal certificate, but it does not appear in IIS settings.
  • Imported the .p7b in certificate store in intermediate certificates, but it does not appear in IIS settings.
  • Imported the .cer in certificate store in personal certificate and .p7b file in intermediate certificates, but no certificate appears in IIS settings.
  • Tried to export the certificate in PFX format from the certificate store, but during export, the PFX option is greyed out.
      • 2
    • Is this requesting certs from a public CA, or an internal CA? Maybe even ADCS? If public, look at the instructions of the provider. If internal, probably click the right options in IIS Manager.

Windows has its own tool for creating certificate requests. You can use the rather clumsy certreq or the much easier Management Console (Add Certificates plugin for the Computer account on Server 2008R2 and earlier, or run certlm.msc on Server 2012 and later).

In addition to the certificate returned from the CA, you also need the private key installed on the end-entity. In your case, that private key is within the keystore you used when running keytool and therefore inaccessible to Windows.

You have two options:

  • Import the new certificate into the keystore and export both it and the private key as a PKCS#12 (.pfx), which you can then import into Windows.
  • Use the Microsoft tool to generate a new request and have that signed by your CA. When you import the returned certificate into Windows it'll match up with its private key and you can use it in IIS.

If this is an internal CA, I'd go for the latter option. However, an external CA may charge you for another certificate, so you need to decide what is the most cost effective resolution.

If you decide to go with the former and import the newly signed certificate to your keystore, use something like:

keytool -importcert -file certificate.cer -keystore <server name>.keystore -alias <server name>

Then convert the keystore to a PKCS#12, which you can import to Windows, with:

keytool -importkeystore -srckeystore <server name>.keystore -destkeystore <server name>.pfx -srcstoretype JKS -deststoretype PKCS12 -deststorepass <new password>

You will need Java 8 or later to run the command above.

Any intermediate certificates should also be sent to you. That's probably what is in the p7b file (although you haven't stated its contents). They should be imported into Windows' Intermediate Certification Authorities store, which you seem to have done already.

Once you have your *.pfx file, import it into the server's Local Machine certificate store (don't waste time with the IIS MMC snap-in).

Start certlm.msc (W2K12 or later) or add the Certificates MMC snap-in configured for Computer accounts and Local computer (for W2K8R2 or earlier). Right click on the Personal store and import the certificate. If you receive any additional certs within the *.pfx file, move them to the Intermediate Certification Authorities store (for sub CA certs). Otherwise import them separately to that store.

  • 3
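
The import described in the answer above, followed by the check that matters for IIS (the certificate must sit in Local Machine\Personal together with its private key), as an added PowerShell example that is not part of the original answer. The two file paths are placeholders, and revocation checking is switched off so the chain check also works on a server without outbound access.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell session.
# Placeholder paths: the PKCS#12 exported by keytool and the CA-supplied chain file.
$pfxPath = 'C:\certs\server.pfx'
$p7bPath = 'C:\certs\chain.p7b'

# Import certificate + private key into Local Machine\Personal.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Import the chain certificates into Intermediate Certification Authorities.
Import-Certificate -FilePath $p7bPath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# The server certificate is the imported entry that carries a private key.
$leaf = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) {
    throw 'No private key came in with the PFX; the export from the keystore was incomplete.'
}

# Build the chain from the local stores to catch a missing intermediate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: no CRL/OCSP access from the server
$chainOk = $chain.Build($leaf)

[pscustomobject]@{
    Subject       = $leaf.Subject
    Thumbprint    = $leaf.Thumbprint
    HasPrivateKey = $leaf.HasPrivateKey
    NotAfter      = $leaf.NotAfter
    ChainBuilds   = $chainOk
    ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List

# Certificates in the Personal store WITHOUT a private key, e.g. a .cer that was
# imported on its own as in the question. These cannot be used for an HTTPS binding.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey } |
    Format-List Subject, Thumbprint, NotAfter
```
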
      • 1
    • This is the correct answer. There is no need to use keytool on Windows. Regarding solutions, I would go with the 2nd option. CAs often do not charge when you are re-requesting the certificate for the same subject, so this option should be ok.
      • 1
    • Hi @garethTheRed, thank you for your answer. I would like to try the first option first, as the second option of getting another cert will take a long time by the team. Can you please share any link or instructions to import the certificate into the keystore and then export it as pfx? That would be really helpful.
    • Hi @garethTheRed, after importing the cer into the keystore, it's showing privateKeyEntry and trustedCertEntry in the keystore, and while trying to export to pfx, only the privateKeyEntry is exported, not the newly added trustedCertEntry: Problem importing entry for alias .mhf.mhc: java.security.KeyStoreException: TrustedCertEntry not supported.
