Unable to load certificates when trying to generate pfx file

I get the error: unable to load certificates

myserver.crt needs to be in PEM format. Does it have ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----?


myserver.crt should actually be a chain of certificates (and not just the one server certificate). The chain should include all intermediate certificates needed by the client to verify the chain.

You send all the intermediate certificates to solve the “which directory” problem. The “which directory” is a well-known problem in PKI. Essentially, the client does not know where to go to fetch the missing intermediate cert. To avoid the problem, you send all intermediates.

I often use Startcom because they offer free Class 1 certificates. When I get the signed server certificate from them (for example, www-example-com.crt), I add their Class 1 Server Intermediate to it. I get their Class 1 Server Intermediate from their website at Startcom CA certs. The one I use is sub.class1.server.ca.pem.

With the www-example-com.crt, my server certificate looks like:

$ cat www-example-com.crt

-----BEGIN CERTIFICATE-----
< My Server Certificate >
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
< Startcom Intermediate >
-----END CERTIFICATE-----

For completeness, the private key (for example, www-example-com.key) is also in PEM format. It uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

With my server certificate in PEM format (and with the required intermediates) and private key, I then issue the following (which looks like the same command you are using):

openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12

When clients connect, they use the Startcom CA. So, to test the connection (after loading into IIS):

openssl s_client -connect www.example.com:443 -CAfile startcom-ca.pem

The command should complete with “Verify OK”:

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 37E5AF0EE1745AB2...
    Session-ID-ctx:
    Master-Key: 7B9F8A79D3CC3A41...
    Key-Arg   : None
    Start Time: 1243051912
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I have also tried this: x509 -text -in myserver.key and received the error…

x509 is for certificates. If you want to dump a key, use OpenSSL’s pkey command. See the docs on OpenSSL’s pkey(1) command.
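To make the checks in the answers above concrete, here is an added example (mine, not code from the answers or from OpenSSL) that inspects a PEM file before it is handed to `openssl pkcs12 -export`: it confirms each block has matching BEGIN/END markers and decodable base64, counts the CERTIFICATE blocks so you can see whether the intermediates were appended, and flags the case where a private key was passed where a certificate was expected (the `x509 -in myserver.key` mistake). The sample blobs at the bottom are constructed and contain a tiny placeholder DER structure, not real certificates; the function and variable names are my own.

```python
"""Diagnose a PEM file that `openssl pkcs12 -export -in <file>` rejects.

Added example: pure Python, no OpenSSL binding needed. Pass it the text of
the .crt (or .key) file and it tells you what the file actually contains.
"""
import base64
import re

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes), ...]; raise ValueError on a malformed block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.group(1), match.group(2), match.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        compact = "".join(body.split())          # drop the 64-column line breaks
        try:
            der = base64.b64decode(compact, validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from exc
        # Every X.509 certificate and PKCS#8/PKCS#1 key is a DER SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{begin} block does not decode to a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks


def diagnose_cert_file(text):
    """Explain, in one line, why OpenSSL might say 'unable to load certificates'."""
    blocks = parse_pem(text)
    labels = [label for label, _ in blocks]
    certs = [label for label in labels if label in CERT_LABELS]
    keys = [label for label in labels if label in KEY_LABELS]
    if not blocks:
        return ("no PEM blocks found: the file may be DER; convert it with "
                "`openssl x509 -inform DER -in file -out file.pem`")
    if keys and not certs:
        return ("file holds a private key, not a certificate: dump it with "
                "`openssl pkey -in file -text`, not `openssl x509`")
    if not certs:
        return f"no CERTIFICATE block; found {labels}"
    if len(certs) == 1:
        return "1 certificate and no intermediates appended: clients may fail to build the chain"
    return f"{len(certs)} certificates (server + {len(certs) - 1} intermediate(s))"


# --- constructed sample inputs (placeholder DER, not real certificates) ---------
FAKE_DER = b"\x30\x03\x02\x01\x05"               # SEQUENCE { INTEGER 5 }


def pem_block(label, der=FAKE_DER):
    """Wrap DER bytes in a PEM block with the given label (constructed helper)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


SINGLE_CERT = pem_block("CERTIFICATE")
CHAIN = pem_block("CERTIFICATE") + "\n" + pem_block("CERTIFICATE")  # server + intermediate
KEY_ONLY = pem_block("RSA PRIVATE KEY")
NOT_PEM = "this is binary DER or something else entirely\n"
MISMATCHED = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("single", SINGLE_CERT), ("chain", CHAIN),
                         ("key", KEY_ONLY), ("not-pem", NOT_PEM)]:
        print(f"{name:8s} -> {diagnose_cert_file(sample)}")
    try:
        parse_pem(MISMATCHED)
    except ValueError as exc:
        print(f"mismatch -> {exc}")
```

Run it against the real file with `diagnose_cert_file(open("www-example-com.crt").read())`. Once the file reports two or more certificates and the export succeeds, `openssl pkcs12 -in www-example-com.p12 -nokeys -info` lists the certificates that actually made it into the bundle, which is the quickest way to confirm the intermediate travelled with the server certificate.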
