Creating a .pem with the Private Key and Entire Trust Chain

Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (yourdomainname.crt). Open a text editor (such as WordPad) and paste the entire body of each certificate into one text file in the following order.
When I try to configure WS-AT transactions on Windows, the system claims I cannot use a particular SSL certificate because it has no private key. I tried a self-signed certificate and one provided by StartSSL - no luck.
I think thanks to extensions it is possible to create a certificate with an attached private key; the question is, is there such a tool? Or is there a piece of software that can export it from the GlassFish keystore?
user505660
1 Answer
From what I see in the screencast you noted in your comments, the tiny.cer is the server certificate that you import on the Windows side. You don't need the private key of that certificate, on the Windows side.
The mrbean.cer is the certificate that you import to the jks on the server side. You don't need the private key of that certificate on the server side either.
Which system is complaining about a lack of private key? If it's the Windows side, then look at the certificate details in the MMC Certificates snap-in. At 25:26 in the screencast, you can see the certificate details of the tini.east.sun.com certificate. Note that there is no private key associated with the certificate. This is fine.
What the screencast doesn't show (or I didn't see it scanning through it quickly) are the details of the mrbean certificate, on the Windows side. On the Windows system you need the private key, if you are using the mrbean certificate to connect using SSL to the server. For that certificate on your Windows system, the certificate details tab should show a small icon of a key and the text, 'You have a private key that corresponds to this certificate.' (The private key isn't actually part of the certificate -- it's stored separately.)
You don't need to export this private key or copy it to the server, in fact, you do NOT want to copy the private key to the server. You want the private key of the mrbean certificate kept safely on the Windows system.
However, if you are using it to connect, as the client certificate for an SSL connection, then there must be a private key showing in the MMC snap-in, and, additionally, the Windows account that is doing the SSL connecting MUST have access to the private key. When you import the client certificate (mrbean) on the Windows side, the Windows account you are logged in as will have access to the private key, but if the code doing the connecting is running under a different Windows account, it does not.
In the MMC snap-in, right click on the certificate (mrbean) and select 'All Tasks -> Manage Private Keys'. From there, you can give Read access to the Windows account that is doing the SSL connecting. (Be careful -- whoever you give read access to the private key to, can use the certificate to connect via SSL using that certificate.)
So I'm not sure this is the problem, but if it is the Windows side complaining about a lack of private key, and you need a client certificate for an SSL connection, then check that (a) you have a private key associated with the certificate, and (b) the Windows account that needs to use the certificate to connect out via SSL has access to the private key. You can check both things in the MMC snap-in on the Windows system.
Don't copy either private key (client or server) in either direction.
Obtain a Custom SSL Certificate and Private Key Using OpenSSL Toolkit
This procedure is a simplified description of how to obtain a custom SSL certificate using the OpenSSL toolkit. Whether you need a temporary self-signed certificate or a certificate authority-signed certificate should be determined by your site administrator or security officer. If you do need to obtain a custom SSL certificate (temporary self-signed or certificate authority-signed), you can follow the example OpenSSL command-line instructions below.
Note - Oracle ILOM does not require you to use OpenSSL to generate SSL certificates. OpenSSL is used in this procedure for demonstration purposes only. Other tools are available for generating SSL certificates.
Note - If further OpenSSL instructions are required to generate the SSL certificate, you should consult the user documentation provided with the OpenSSL toolkit.
- Create a network share or local directory to store the certificate and private key.
- To generate a new RSA private key using the OpenSSL toolkit, type:

      openssl genrsa -out <foo>.key 2048

  Where <foo> equals the name of the private key.

  Note - This private key is a 2048 bit RSA key which is stored in a PEM format so that it is readable as ASCII text.
- To generate a certificate signing request (CSR) using the OpenSSL toolkit, type:

      openssl req -new -key <foo>.key -out <foo>.csr

  Where <foo> equals the name of the certificate signing request.

  Note - During the generation of the CSR, you will be prompted for several pieces of information.

  A <foo>.csr file should now appear in your current working directory.
- To generate an SSL certificate, perform one of the following:
  - Generate a temporary self-signed certificate (good for 365 days).

    The self-signed SSL certificate is generated from the server.key private key and server.csr files. Using the OpenSSL toolkit, type:

        openssl x509 -req -days 365 -in <foo>.csr -signkey <foo>.key -out <foo>.cert

    Where <foo> equals the name assigned to the private key (.key) or certificate (.cert).

    Note - This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. If this error is unacceptable, you should request the Certificate Authority to issue you a signed certificate.
  - Obtain an officially signed certificate from a certificate authority provider.

    Submit your certificate signing request (<foo>.csr) to an SSL certificate Authority provider. Most certificate authority providers require you to cut and paste the CSR output in a web application screen. It can typically take up to seven business days to receive your signed certificate.
- Upload the new SSL certificate and private key to Oracle ILOM. See the following instructions, Upload a Custom SSL Certificate and Private Key to Oracle ILOM.
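
The key, CSR and self-signed certificate steps above, run non-interactively and followed by a check that the certificate really carries the private key's public half before anything is uploaded. This is an added example, not part of the Oracle procedure; the name demo and the subject CN ilom.example.test are constructed placeholders, and -subj stands in for the interactive CSR prompts.

```shell
#!/bin/sh
# Added example. "demo" and the subject CN are constructed placeholders.

# make_selfsigned DIR NAME: private key -> CSR -> temporary self-signed cert.
make_selfsigned() {
    dir=$1; name=$2
    # Keep the key owner-readable only, from the moment it is created.
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 2048 ) 2>/dev/null || return 1
    # -subj supplies the CSR fields that openssl would otherwise prompt for.
    openssl req -new -key "$dir/$name.key" -subj "/CN=ilom.example.test" \
        -out "$dir/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.cert" 2>/dev/null || return 1
}

# pair_matches KEY CERT: true only if CERT contains the public half of KEY.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# is_self_signed CERT: true if subject and issuer are the same name, which is
# why clients report an unknown signing authority. This compares names only;
# it does not verify the signature.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Run the whole procedure in a throwaway directory and report the result.
work=$(mktemp -d) || exit 1
if make_selfsigned "$work" demo && pair_matches "$work/demo.key" "$work/demo.cert"; then
    echo "demo.cert matches demo.key"
    is_self_signed "$work/demo.cert" && echo "issuer = subject: clients will not trust it"
fi
rm -rf "$work"
```

pair_matches works the same way on a CA-signed certificate, so it can confirm that the certificate returned by the authority belongs to the key that produced the CSR.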