OneNoteOnline
SSL/TLS Certificate File Types/Extensions
29 September 2015 11:45
SSL certificates are used for various purposes, such as:
Authentication: the digital certificate is a common credential that provides a means to verify the identity of either the sender or the recipient.
Privacy: ensures that information is only available to the intended audience. Certificates enable privacy of transmitted data using a number of different methods.
Encryption: disguises information so that unauthorized readers are unable to decipher the message. On computers, sensitive data in the form of email messages, files on a disk, and files being transmitted across the network can be encrypted using a key.
Digital signatures: provide strong evidence that the data has not been altered since it was signed and confirm the identity of the person or entity who signed the data.
Base64 encoded Certificate
This file type is used more often for exporting certificates.
the CRL file and checks the list to ensure that the current certificate is not part of that list. The CA can make the CRL available for download to the client via HTTP, FTP or any other protocol. Here is the downloaded CRL from the CA:
Intermediate CA Certificate
Root CA certificate
Private Key
A single PEM file can also be split into multiple PEM files, each containing a part of the original PEM file.
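As an added example (not code from the original page), a small Python parser that splits a combined PEM file of the kind described above into its CERTIFICATE and RSA PRIVATE KEY blocks, validating the base64 body of each block before re-armoring it; the sample PEM is constructed inline with stand-in payloads rather than real DER data.

```python
import base64
import re
from typing import Dict, List, Tuple

# One PEM armor block: "-----BEGIN <LABEL>-----", base64 body, matching "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

def armor(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor with the usual 64-column base64 body."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every block, in file order.
    base64 is decoded with validate=True so a truncated or edited block raises
    instead of silently yielding garbage; DER objects (certificates, keys)
    always start with a SEQUENCE tag (0x30), which is checked as well."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop line breaks / whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"corrupt base64 in {label} block") from exc
        if not der.startswith(b"\x30"):
            raise ValueError(f"{label} block does not contain a DER SEQUENCE")
        blocks.append((label, der))
    return blocks

def split_pem(text: str) -> Dict[str, List[str]]:
    """Group the blocks of a combined PEM file by label (CERTIFICATE,
    RSA PRIVATE KEY, ...), re-armored, so each group can be written to its
    own file, e.g. the chain to one file and the private key to another."""
    out: Dict[str, List[str]] = {}
    for label, der in parse_pem(text):
        out.setdefault(label, []).append(armor(label, der))
    return out

# Constructed sample: stand-in payloads that only mimic the leading DER tag.
SAMPLE_PEM = (
    armor("CERTIFICATE", b"\x30\x10constructed leaf")
    + armor("CERTIFICATE", b"\x30\x12constructed issuer")
    + armor("RSA PRIVATE KEY", b"\x30\x0fconstructed key")
)

if __name__ == "__main__":
    for label, parts in split_pem(SAMPLE_PEM).items():
        print(f"{label}: {len(parts)} block(s)")
```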
PEM for storing Public Key
This format can also be used for storing only the public key information of a certificate. I found this article: http://www.bo.infn.it/alice/introgrd/certmgr/node20.html, which talks about extracting only the public part of the certificate. Even in this case the file is a Base64 encoded string enclosed between "BEGIN PUBLIC KEY" and "END PUBLIC KEY".
I have personally never encountered any situation or usage scenario where the public key information of the certificate had to be extracted.
Private Key (.key)
This file format contains the private key of the certificate. On Windows there is no mechanism available to extract only the private key from the certificate, as it is not required. However, OpenSSL allows only the private key to be extracted from the certificate. If you open the file in Notepad, you would find that it is a Base64 encoded string enclosed between "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY".
Command used to convert PFX to PEM (the -nocerts option writes only the private key, not the certificates, to the output file):
openssl.exe pkcs12 -in Certificate.pfx -nocerts -out Certificate.pem
More on Certificates:
When a certificate request is created for a website in IIS 6, a corresponding private key is also created. The requests are stored under the Certificate Enrollment Requests store under the Computer account. This contains the private key information corresponding to the request raised.
Once you have submitted the request to the CA, it will process the request and provide a certificate with a .cer, .crt or .der extension, DER or Base64 encoded. Now the pending request can be processed in the IIS Manager by installing the certificate which was provided by the CA.
Consider what happens if the request for the certificate was somehow lost, i.e., the request under the Certificate Enrollment Requests store was removed. Now if you install the certificate on the website you are bound to see some issues due to the missing key information. The SSL handshake will not complete and you will see a "Page cannot be displayed" error message in the browser.
By default a .cer file doesn't contain a private key. The notion of such a file is that the private key already exists on the server and, during installation, it binds to the certificate. Now, since the private key from the request no longer exists, the server doesn't know how to decrypt the information received from the client that was encrypted using the public key. However, we are not totally helpless. We can try to retrieve the private key for the certificate. Here are the steps to do it:
1. Import the certificate into the Personal store of the Computer account.
2. Now double-click the certificate and go to the Details tab. Select the Thumbprint field and copy the value as shown below:
3. We will use the certutil tool to map the private key to the certificate. Open a command prompt and execute the following (the thumbprint is the value copied in step 2):
certutil -repairstore my "7314b2201c57f9fe1936cfff9fcbc91e8c0f1a02"
If the command is successful then you will see a confirmation message as shown below:
Scenarios:
Sometimes the web administrator has to install the same certificate across several servers in a load-balanced setup. So, continuing from the above scenario, let's assume the web admin has to install the certificate on the other 12 servers. Manually copying the .cer file to every server and running the above command is quite tedious.
Why can't we export the certificate along with the private key to the other servers and then install it? Well, it can be done, provided the private key has been marked as exportable. Generally, you would see this if the certificate was renewed again with the private key not having been marked exportable earlier.
Go to the website on which the certificate has been installed and export it with the private key (steps 1 to 6 were shown as screenshots in the original page).
Now you have an SSL certificate containing the private key. You can copy this to the other servers and then install it on the website. You may also choose to install the certificate programmatically on IIS using KB article 313624.