The last few steps... From PFX to Apache... #41

Closed
ThorkilG12 opened this issue Oct 14, 2019 · 8 comments

Comments

@ThorkilG12

Hi
I'm able to get a PFX file, but if I try to access it using OpenSSL I am prompted for a password?

$order.CertificateUrl gives me a URL, and that URL downloads a file with two certificates inside.
Are these two certificates two out of the three I need?

SSLCertificateFile "C:/Apache/g12ssl/www_sublim_dk/certificate.crt"
SSLCertificateKeyFile "C:/Apache/g12ssl/www_sublim_dk/private.key"
SSLCACertificateFile "C:/Apache/g12ssl/www_sublim_dk/ca_bundle.crt"

Please be aware that lots of people just need some certificates. We don't need to understand the depth of ACME. So when you write this:

The certificate chain is not part of the issued certificate. To get a correct certificate chain, you'll need to import the intermediate certificates from your acme service. For Lets Encrypt you can obtain them via https://letsencrypt.org/certificates/.

Then some of us are left behind...
Will it be possible to provide some guidance so that we can make PowerShell, AcmeV2 and Apache live together?

@glatzert
Collaborator

This module is meant to support you in using ACME. It's not an out-of-the-box magic thing that will just do everything necessary. That's why the ReadMe starts with a synopsis.

If you need OOBE, just create a certificate; I'd recommend using https://github.com/rmbolger/Posh-ACME, which is also PowerShell-based, but way more automated.

@ThorkilG12
Author

Allow me to remind you that you have this in the ReadMe as well:
Now you have a ready to use certificate containing the public and private keys. If any problems arise, feel free to open an issue.

And the problem is: I'm running Apache and need the same certificate that ebekker provided when it was acmeV1.

@glatzert
Collaborator

Sorry if I was being hostile.

As I said before, use OpenSSL to convert the PFX into the appropriate files you need.
If it asks for passwords, you'll need to provide the ones you used or make it work without a password.
OpenSSL itself is a big product, but (since I'll always need to look it up myself, if needed) the internet will provide the necessary code snippets to convert PFX to PEM (aka CRT/KEY).

The certificate chain file is (as far as I understand Apache) what's referenced in SSLCACertificateFile. Just store it and point Apache to it.

@ThorkilG12
Author

You said:
If you need oobe just create a certificate, I'd recommend using https://github.com/rmbolger/Posh-ACME, which is also PowerShell-based, but way more automated.

It looks as if it is all DNS TXT-record-based. I have to use HTTP for the challenge...

So... I'm still hoping for some help from one of you guys.
What is the purpose of your solution if Apache users cannot use it?
If you help me, I'm sure a lot more Apache users would be happy as well.

@glatzert
Collaborator

There's no way around OpenSSL currently, so please use that.

You'll need the following commands:
For the private key: openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
For the cert file: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
And for the SSLCA file, download this (I think): https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Nice writeup here: https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/

@ThorkilG12
Author

ThorkilG12 commented Oct 15, 2019 via email

@glatzert
Collaborator

If you did not explicitly call Export-ACMECertificate with -Password there should* be none.
Possibly OpenSSL will accept you pressing [Enter]?

Alternatively, just call Export-ACMECertificate and set a password; then you can provide it to OpenSSL.
Also, it might be that OpenSSL wants to know the password it should use to protect the output files?

@ThorkilG12
Author

Success. Now I'm back on track.

I do this:

cd $appath\bin  # OpenSSL is part of the Apache installation
$openssl = "$appath\bin\openssl.exe"

# Each openssl step is run synchronously with the call operator (&), so every output file
# exists before the next step reads it (Start-Process returns immediately and would run the
# steps in parallel). $stateDir, $dnsName and $certdir are set earlier in the script.

# Private key: the PFX has no import password (-passin pass:); the intermediate PEM is protected
# with a throw-away pass phrase (-passout) and then written out unencrypted for Apache.
& $openssl pkcs12 -in "$stateDir\$dnsName.pfx" -nocerts -out "$certdir\privateKey.pem" -passin pass: -passout pass:verySecret
& $openssl rsa -in "$certdir\privateKey.pem" -out "$certdir\private.key" -passin pass:verySecret

# Leaf certificate only, without the key
& $openssl pkcs12 -in "$stateDir\$dnsName.pfx" -clcerts -nokeys -out "$certdir\certificate.crt" -passin pass:

# Intermediate certificate from Let's Encrypt; Invoke-WebRequest needs TLS 1.2 enabled on older .NET
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$crossURL = Invoke-WebRequest -Uri "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt"
$crossURL.Content | Out-File "$certdir\ca_bundle.crt" -Encoding ASCII

When I check the certificate in a browser I don't see anything that should be wrong.
I'm not sure if the error in this command should worry me?

& $openssl verify -untrusted "$certdir\ca_bundle.crt" "$certdir\certificate.crt"

Thanks a lot for your patience with me. Even though I often have the same old feeling of being outside the "Members Only Closed Linux Club"

Let's hope others can use my findings :-)
Have a nice evening, and thanks for your incredible work.
/T
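A worked version of the conversion glatzert describes and of the script above, added here as an example; it is not code from the ACME-PS project or from either commenter. It assumes the OpenSSL bundled with Apache lives at C:\Apache\bin\openssl.exe and is version 1.1.0 or newer (for verify -partial_chain), that the PFX was exported by Export-ACMECertificate without -Password so its import password is empty, and the Let's Encrypt intermediate URL quoted earlier in the thread; the function names Convert-PfxForApache and Test-ApacheCertFiles are invented for this example. It also writes a fullchain.crt, because mod_ssl serves the intermediates from SSLCertificateFile (leaf followed by the chain; SSLCertificateChainFile is deprecated since 2.4.8), while SSLCACertificateFile is the CA list used to verify client certificates.

```powershell
# Added example for this thread, not code from ACME-PS or the commenters.
# Assumptions: Apache's bundled OpenSSL (1.1.0+) at C:\Apache\bin\openssl.exe; PFX exported
# without -Password (empty import password); intermediate URL as quoted in the thread.

function Convert-PfxForApache {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $OutDir,
        [string] $PfxPassword = '',                                   # empty for a PFX exported without -Password
        [string] $OpenSsl = 'C:\Apache\bin\openssl.exe',              # assumption: Apache's bundled OpenSSL
        [string] $IntermediateUrl = 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt'
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $key       = Join-Path $OutDir 'private.key'
    $cert      = Join-Path $OutDir 'certificate.crt'
    $chain     = Join-Path $OutDir 'ca_bundle.crt'
    $fullchain = Join-Path $OutDir 'fullchain.crt'

    # Private key. -passin answers the import-password prompt; -nodes writes the key
    # unencrypted (Apache needs that to start unattended), so there is no -passout prompt
    # and no second "openssl rsa" pass. Calls use & and are synchronous, so each output
    # file exists before the next command reads it.
    & $OpenSsl pkcs12 -in $PfxPath -nocerts -nodes -out $key -passin "pass:$PfxPassword"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not extract the private key from $PfxPath" }

    # Leaf certificate only. The "Bag Attributes" header lines openssl emits are ignored by mod_ssl.
    & $OpenSsl pkcs12 -in $PfxPath -clcerts -nokeys -out $cert -passin "pass:$PfxPassword"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not extract the certificate from $PfxPath" }

    # Intermediates, if the PFX carries any. If it does not (the ReadMe quoted above says the
    # chain is not part of the issued certificate), fetch the intermediate from the CA.
    & $OpenSsl pkcs12 -in $PfxPath -cacerts -nokeys -out $chain -passin "pass:$PfxPassword"
    if (-not ((Test-Path $chain) -and (Select-String -Path $chain -Pattern 'BEGIN CERTIFICATE' -Quiet))) {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $IntermediateUrl -OutFile $chain
    }

    # mod_ssl serves the chain from SSLCertificateFile: leaf first, then the intermediates.
    Get-Content $cert, $chain | Set-Content -Path $fullchain -Encoding Ascii

    # The key is now on disk in clear text: drop inherited ACLs and grant only what needs it.
    # Assumption: httpd runs as LocalSystem; substitute its service account if it does not.
    icacls $key /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null

    [pscustomobject]@{ Key = $key; Cert = $cert; Chain = $chain; FullChain = $fullchain }
}

function Test-ApacheCertFiles {
    param(
        [Parameter(Mandatory)] $Files,                                # object returned by Convert-PfxForApache
        [string] $OpenSsl = 'C:\Apache\bin\openssl.exe'
    )
    # 1. Key and certificate must carry the same public key, or httpd refuses to start.
    $pubFromKey  = (& $OpenSsl pkey -in $Files.Key  -pubout 2>$null) -join "`n"
    $pubFromCert = (& $OpenSsl x509 -in $Files.Cert -pubkey -noout)  -join "`n"
    if ($pubFromKey -cne $pubFromCert) { throw 'private.key does not belong to certificate.crt' }

    # 2. Chain check. "verify -untrusted ca_bundle.crt certificate.crt" (as in the script above)
    # also needs the root that signed the intermediate in OpenSSL's default trust store, which
    # the copy bundled with Apache on Windows usually does not have, hence the error seen there.
    # -partial_chain accepts a chain ending at a certificate in -CAfile even if it is not a root.
    & $OpenSsl verify -partial_chain -CAfile $Files.Chain $Files.Cert
    if ($LASTEXITCODE -ne 0) { throw 'certificate.crt does not chain to ca_bundle.crt' }
    $true
}

# Usage with the variables from the script above ($stateDir, $dnsName, $certdir):
# $files = Convert-PfxForApache -PfxPath "$stateDir\$dnsName.pfx" -OutDir $certdir
# Test-ApacheCertFiles -Files $files
```

Point SSLCertificateFile at fullchain.crt and SSLCertificateKeyFile at private.key; SSLCACertificateFile is only needed if the server is meant to verify client certificates. Run Test-ApacheCertFiles before reloading httpd, since a key/certificate mismatch or a missing intermediate is far cheaper to catch here than as a failed restart or a browser warning.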
