Skip to content

SSH SSL certificate

Jump to bottom
DUONG Phu-Hiep edited this page Aug 29, 2023 · 1 revision

SSH certificate

SSL binding information is stored in:

- %windir%\System32\inetsrv\config\applicationHost.config

- SSL configuration associated with the SSL binding is stored in the HTTP.sys configuration

List SSL binding in Http.sys: netsh http show sslcert

When the site starts: - IIS sends the binding to HTTP.sys - HTTP.sys starts listening for requests on the specified IP:Port

- HTTP.sys looks in its SSL configuration for the IP:Port pair

- SSL configuration must include a certificate hash and the name of the certificate store

Tip: If you're having trouble with an SSL binding, verify that the binding is configured in ApplicationHost.config, and that the HTTP.sys store contains a valid certificate hash and store name for the binding.

Source: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis#IISManager

Generate a certificate

$ openssl req -out CertificateRequest.csr -new -newkey rsa:2048 -nodes -keyout RsaPrivateKey.key

it will create a "CERTIFICATE REQUEST" and a "RSA PRIVATE KEY"

Create pfx

openssl pkcs12 -export -in my.cer -inkey my.key -out mycert.pfx

Source: https://langui.sh/2009/01/24/generating-a-pkcs12-pfx-via-openssl/

Checking Using OpenSSL

Source: https://www.sslshopper.com/article-most-common-openssl-commands.html

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR) 
    openssl req -text -noout -verify -in CSR.csr
    • Check a private key
    openssl rsa -in privateKey.key -check
    • Check a certificate
    openssl x509 -in certificate.crt -text -noout
    • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Converting Using OpenSSL

Source: https://www.sslshopper.com/article-most-common-openssl-commands.html

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
    • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

    • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Clone this wiki locally