Closed JustinWebDev closed 4 years ago
Actually, you probably want much more than that:
All of this is already doable by using the PowerShell scripting option (-f switch). Here are some pointers on how to transform a PFX/PKCS#12 using PowerShell:
https://www.sysadmins.lv/blog-en/how-to-convert-pkcs12pfx-to-pem-format.aspx
https://stackoverflow.com/questions/37247764/openssl-for-windows-and-powershell-pfx-to-pem
This should do the trick. You need to install OpenSSL, change the ssl_path in the script to the nginx conf path, and then point ssl_certificate and ssl_certificate_key in the nginx configuration respectively to the generated server.crt and server.key. In the script, you probably need to add the commands to stop nginx before generating the aforementioned files, and then start it once it's done. ExplodePFX.ps1.txt
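A worked version of the script this comment describes, added here as an example; it is neither the ExplodePFX.ps1.txt attachment nor WinCertes code. It assumes WinCertes invokes the script with `-pfx` and `-pfxPassword` parameters (check the WinCertes documentation for the exact names for your version), an nginx Windows service named `nginx`, and OpenSSL installed at the path held in `$OpenSsl`; all three are assumptions. Beyond what the comment asks for, it passes the PFX password to OpenSSL through an environment variable instead of the command line, restricts the ACL on the generated key file, and exits non-zero on any failure so the calling process can see it.

```powershell
# ExplodePfx.ps1 (added example). Assumed invocation by WinCertes:
#   powershell.exe -File ExplodePfx.ps1 -pfx <path-to-pfx> -pfxPassword <password>
param(
    [Parameter(Mandatory = $true)] [string] $pfx,
    [Parameter(Mandatory = $true)] [string] $pfxPassword,
    [string] $SslPath  = 'C:\nginx\conf\ssl',                                # assumed nginx ssl dir
    [string] $OpenSsl  = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe',  # assumed OpenSSL path
    [string] $NginxSvc = 'nginx'                                             # assumed service name
)

$ErrorActionPreference = 'Stop'

# Run openssl and turn a non-zero exit code into a terminating error.
function Invoke-OpenSsl {
    param([string[]] $Arguments)
    & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

$crtTmp   = Join-Path $SslPath 'server.crt.new'
$keyTmp   = Join-Path $SslPath 'server.key.new'
$stopped  = $false
$exitCode = 0

try {
    if (-not (Test-Path -LiteralPath $pfx)) { throw "PFX not found: $pfx" }

    # Hand the password to openssl via the environment so it never appears
    # in the process command line (visible to other local users).
    $env:PFXPW = $pfxPassword

    # server.crt: leaf certificate plus chain, no key (nginx ssl_certificate).
    Invoke-OpenSsl @('pkcs12', '-in', $pfx, '-passin', 'env:PFXPW', '-nokeys', '-out', $crtTmp)
    # server.key: unencrypted private key (nginx ssl_certificate_key).
    Invoke-OpenSsl @('pkcs12', '-in', $pfx, '-passin', 'env:PFXPW', '-nocerts', '-nodes', '-out', $keyTmp)

    # Only SYSTEM and Administrators may read the key. If nginx runs under a
    # dedicated service account, grant that account read access here as well.
    icacls $keyTmp /inheritance:r /grant:r 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Swap the files in while nginx is stopped so cert and key never mismatch.
    $svc = Get-Service -Name $NginxSvc -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        Stop-Service -Name $NginxSvc
        $stopped = $true
    }
    Move-Item -LiteralPath $crtTmp -Destination (Join-Path $SslPath 'server.crt') -Force
    Move-Item -LiteralPath $keyTmp -Destination (Join-Path $SslPath 'server.key') -Force
}
catch {
    Write-Error $_
    $exitCode = 1
}
finally {
    Remove-Item Env:\PFXPW -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $crtTmp, $keyTmp -Force -ErrorAction SilentlyContinue
    if ($stopped) { Start-Service -Name $NginxSvc }
}

exit $exitCode
```

If a step fails, the temporary files are removed and nginx is restarted with the previous certificate still in place, so a failed renewal never takes the site down; the non-zero exit code is what an operator should alert on.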
How about a command-line switch to NOT import into the Windows certificate store? The Windows certificate store is not relevant to my usage so it'd be nice to totally skip it.
Looking at the code, I think this would be an easy addition but at the moment I don't have a suitable dev environment.
Ideally I would like WinCertes to get the signed certificate from the CA, save whatever info it needs to keep in its configuration, run my `$scriptfile`, then delete the PFX. (Bonus points: check the script's exit status for success before deleting.)
> How about a command-line switch to NOT import into the Windows certificate store? The Windows certificate store is not relevant to my usage so it'd be nice to totally skip it.
> Looking at the code, I think this would be an easy addition but at the moment I don't have a suitable dev environment.
Actually it's doable, but not so easy as it seems at first glance. I did it initially, but removing this ability solved a lot of small things (e.g. the IIS bind option then depends on not having this tag set, etc.). So I will add this back when I can find time to do it.
> Ideally I would like WinCertes to get the signed certificate from the CA, save whatever info it needs to keep in its configuration, run my `$scriptfile`, then delete the PFX. (Bonus points: check the script's exit status for success before deleting.)
Well, all this exists right now. The only thing is that the cert is stored in the store as well, but you can still use it as PFX in the PowerShell script. About checking the exit status for success before deleting, I don't think that's a good idea. Then you have a pending PFX on the file system, and you don't know its password. IMHO the PowerShell script should properly handle error cases if it wants to be able to manually fix a situation.
I added creation of the PEM public and private key chains into CertesWrapper.cs:RetrieveCertificate(). That was very easy because the original key chain is in text format. I made too many other changes that might confuse this topic. I am targeting a certificate for VPS hMailServer and VisualSVN, web services normally disabled. Code snippet added to RetrieveCertificate() is below. The file attached can't be used without inclusion of other more extensive changes.

```csharp
// Now we can fetch the certificate
CertificateChain certChain = await _orderCtx.Download();
// .cer: full certificate chain with private key, e.g. for VisualSVN
string cer = certChain.ToPem(certKey);
// .pem: full certificate chain without private key, e.g. for hMailServer
string pem = certChain.ToPem();
// .pkey: private key alone, in a separate PEM file
string pkey = certKey.ToPem();
var fileName = Path.GetFileNameWithoutExtension(fullPathForPfx);
string pfxName = fileName + ".pfx";
string pfxPath = pathForPfx + "\\" + pfxName;
string cerPath = pathForPfx + "\\" + fileName + ".cer";
string pemPath = pathForPfx + "\\" + fileName + ".pem";
string pkeyPath = pathForPfx + "\\" + fileName + ".pkey";
// Write the three PEM variants next to the PFX
System.IO.File.WriteAllText(cerPath, cer);
System.IO.File.WriteAllText(pemPath, pem);
System.IO.File.WriteAllText(pkeyPath, pkey);
```
PEM files issuance released as part of WinCertes 1.4.0
I'm not using IIS on my Windows server. I need PEM files for the cert. Please add an option to output PEM cert files.
Then, with the built-in server function, I think this would work great for me.