Feature RequestsCurrent StatusTools WebsiteSubmit Ticket

Discussions / FAQs

Ask a Question
ANSWERED

How do I convert a PEM to PFX?

You can achieve this using OpenSSL (Mac OSX includes OpenSSL within Terminal.app) or our converter tool. You should have the following files (Filenames are just for reference) - Your generated CSR (cert.csr) - Your Private Key File (key.pem) - Your SSL certificate provided by the CA (cert.cer) - The Intermediate Certificate provided by the CA (CA.cer) **Servertastic Certificate Converter** You can also use the [Servertastic Certificate Converter](https://tools.servertastic.com/certificate-converter) **OpenSSL Commands** Using OpenSSL run the following command `openssl pkcs12 -export -in cert.cer -inkey key.pem -out certificate.pfx -certfile CA.cer` This should output a certificate.pfx file.
Posted by Andy Gambles over 3 years ago
ANSWERED

Convert Private Key to RSA format

Some hosting systems require the Private key to be in RSA format rather than PEM. You can easily convert these files using OpenSSL. Your private key file will usually start with `-----BEGIN PRIVATE KEY-----` an RSA private key will start with `-----BEGIN RSA PRIVATE KEY-----` To convert your key simply run the following OpenSSL command `openssl rsa -in domain.key -out domain-rsa.key`
Posted by Andy Gambles over 3 years ago
ANSWERED

Change or Add a password for PFX using OpenSSL

Generally, PFX files are generated without a password. When importing and being asked for a password this can normally be left blank. Some systems insist that a password is entered. Therefore we recommend regenerating the PFX file with a password. This can be done using OpenSSL First convert the PFX file to PEM. ```text openssl pkcs12 -in cert.pfx -out cert.pem -nodes ``` Then convert the PEM file back to PFX and specify a password ``` openssl pkcs12 -export -out cert.pfx -in cert.pem Enter Export Passord: Verifying - Enter Export Password: ```
httpsopenssl
Posted by Andy Gambles 9 months ago
ANSWERED

I need a certificate with CA=True or KeyUsage=CertSign

The above key constraints mean that the certificate is allowed to issue signed certificates. It is not possible to purchase a publicly trusted certificate with these constraints from any Certificate Authority. If such a certificate were issued it would be possible to sign an end-entity certificate for any domain and it automatically be trusted by browsers. This creates a significant security risk as the owner of such a certificate could simply just issue a certificate for google.com or paypal.com and inspect all traffic between the user and the server. The main reason for requiring such a certificate is to install on a firewall type device that performs deep packet inspection. This is essentially performing a Man-in-the-Middle attack on the end user using the firewall by breaking end-to-end encryption for that user. The only option is to create a self-signed certificate with these key constraints and then add it as a trusted certificate on all the end user devices connecting through the firewall either via a group policy or asking the end users to install the certificate.
https
Posted by Andy Gambles almost 3 years ago
ANSWERED

Can't convert CRT to PFX for IIS

Hi, You kindly supplied me with a .crt file, however, I cannot convert this to a .pfx file, required for IIS, since I do not have a private key for the certificate. I tried your converter and OpenSSL but nothing is working sadly. The certificate is a SAN cert, so covered multiple domains. Are you able to convert it for me? Best regards, Liam Young
Posted by Liam Young over 1 year ago
ANSWERED

Sectigo SSL OV - 1 year / 2 year certificates

We usually order Sectigo SSL OV certificates for 1 or 2 years due to the short lived nature of some of our sites and the new guidance for the maximum life of a certificate. But i can no longer find Sectigo SSL OV for 1 or 2 years, have these been removed?
Posted by Allen Haigherty about 3 years ago
ANSWERED

Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error

This message is sometimes displayed when accessing an SSL page via a proxy (including our own payment page PayPal). It is caused by Chrome being unable to render the 502/302 proxy response for some sites (Issue 119713). Check your browsers Proxy settings. If possible remove the proxy and try again. To change this setting, go to [chrome://chrome/settings/](chrome://chrome/settings/) Then Click `Show Advanced Settings`. Scroll down to `Network` and click `Change proxy settings…` Uncheck `Automatically Detect`.
error
Posted by Andy Gambles over 3 years ago
ANSWERED

CSR does not contain a wildcard domain as expected

Posted by Andy Gambles over 3 years ago
ANSWERED

Why is my certificate is only valid for 1 year but I purchased for multiple years?

Due to changes implemented by the CA Browser Forum certificates can only have a maximum validity period of 397 days to be trusted by browsers. You can reissue your certificate multiple times during the life of your certificate plan to obtain the full validity. For more information please see our guide on [Multi-Year HTTPS Certificates](https://docs.servertastic.com/docs/multi-year-https-certificates)
https
Posted by Andy Gambles about 3 years ago
ANSWERED

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Error can occur when visiting a website even in modern browsers.
error
Posted by Andy Gambles over 3 years ago
announcementerrorhttpsopensslsmartermailsmarterstatssmartertoolssmartertrack