SSL CERTIFICATE FILE EXTENSIONS

It's not easy to tell from a file extension alone whether a file carries a certificate, or what else it might contain. I am writing this blog to simplify that task for myself: next time I can jump straight to my blog instead of searching endlessly on the internet for what a specific file extension corresponds to.

I will be discussing certificate extensions related to Windows only. This should give you some idea of the different types of certificate files that exist. My area of expertise is IIS, so I will mostly be discussing things related to that.

SSL certificates are used for various purposes, such as:

• Authentication: a digital certificate is a common credential that provides a means to verify the identity of either the sender or the recipient.

• Privacy, which ensures that information is only available to the intended audience. Certificates enable privacy of transmitted data using a number of different methods.

• Encryption, which disguises information so that unauthorized readers are unable to decipher the message. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted using a key.

• Digital signatures, which provide strong evidence that the data has not been altered since it was signed and confirm the identity of the person or entity who signed the data.

Different types of certificate files:

Different file formats exist for certificates, depending on how they are encoded and what they contain. They can also be classified into two types: ones that contain the private key and ones that don't. Four certificate file formats are supported on Windows; the first three listed below cannot store a private key.

1. Base64-encoded X.509: (.cer, .der or .crt extensions)

The Base64 format supports storage of a single certificate. This format does not support storage of the private key or the certification path. These are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Right-click the certificate, open it in Notepad, and you will see the lines as shown:

[Image: a Base64-encoded .cer file opened in Notepad, showing the BEGIN CERTIFICATE and END CERTIFICATE lines]

2. DER-encoded binary X.509: (.cer, .der or .crt extensions)

The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.

3. Cryptographic Message Syntax Standard (PKCS #7): (.p7b, .p7r or .spc extension)

The PKCS #7 format supports storage of certificates and all certificates in the certification path. A PKCS #7 file typically has a .p7b file name extension, but this is not always the case. This format also does not support storage of private keys. It is generally used by a CA to provide the certificate chain to clients.

However, as with any other data file, the creator is free to keep the usual .p7b extension or change it as desired.

4. Personal Information Exchange (PKCS #12): (.pfx or .p12 extension)

The Personal Information Exchange format (PFX, also called PKCS #12) defines a file format for secure storage of certificates (containing both private and public keys) and all certificates in a certification path, protected with a password-based symmetric key. PFX is a predecessor to PKCS #12.

The PKCS #12 format is the only one of the four that can be used to export a certificate together with its private key. A PKCS #12 certificate containing a private key is shown below:

[Image: a PKCS #12 (.pfx) certificate containing a private key]
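Since the point of this post is that the extension does not tell you what a file holds, here is an added PowerShell example (my code, not the author's) that classifies a file by its contents instead: it looks for Base64 "BEGIN/END" armor first, and otherwise reads the first element inside the outer ASN.1 SEQUENCE, which is what distinguishes an X.509 certificate, a PKCS #7 bundle and a PKCS #12 container. The function name Get-CertFileKind and the folder path in the usage line are my assumptions.

```powershell
# Added example: identify what a certificate file actually holds by inspecting
# its bytes, since .cer/.crt/.der/.p7b/.pfx are only naming conventions.
# Assumes the path given exists; no certificate validation is performed.
function Get-CertFileKind {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

    # Base64 (PEM) files are text with BEGIN/END armor. Count the blocks and
    # check the labels, because a .crt bundle may also carry a "PRIVATE KEY" block.
    if ($text -match '-----BEGIN ') {
        $labels = [regex]::Matches($text, '-----BEGIN ([A-Z0-9 ]+)-----') |
                  ForEach-Object { $_.Groups[1].Value }
        return [pscustomobject]@{
            Path     = $Path
            Encoding = 'Base64/PEM'
            Blocks   = @($labels).Count
            Labels   = (@($labels) | Sort-Object -Unique) -join ','
            HasKey   = [bool](@($labels) | Where-Object { $_ -like '*PRIVATE KEY*' })
        }
    }

    # Everything else is DER. All four Windows formats start with an ASN.1 SEQUENCE (0x30).
    if ($bytes.Length -lt 4 -or $bytes[0] -ne 0x30) {
        return [pscustomobject]@{ Path = $Path; Encoding = 'Unknown'; Blocks = 0; Labels = ''; HasKey = $false }
    }

    # Skip the outer length field (short or long form) to reach the first element.
    $i = 2
    if ($bytes[1] -band 0x80) { $i += ($bytes[1] -band 0x7F) }
    $first = $bytes[$i]

    $kind = switch ($first) {
        0x02    { 'PKCS#12 (PFX)' }       # PFX ::= SEQUENCE { version INTEGER(3), ... }
        0x06    { 'PKCS#7 (P7B)' }        # ContentInfo ::= SEQUENCE { contentType OID, ... }
        0x30    { 'X.509 certificate' }   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        default { 'Unknown DER' }
    }
    [pscustomobject]@{
        Path     = $Path
        Encoding = 'DER'
        Blocks   = 1
        Labels   = $kind
        HasKey   = ($kind -like 'PKCS#12*')   # of the four, only PKCS#12 can carry the private key
    }
}

# Usage (folder path is a placeholder): classify everything in a certificate drop folder.
Get-ChildItem 'C:\certs\*' -Include *.cer,*.crt,*.der,*.p7b,*.pfx,*.p12 |
    ForEach-Object { Get-CertFileKind $_.FullName } |
    Format-Table Path, Encoding, Blocks, Labels, HasKey -AutoSize
```

The HasKey column is the distinction the post draws above: only a PKCS #12 file (or a PEM bundle with a PRIVATE KEY block) can contain the private key, so any such file found on a share or in a ticket attachment deserves the same handling as a password. The function is a triage tool, not a parser; it does not check that the certificate inside is well-formed or trusted.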

More on Certificates:

When a certificate request is created for a website in IIS 6, the corresponding private key is also created. The request is stored under the Certificate Enrollment Requests store of the Computer account, and it holds the private key information corresponding to the request raised.

Once you have submitted the request to the CA, it will process the request and provide you with a certificate in .cer format (DER or Base64 encoded). The pending request can then be completed in IIS Manager by installing the certificate provided by the CA (the .cer file).

Now suppose the request was somehow lost, i.e. the entry under Certificate Enrollment Requests was removed. If you install the certificate on the website you are bound to see problems due to the missing key information: the SSL handshake will not complete and the browser shows a "Page cannot be displayed" error message.

By default a .cer file doesn't contain a private key. It is assumed that the private key is present in the requests store, and during installation it is bound to the certificate. Since the request (and with it the private key) no longer exists, the server cannot decrypt the information received from the client (which was encrypted using the public key). However, we are not totally helpless: we can try to re-associate the private key with the certificate. Here are the steps:

1. Import the certificate into the Personal store of the Computer account.

2. Now double-click the certificate and go to the Details tab. Select the Thumbprint field and copy the value as shown below:

[Image: the Thumbprint field on the certificate's Details tab]

3. We will use the certutil tool to map the private key back to the certificate. Open an elevated command prompt and execute the following (the thumbprint shown is the one from the screenshot; use your own certificate's thumbprint):

C:\>certutil -repairstore my "73 14 b2 20 1c 57 f9 fe 19 36 cf ff 9f cb c9 1e 8c 0f 1a 02"

If the command succeeds you will see a confirmation message as shown below:

[Image: certutil -repairstore confirmation message]

More information on the certutil tool can be found here: http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx

Scenarios:

Sometimes a web administrator has to install the same certificate across several servers in a load-balanced farm. Continuing from the scenario above, let's assume the web admin has to install the certificate on 12 other servers. Manually copying the .cer file to every server and running the above command on each is quite tedious.

Why can't we export the certificate along with its private key and install it on the other servers? It can be done, provided the private key was marked as exportable. Generally you run into the non-exportable case when the certificate was renewed and the private key had not been exported earlier.

Go to the website on which the certificate has been installed.

1. Right-click and select Properties -> Directory Security -> View Certificate.

2. Go to the Details tab and click "Copy to File...".

3. Click Next; you will see a window with two radio buttons:

a. Yes, export the private key

b. No, do not export the private key

If the private key was not marked as exportable when the certificate was first created, the first option will be greyed out.

4. Select the first option, "Yes, export the private key", and click Next.

5. In the next window, "Personal Information Exchange – PKCS #12 (.PFX)" will be selected, with three checkboxes beneath it. Select the first two and click Next.

[Image: Certificate Export Wizard showing the PKCS #12 (.PFX) format and its three checkboxes]

6. Type in a password if required and click Next.

7. Browse to the location where you want to save the file (in .pfx format) and click Next.

8. Click Finish; you will get a small prompt saying "The export was successful".

9. Click OK and it's done.

Now you have an SSL certificate file containing the private key. You can copy it to the other servers and install it on the website there. You may also choose to install the certificate programmatically on IIS using KB article 313624.
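The certutil repair from the previous section and the export-and-copy steps above, combined into one added PowerShell example (my code, not the author's) that does the same work without the GUI. It assumes an elevated session on the IIS server, the PKI module that ships with Windows Server 2012 / Windows 8 and later (Export-PfxCertificate, Import-PfxCertificate), and placeholder values for the thumbprint, the share path and the server names that you replace with your own.

```powershell
# Added example: re-associate a lost private key, then export the certificate
# with its key as PKCS#12 and import it on the other servers in the farm.
# Thumbprint, share path and server names are placeholders.
$Thumbprint = 'REPLACE-WITH-THUMBPRINT'          # Details tab -> Thumbprint, spaces removed
$PfxPath    = '\\fileshare\certs\www-site.pfx'   # placeholder destination on a share
$PfxPwd     = Read-Host -AsSecureString 'PFX password'

# Step 1 (from the certutil section): if the certificate in the computer's
# Personal store has no private key, ask certutil to map the key back to it.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $Thumbprint
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"   # re-read after the repair
}
if (-not $cert.HasPrivateKey) {
    throw "No private key could be associated with $Thumbprint; nothing to export."
}

# Step 2 (the "Yes, export the private key" path): write a PKCS#12 file that
# includes the chain. This fails when the key was not marked exportable, the
# same case where the wizard's first radio button is greyed out.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPwd -ChainOption BuildChain

# Step 3: import the PFX into the computer's Personal store on each other server.
$servers = 'web02', 'web03'                       # placeholder names; extend to the full farm
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($Path, $Pwd)
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $Pwd
} -ArgumentList $PfxPath, $PfxPwd
```

The PFX now holds the private key, so the share it is written to should be restricted to the administrators doing the rollout and the file removed once every server has imported it; the password prompt keeps the key password out of the script and out of the command history.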

Comments:
  • Awesome information... This will really me and my team...

  • WOW !! You were of so much help !! Thank you so much !!
