Recently in Google Developer Console by mistake I generated a new SSL certificate for my project’s Service Account so had to convert it again from p12 file to base64 representation and store its thumbprint separately.
Here’s how you can do it:
var cert = new X509Certificate2("project-595a8425b1d7.p12", "notasecret", X509KeyStorageFlags.Exportable);
var thumbprint = cert.Thumbprint;
var base64 = Convert.ToBase64String(cert.Export(X509ContentType.Pfx, "notasecret")); // or Pkcs12 which works as well
And just to make sure output string actually works and certificate contains private key:
var test = new X509Certificate2(Convert.FromBase64String(base64), "notasecret");
Debug.Assert(test.PrivateKey != null);
When I tried to enable SSL for BitTorrent Sync installed on my new NAS Synology 215j it turned out it requires not pfx but private and public keys separately in base64 encoded form.
Here’s the command to extract certificate itself. It will prompt for existing pfx’s passphrase (password):
openssl pkcs12 -in synology.pfx -clcerts -nokeys -out synology.cer
To extract private key. It will prompt for pfx’s passphrase and for a passphrase to add to the key:
openssl pkcs12 -in synology.pfx -nocerts -out synology.private.key
To remove the later passphrase. Now private key doesn’t contain any:
openssl rsa -in synology.private.key -out synology.key
When you don’t want to enable SSL offloading so both internet facing web site and the one behind reverse proxy are access over SSL you will receive domain name mismatch.
The solution is simple. Either:
- enable SSL Offloading
- enable Require Server Name Indication in bindings settings:
This week problem was to make working the Remote Desktop Gateway located behind a NAT. Here’s the lesson learned:
That’s all, folks!
To have a properly working SSL web site you have to assign a SSL certificate to it. A real one costs real money. Easily especially for development to issue a self-signed one.
To create certificates I will use MakeCert.exe that is shipped with Windows SDK (usual path is %ProgramFiles%\Microsoft SDKs\Windows\v7.1A\Bin\).
First step: create a certificate at TempCA.cer with subject name CA=TempCA with private key kept in TempCA.pvk:
makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
Second step: create a certificate at SignedByCA.cer in container SignedByCA with subject name CN=example.com (probably should correspond to the web site address) signed by root authority certificate TempCA.cer with private key at TempCA.pvk and save it into the store named My for CurrentUser:
makecert -sk SignedByCA -n "CN=example.com" -iv TempCA.pvk -ic TempCA.cer SignedByCA.cer -sr CurrentUser -ss My
Third step: generate Personal Information Exchange (.pfx) file at TempCA.pfx from certificate TempCA.cert and private key TempCA.pvk (with no password):
Pvk2Pfx -pvk TempCA.pvk -spc TempCA.cer -pfx TempCA.pfx -f
See MSDN for more details.