Creating an easy to deploy SSL certificate in PEM format

When ordering a secure certificate, most often one has to deal with the following files:

  • certificate key file (aka private key): .key
  • certificate request file: .csr
  • primary certificate file (issued by the CA): .crt
  • certificate chain (aka intermediate certificate, or sf bundle): sf_bundle.crt

As a result, when deploying to a web server, it is necessary to configure three files: the key, the certificate, and the trust chain. However, a little-known fact is that these can be combined into a single “pem” file that holds all three. The trusted root certificate may optionally be included as well. Here is how:

  • download your certificates (your_domain_name.crt) from your NewPush Customer Portal.
  • paste the entire body of each certificate one by one into one text file in the following order:
    • domain.key
    • domain.crt
    • sf_bundle.crt

    Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The number of

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

sections will depend on the length of the certificate trust chain.


How to add a secure cert to IIS on Windows

To add an SSL cert to IIS 5 on Windows, you need three separate steps:

  • Create a p12 (pkcs12) cert file:
    cat server.key server.crt > server.pem
    openssl pkcs12 -export -in server.pem -out server.p12 -name "server"

  • Import the p12 file into IIS:
    Start->Run->mmc
    Ctrl+M
    Add...
    Certificates
    Computer Account
    Finish
    Close
    OK
    Open "Certificates (Local Computer)" tree
    Right click Certificates
    All Tasks->Import...
    Browse to .p12 cert
    Next
    Next
    Next
    Finish

  • Select cert for site:
    Open IIS Admin
    Select properties of website
    Select Directory Security Tab
    Server Certificate...
    Next
    Assign existing cert
    Next
    Select Cert
    Next
    Next
    Finish
    Web Site tab
    SSL Port 443
    Apply
    OK

Also, if no separate IIS is installed, the certificate can be attached from cmd:

  • Open a command prompt: Start / Run / cmd
  • List the certificates currently attached to ports:
    netsh http show sslcert
  • Add a new certificate to a port:
    netsh http add sslcert ipport=0.0.0.0:PORTNUMBER certhash=THUMBPRINT appid=GUID

The parameters are:

  • PORTNUMBER: leave ipport=0.0.0.0: untouched and specify only the port, for example: ipport=0.0.0.0:443
  • THUMBPRINT: the thumbprint of the certificate. To find it, double-click the certificate in the certificate store, select Details, and look at “Thumbprint”. Use it without white spaces, for example: 42 b3 f1 c1 d1… will be 42b3f1c1d1…
  • GUID: this should be generated with Guidgen.exe.

Example command: netsh http add sslcert ipport=0.0.0.0:443 certhash=42b3f1c1d1c1fg8dd81sd1 appid={CJKC07D-8D1D-CCSa-CS1s-VSF1CS1dsX}
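The combined-file order from the first section and the certhash value from the netsh step can both be checked before deployment. The following Python code is an added example, not part of the original page: it verifies that a bundle has paired BEGIN/END tags in the order key, domain certificate, chain, and computes the thumbprint (SHA-1 over the DER-encoded certificate) in the form certhash= takes. The function names are illustrative and the sample payloads are constructed dummy bytes, not real key or certificate material.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN tag, base64 body, END tag carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def parse_bundle(text):
    """Return [(label, decoded_bytes), ...] in file order; ValueError if damaged."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())  # drop line breaks inside the body
        # validate=True rejects stray characters, e.g. a swallowed BEGIN tag
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    if "-----" in PEM_BLOCK.sub("", text):  # a tag that belongs to no complete block
        raise ValueError("unpaired BEGIN/END tag")
    return blocks

def check_order(blocks):
    """Enforce key, then domain cert, then chain; return the number of certs."""
    labels = [label for label, _ in blocks]
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        raise ValueError("first block must be the private key")
    if len(labels) < 2 or any(l != "CERTIFICATE" for l in labels[1:]):
        raise ValueError("only CERTIFICATE blocks may follow the key")
    return len(labels) - 1

def thumbprint(der):
    """Windows certificate thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()

def normalize_thumbprint(shown):
    """Turn '42 b3 f1 ...' as displayed into the form certhash= takes."""
    value = "".join(shown.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", value):
        raise ValueError("thumbprint must be 40 hex digits")
    return value

def pem(label, payload):
    """Build a PEM block around constructed bytes (sample data only)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: dummy payloads, not a real key or real certificates.
SAMPLE = (pem("RSA PRIVATE KEY", b"constructed-key")
          + pem("CERTIFICATE", b"constructed-domain-cert")
          + pem("CERTIFICATE", b"constructed-intermediate"))

if __name__ == "__main__":
    blocks = parse_bundle(SAMPLE)
    print(check_order(blocks), "certificate(s); leaf certhash =", thumbprint(blocks[1][1]))
```

Because the combined file contains the private key, keep it readable only by the account the web server runs as.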