Context
If you are self-hosting your on-prem VenioOnDemand (VOD), you have the certificate your Certificate Authority https://www.digicert.com/blog/what-is-a-certificate-authority issued (usually a `.crt` or `.cer` file) together with the private key that belongs to it (the key you generated when requesting the certificate, or one the CA generated for you; usually a `.key` or `.txt` file), and you need to use the new certificate in IIS, here is how to combine the two into the `.pfx` file the IIS server expects.
Prerequisites
OpenSSL must be installed on whatever machine you use to create the `.pfx` file (it does not need to be installed on the IIS server itself) and its `bin` directory must be on that machine's PATH environment variable. Because that machine handles the private key, use a trusted administrator workstation, not a shared or unmanaged box.
1. Install OpenSSL:
If you haven't installed OpenSSL, download it from the official website or use the package manager for your operating system. On Windows, the Win32/Win64 OpenSSL builds are the usual choice.
2. Add OpenSSL to your PATH:
If OpenSSL is already installed, you may still need to add its `bin` directory to the PATH:
- Determine where OpenSSL is installed. It is often a directory like `C:\Program Files\OpenSSL-Win64\bin` or something similar.
- Add that directory to your system's PATH variable:
  - Right-click on the `Start` button and select `System`.
  - Click on `Advanced system settings`.
  - Click on the `Environment Variables` button.
  - Under `System Variables`, find and select the `Path` variable, then click `Edit`.
  - Click `New` and add the path to the OpenSSL `bin` directory.
  - Click `OK` to save your changes.
- Close all of your Command Prompt and PowerShell windows; a shell that is already running does not pick up the PATH change.
- After they are all closed, open a new PowerShell window.
3. Run the OpenSSL command:
After following the above steps, `openssl version` should run without errors. If the command is not recognized, the PATH change has not taken effect yet.
Remember to keep sensitive materials, such as private keys and certificates, secure and private during this process.
Here's how to build the `.pfx` using OpenSSL. When you run the command, it asks you to create an export password for the resulting `.pfx` file; you will need the same password when you import the file on the IIS server. We recommend using a new password that is not used anywhere else, with at least 75 bits of entropy (a 16-character random string from a password manager is more than enough). https://www.securitycentric.com.au/blog/bits-of-entropy-the-importance-of-complex-passwords
Be sure to replace the following placeholders as needed.
`<new_pfx_filename_exp_<expiration_date>>.pfx`
I prefer using the certificate's expiration date in the name of the file to avoid confusion. For example, the ISO representation for July 15, 2022 is: 20220715
It's also good practice to name the file after the domain it is for. For example: if my CA provided me a certificate specifically for www.acme.com expiring July 15, 2022, I would name the file www_acme_com_exp20220715.pfx
If I had received a wildcard ("star") certificate, *.acme.com, which covers any single-level subdomain of acme.com, I would name the file star_acme_com_exp20220715.pfx
`<ca_provided_private_key>.key`
Make sure that the filename and extension of the private key match what your CA (Certificate Authority) provided. If the key file is itself passphrase-protected, OpenSSL will prompt for that passphrase before asking for the new export password. Keep it secret. Keep it safe.
`<ca_provided_public_cert>.crt`
Make sure that the filename and extension of the public cert match what your CA (Certificate Authority) provided. If the CA also supplied an intermediate (chain) certificate, keep it alongside: it needs to be bundled into the `.pfx` as well, otherwise browsers may report an incomplete chain (see Troubleshooting below).
The following command assumes the files have been downloaded into a Windows user's Downloads directory. You may need to change the file paths accordingly. Note that `%USERPROFILE%` is Command Prompt (cmd.exe) syntax; PowerShell does not expand it, so in a PowerShell window use `$env:USERPROFILE` instead.
Command Prompt:
openssl pkcs12 -export -out "%USERPROFILE%\Downloads\<new_pfx_filename>.pfx" -inkey "%USERPROFILE%\Downloads\<ca_provided_private_key>.key" -in "%USERPROFILE%\Downloads\<ca_provided_public_cert>.crt"
PowerShell:
openssl pkcs12 -export -out "$env:USERPROFILE\Downloads\<new_pfx_filename>.pfx" -inkey "$env:USERPROFILE\Downloads\<ca_provided_private_key>.key" -in "$env:USERPROFILE\Downloads\<ca_provided_public_cert>.crt"
Clarifying the OpenSSL Command
The command is:
openssl pkcs12 -export -out "%USERPROFILE%\Downloads\<new_pfx_filename>.pfx" -inkey "%USERPROFILE%\Downloads\<ca_provided_private_key>.key" -in "%USERPROFILE%\Downloads\<ca_provided_public_cert>.crt"
Let's deconstruct it piece by piece:
- `openssl pkcs12`: the OpenSSL subcommand for PKCS#12 files. `.pfx` (Personal Information Exchange) is the Windows name for this container format, which holds a private key together with its certificate and, optionally, the chain certificates.
- `-export`: tells OpenSSL to create (export) a PKCS#12 file rather than read one.
- `-out "%USERPROFILE%\Downloads\<new_pfx_filename>.pfx"`: where the exported `.pfx` file will be saved.
  - `%USERPROFILE%`: a Windows environment variable that points to the current user's profile directory. If your username is "John", this typically expands to `C:\Users\John`.
  - `<new_pfx_filename>.pfx`: a placeholder. Replace it with the name you want for the `.pfx` file; as above, include the domain and the expiration date for clarity.
- `-inkey "%USERPROFILE%\Downloads\<ca_provided_private_key>.key"`: the private key that belongs to the certificate.
  - `<ca_provided_private_key>.key`: another placeholder. Replace it with the filename of your actual private key file.
- `-in "%USERPROFILE%\Downloads\<ca_provided_public_cert>.crt"`: the public certificate issued by the Certificate Authority.
  - `<ca_provided_public_cert>.crt`: yet another placeholder. Replace it with the filename of your public certificate.
In summary: this command tells OpenSSL to package a private key and its public certificate into one password-protected `.pfx` file at the given location. OpenSSL checks that the two belong together and stops with "No certificate matches private key" if they do not, which usually means the wrong key file was used. To use the command effectively, replace every placeholder with the real filenames and paths.
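The same export, done from PowerShell with the checks a practitioner would run first: this is an added example, not code from the original article. It verifies that the CA-issued certificate really belongs to the private key, refuses an already-expired certificate, derives the `<domain>_exp<YYYYMMDD>.pfx` name recommended above from the certificate itself, and bundles the intermediate with `-certfile` if one is present. It assumes `openssl.exe` is on the PATH; the three input file names are hypothetical.

```powershell
# Added example, not from the original article: build the .pfx with OpenSSL from
# PowerShell, after checking that the CA-issued certificate belongs to the private key,
# and derive the <domain>_exp<YYYYMMDD>.pfx name recommended above from the certificate.
# Assumptions: openssl.exe is on PATH; the three input file names are hypothetical.
$ErrorActionPreference = 'Stop'

$keyPath   = "$env:USERPROFILE\Downloads\acme.key"        # private key (assumed name)
$crtPath   = "$env:USERPROFILE\Downloads\acme.crt"        # certificate issued by the CA (assumed name)
$chainPath = "$env:USERPROFILE\Downloads\acme-chain.crt"  # intermediate(s), if the CA supplied them (optional)

# 1. Key/certificate match. Compare the public key embedded in the certificate with the
#    public key derived from the private key; this is the check behind OpenSSL's
#    "No certificate matches private key" error.
$certPub = (& openssl x509 -in $crtPath -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in $keyPath -pubout)         -join "`n"
if ($certPub -ne $keyPub) { throw "The private key $keyPath does not belong to the certificate $crtPath" }

# 2. Subject CN and expiry. RFC2253 name output is stable across OpenSSL versions.
$subject = & openssl x509 -in $crtPath -noout -subject -nameopt RFC2253
$cn = [regex]::Match($subject, 'CN=([^,]+)').Groups[1].Value
if (-not $cn) { throw "Could not read the CN from $crtPath" }

$endLine = & openssl x509 -in $crtPath -noout -enddate   # e.g. notAfter=Jul 15 23:59:59 2022 GMT
$m = [regex]::Match($endLine, 'notAfter=(\w{3})\s+(\d+)\s+[\d:]+\s+(\d{4})')
$notAfter = [datetime]::ParseExact("$($m.Groups[1].Value) $($m.Groups[2].Value) $($m.Groups[3].Value)",
                                   'MMM d yyyy', [cultureinfo]::InvariantCulture)
if ($notAfter -lt (Get-Date)) { throw "The certificate for $cn expired on $($notAfter.ToString('yyyy-MM-dd'))" }

# 3. File name as recommended above: www_acme_com_exp20220715.pfx, or
#    star_acme_com_exp20220715.pfx for a wildcard certificate.
$stamp    = $notAfter.ToString('yyyyMMdd')
$fileStem = ($cn -replace '^\*', 'star' -replace '[^A-Za-z0-9]', '_') + '_exp' + $stamp
$pfxPath  = "$env:USERPROFILE\Downloads\$fileStem.pfx"

# 4. Export. OpenSSL prompts for the export password on the console, which keeps it out
#    of the shell history. -certfile bundles the intermediates so Windows imports them
#    with the certificate; -name sets the friendly name shown in the IIS binding dropdown.
$opensslArgs = @('pkcs12', '-export', '-out', $pfxPath, '-inkey', $keyPath, '-in', $crtPath,
                 '-name', "$cn exp $stamp")
if (Test-Path $chainPath) { $opensslArgs += @('-certfile', $chainPath) }
# OpenSSL 3.x encrypts the .pfx with AES-256/PBKDF2 by default, which Windows Server 2016
# and earlier cannot import (the wizard reports the password as incorrect). For those
# targets add the -legacy switch:
# $opensslArgs += '-legacy'
& openssl @opensslArgs
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }

# 5. Verify the result (prompts for the export password again) and list what is inside.
& openssl pkcs12 -in $pfxPath -info -noout
Write-Host "Created $pfxPath"
```

The key-match check is worth keeping even though OpenSSL performs it too: it gives a clear message before any password prompt, and it is the same check to run when a renewed certificate arrives and you are not sure which of several `.key` files it was issued against.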
Import .pfx into local computer certificate store
Now you need to install the `.pfx` certificate on the Windows Server hosting your IIS (Internet Information Services) site (or whatever other service will use it). Here's a step-by-step guide:
1. Locate the .pfx File:
Make sure you have followed the previous steps carefully to create a password-protected `.pfx` file, then make it available on the IIS server. If it is not already there, transfer it over an authenticated, encrypted channel (for example an RDP or domain SMB session), never by email or an unprotected share. Once the import below has succeeded, delete the `.pfx` and the original `.key` from the Downloads folders on both machines; the server's certificate store and your secure backup should be the only copies left.
2. Import the .pfx Certificate:
- Press `Windows + R`, type `mmc`, and press Enter to open the Microsoft Management Console.
- In the MMC, click on `File` then `Add/Remove Snap-in`.
- In the Add or Remove Snap-ins window, select `Certificates` and click `Add >`.
- In the Certificates snap-in window, select `Computer account` and click `Next`.
- Select `Local computer` and click `Finish`.
- Click `OK` to close the Add or Remove Snap-ins window.
- In the MMC, expand `Certificates (Local Computer)` on the left pane.
- Right-click on the `Personal` folder, hover over `All Tasks`, and then select `Import`.
- The Certificate Import Wizard will start. Click `Next`.
- Click `Browse` and locate your `.pfx` file. Select it and click `Open`.
- Click `Next`. You will be prompted for the password for the `.pfx` file. Enter it.
- Leave `Mark this key as exportable` unchecked unless you need to export the certificate with its private key from this server later (for example, for the backup in step 3). A non-exportable key is harder to copy off the server, which is why it is the safer default for a web server. Click `Next`.
- Accept the default option to place the certificate in the Personal store, or choose another store if necessary. Click `Next`.
- Click `Finish` to complete the import.
3. Backup the Certificate:
- It's good practice to keep a backup of your certificate with its private key once it is installed, so that server issues, migrations, or other scenarios don't force you to reissue it. If you marked the key exportable in step 2, you can do this with the same MMC snap-in: right-click the certificate under the `Personal` store, choose `All Tasks`, then `Export`, choose to export the private key, and follow the export wizard. If you left the key non-exportable, your backup is the original password-protected `.pfx` you built with OpenSSL; store it, and its password separately, in a password manager or secrets vault, not on the web server.
Remember to always handle certificates, especially those with private keys, with care. They should be protected and not shared carelessly.
Assign the certificate to your site
Now you must assign the newly imported `.pfx` certificate to a site in IIS (Internet Information Services). Here's how:
1. Open IIS Manager:
- Press `Windows + R`, type `inetmgr`, and press Enter.
2. Choose Your Site:
- In the Connections pane on the left side, expand your server's node, then expand the `Sites` node, and then click on the site you want to assign the certificate to.
3. Bind the Certificate:
- In the Actions pane on the right side, click on `Bindings`.
- In the Site Bindings window, find the HTTPS entry. If there isn't one, click `Add` and choose HTTPS from the Type dropdown; if there's an existing HTTPS binding, edit it. Set the Host name to the name on the certificate (for example `www.acme.com`). If this server hosts more than one HTTPS site on port 443, also tick `Require Server Name Indication` so each site can present its own certificate.
- In the SSL certificate dropdown, select the certificate you just imported. The dropdown shows the certificate's friendly name, which defaults to its common name (for example `www.acme.com` or `*.acme.com`); if several entries look alike, click `View` and compare the expiration date and thumbprint with the one you imported.
- Click OK and then Close.
4. Restart the Site:
- Still in the IIS Manager main window, in the right pane, under Manage Website, click `Restart` to ensure the changes take effect.
5. Ensure Security:
- Ensure that your server doesn't serve content over HTTP unless you want to allow insecure connections. If you want to force HTTPS, you should set up an HTTP to HTTPS redirect.
6. Test the Certificate:
- Open a web browser and navigate to your site using `https://`. Ensure that the connection is secure. Check the certificate to ensure it's the one you just installed.
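The import and binding steps above as one script, run in an elevated PowerShell on the IIS server: this is an added example, not code from the original article. It imports the `.pfx` into the Local Computer Personal store with a non-exportable key, checks that the chain builds on the server before anything goes live (so a missing intermediate is caught here rather than in a browser), creates or updates an SNI-bound HTTPS binding on port 443, and restarts the site. It assumes Windows Server with IIS and the WebAdministration module; the `.pfx` path, site name and host name are hypothetical.

```powershell
# Added example, not from the original article: the MMC import and the IIS binding steps
# as one script, with a chain check in between.
# Assumptions: Windows Server with IIS and the WebAdministration module; the .pfx path,
# site name and host name below are hypothetical.
$ErrorActionPreference = 'Stop'
$pfxPath  = 'C:\certs\www_acme_com_exp20220715.pfx'
$siteName = 'VenioOnDemand'
$hostName = 'www.acme.com'

# 1. Import into Local Computer > Personal (Cert:\LocalMachine\My). The key is left
#    non-exportable; keep the original .pfx in a vault as the backup instead of leaving an
#    exportable key on the web server. Add -Exportable to mirror the wizard checkbox.
$pfxPassword = Read-Host -Prompt 'Export password of the .pfx' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'The imported certificate has no private key; was the .pfx built with -inkey?' }
"Imported $($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd')), thumbprint $($cert.Thumbprint)"

# 2. Does the chain build on this server? A PartialChain status here means the intermediate
#    is neither in the .pfx nor in the Intermediate Certification Authorities store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "The certificate chain does not build; install the CA's intermediate certificate(s) before binding"
}

# 3. HTTPS binding on 443 for this host name. SslFlags 1 = Require Server Name Indication,
#    so several sites (or a wildcard certificate) can share port 443 on one server.
Import-Module WebAdministration
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
} else {
    try { $binding.RemoveSslCertificate() } catch { }   # drop the previous certificate, if one was bound
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')      # 'my' is the Personal store

# 4. Restart the site and show the certificate HTTP.SYS now has for this host name.
Stop-Website -Name $siteName
Start-Website -Name $siteName
netsh http show sslcert "hostnameport=${hostName}:443"
```

The `netsh` output at the end is the authoritative view of what is bound: if the thumbprint there does not match the one printed by the import step, the IIS binding is pointing at a different certificate, which is the first item in the Troubleshooting list below.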
Troubleshooting
If you've installed the certificate but the site still displays as insecure, there could be several reasons for this:
1. Certificate Binding:
- Ensure the correct certificate is bound to the correct website and port (usually port 443 for HTTPS) in IIS.
- To check, open IIS Manager, select your site, click on "Bindings" in the right pane, and ensure your SSL certificate is bound to the HTTPS type. If not, add or modify the binding.
2. Intermediate Certificates:
- Sometimes the issue is that intermediate certificates are missing. The browser needs the chain from your certificate up to a trusted root, and IIS only sends the intermediates it can find in the server's `Intermediate Certification Authorities` store (or that were bundled into the `.pfx` and imported with it). Ensure all intermediates provided by your Certificate Authority (CA) are installed there. A browser that has already cached the intermediate from another site will not show the problem while a fresh client will, so test from a machine that has never visited the site, or use an external checker (items 7 and 11).
3. Expired Certificate:
- Ensure that the certificate itself isn't expired. Even if you've recently installed it, there's a possibility that the certificate itself is outdated.
4. Mixed Content Warnings:
- If your website is using HTTPS but also loads content (scripts, stylesheets, images, etc.) over HTTP, it will trigger a mixed content warning. Ensure that all content is loaded over HTTPS.
5. Incorrect Hostname:
- Ensure that the domain name you're using to access the website matches one of the names on the certificate. For example, if your certificate is for `www.example.com`, accessing the site via `example.com` (without the www) might throw an error unless it's a wildcard or has Subject Alternative Names (SANs).
6. Certificate Trust:
- Ensure you're using a certificate from a trusted Certificate Authority. Self-signed certificates or certificates from non-trusted CAs will cause browsers to show the site as insecure.
7. Server Configuration:
- Sometimes, server misconfigurations can lead to security warnings. Tools like [Qualys SSL Labs](https://www.ssllabs.com/ssltest/) can help you diagnose SSL issues and provide a report on your SSL setup.
8. Cache:
- Sometimes, especially if you've made a lot of recent changes, your browser cache might not have caught up. Clear your browser's cache and try accessing the site again.
9. SSL Cipher Suites:
- It's possible that the SSL/TLS protocols or cipher suites enabled on the server are misconfigured. Make sure TLS 1.2 is enabled (and TLS 1.3 where your Windows version supports it), that SSL 3.0, TLS 1.0 and TLS 1.1 are disabled, and that the enabled cipher suites follow current recommendations; on Windows these are controlled by the Schannel settings in the registry, and the Qualys report from item 7 will flag weak ones.
10. Browser Issues:
- Try accessing the site from a different browser or a private/incognito window to see if the issue persists.
11. Check the Certificate Installation:
- Use online tools like [DigiCert's SSL Installation Diagnostics Tool](https://www.digicert.com/help/) to check if the SSL is installed correctly.
After checking all these, if you're still facing issues, it might be useful to have a detailed look at the exact error or warning message your browser is displaying or consult with your hosting provider or server administrator.
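A client-side probe for the causes above, as an added example that is not part of the original article: it connects to the site over TLS with SNI (the way a browser does), takes the certificate the IIS binding actually serves, and reports the wrong certificate bound, an expired certificate, a host name the certificate does not cover, and a chain that does not build, distinguishing a missing intermediate from an untrusted issuer. It assumes it is run from a Windows machine that can reach the server; the host name in the usage line is hypothetical, and the optional thumbprint is the one printed when you imported the certificate.

```powershell
# Added example, not from the original article: connect over TLS (with SNI) and check the
# live certificate for the causes listed above that a browser only reports as "not secure".
# Assumptions: run from any Windows machine that can reach the server; the host name in the
# usage line is hypothetical.
function Test-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$ExpectedThumbprint      # thumbprint of the certificate you imported, if known
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Accept any certificate during the handshake; the checks are done explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI, as a browser would
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # 1. Is it the certificate you bound?
    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
        if ($cert.Thumbprint -ne $expected) {
            $problems.Add("Served thumbprint $($cert.Thumbprint) is not $expected; check the IIS binding for this host name")
        }
    }

    # 2. Validity period.
    $now = Get-Date
    if ($now -gt $cert.NotAfter)  { $problems.Add("Certificate expired on $($cert.NotAfter)") }
    if ($now -lt $cert.NotBefore) { $problems.Add("Certificate is not valid before $($cert.NotBefore)") }

    # 3. Host name. Browsers use the Subject Alternative Names and ignore the CN when SANs exist.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    } else {
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }
    $covered = $names | Where-Object {
        if ($_.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.acme.com matches www.acme.com but not acme.com.
            $HostName -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$')
        } else {
            $_ -ieq $HostName
        }
    }
    if (-not $covered) { $problems.Add("Host name $HostName is not in the certificate names: $($names -join ', ')") }

    # 4. Chain. Distinguish a missing intermediate from an untrusted issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        foreach ($st in $chain.ChainStatus) {
            switch ($st.Status) {
                'PartialChain'  { $problems.Add('Chain incomplete: the intermediate certificate is not being served; bundle it into the .pfx (-certfile) or install it on the server') }
                'UntrustedRoot' { $problems.Add('Issuer is not trusted by this client (self-signed or unknown CA)') }
                default         { $problems.Add("Chain error $($st.Status): $($st.StatusInformation.Trim())") }
            }
        }
    }

    [pscustomobject]@{
        Host       = "${HostName}:$Port"
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Problems   = $problems.ToArray()
        Ok         = ($problems.Count -eq 0)
    }
}

# Usage (hypothetical host; add -ExpectedThumbprint with the value printed at import time):
# Test-ServedCertificate -HostName 'www.acme.com' | Format-List
```

Run it from a machine that has never visited the site so that no cached intermediate masks a PartialChain result, and run it once per host name the certificate is supposed to cover (for example both `www.acme.com` and `acme.com`) to catch the hostname mismatch case.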