Showing posts with label security.

Monday, July 19, 2021

Generating pfx file with multiple certificates.

One pfx file can have multiple certificates inside it. In order to create such file, the easiest way is to copy paste all the *.crt files into one file so the file content will be similar to this one:

-----BEGIN CERTIFICATE-----
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDDD
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
GGGEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBZZZ
-----END CERTIFICATE-----


This is just an example; the certificate section of each real certificate will be larger. Let's call such a file bundle.crt. The conventional order is the end-entity (server) certificate first, followed by the intermediate(s) that issued it; openssl pkcs12 finds the certificate that matches the key by itself, but other tools that read the bundle expect that order. To package the bundle as a pfx we also need the private key that belongs to that first certificate. A key file looks much like a *.crt file: a base64 block between -----BEGIN ... KEY----- and -----END ... KEY----- lines. That text format is called PEM, which is why some people call all of these "pem files". Generally speaking *.crt, *.pem and *.cert are the same content in the same format and differ only in the file extension, with one caveat: a .crt or .cer file may instead hold the binary DER form, which openssl reads with -inform DER (or convert it once with openssl x509 -inform DER -in cert.cer -out cert.crt). To create a pfx file we need the openssl application. You can get the Windows binaries from here: ssl binaries. I used the openssl-1.0.2r-x64_86-win64.zip. Be aware that the 1.0.2 series has been out of support since the end of 2019. A current 1.1.1 or 3.x build runs the same command, but OpenSSL 3 encrypts the pfx with AES-256 and PBKDF2 by default, which older Windows versions cannot import; add -legacy there if the target system rejects the file.

To generate pfx I run:
openssl pkcs12 -export -out Private.pfx -inkey C:\cert.key -in C:\bundle.crt

You will be prompted for an export password and asked to retype it. This password is all that protects the private key inside the pfx, so choose a strong one and hand it over separately from the file.


If you want to see what is inside pfx you can run:
certutil -dump Private.pfx

certutil is a tool that is installed on Windows by default. If you have openssl installed you can run:
openssl pkcs12 -info -in Private.pfx

Both commands ask for the pfx password. To confirm that the whole chain made it in, count the certificates in the output; openssl pkcs12 -info -in Private.pfx -nokeys lists only the certificates, so the private key is not written to the console or to a terminal log.
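The whole procedure end to end, as an added example that is not part of the original post: a throwaway private CA and a leaf certificate are generated locally so that there are two *.crt files to bundle, the bundle is exported to a pfx, and the result is inspected with the PKI module's Get-PfxData, which separates the end-entity certificate from the chain certificates. The openssl.exe path, the hostname, the CA name and the password are assumptions for the demo.

```powershell
# Added example, not from the original post. Builds a two-certificate bundle
# (leaf + issuing CA) from scratch, exports it to PKCS#12 and checks what went
# in. The CA, key, hostname, password and the openssl.exe path are throwaway
# assumptions for the demo, not real infrastructure.
$openssl = 'C:\OpenSSL-Win64\bin\openssl.exe'   # assumed path of the unzipped binaries
$work    = Join-Path $env:TEMP 'pfxdemo'
$pfxPass = 'changeit'                           # assumed export password; prompt or vault it in practice
# If openssl complains about a missing config file, point it at the one shipped with the build:
# $env:OPENSSL_CONF = 'C:\OpenSSL-Win64\bin\openssl.cfg'

New-Item -ItemType Directory -Force -Path $work | Out-Null
Push-Location $work

# 1. A throwaway private CA and a leaf certificate it signs. In real use the
#    leaf and the intermediates come back from your CA; all you need are the *.crt files.
& $openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>$null
& $openssl req -x509 -new -key ca.key -subj '/CN=Example Test CA' -days 365 -out ca.crt
& $openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>$null
& $openssl req -new -key leaf.key -subj '/CN=www.example.test' -out leaf.csr
& $openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out leaf.crt

# 2. The bundle: PEM blocks concatenated, leaf first, then the chain upward.
Get-Content leaf.crt, ca.crt | Set-Content bundle.crt

# 3. Export. openssl picks the certificate that matches -inkey as the user
#    certificate and stores the remaining ones as CA certificates. -name sets
#    the friendly name Windows shows in the certificate store.
& $openssl pkcs12 -export -out bundle.pfx -inkey leaf.key -in bundle.crt `
    -name 'www.example.test' -passout "pass:$pfxPass"

# 4. Inspect without openssl: Get-PfxData (PKI module) separates the
#    end-entity certificate(s) from the chain certificates it found.
$secure = ConvertTo-SecureString $pfxPass -AsPlainText -Force
$pfx = Get-PfxData -FilePath (Join-Path $work 'bundle.pfx') -Password $secure
'End-entity : ' + (($pfx.EndEntityCertificates | ForEach-Object Subject) -join '; ')
'Chain      : ' + (($pfx.OtherCertificates     | ForEach-Object Subject) -join '; ')

# 5. The same check with the two tools the post mentions; both prompt for the password.
# certutil -dump bundle.pfx
# & $openssl pkcs12 -info -in bundle.pfx -nokeys

Pop-Location
```

With the assumptions above the end-entity line shows CN=www.example.test and the chain line shows CN=Example Test CA. If the chain line is empty, the intermediates were not in the bundle file, and a client importing the pfx will have to find them on its own.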

Tuesday, May 28, 2013

IIS Access denied problem


Access denied is the most common problem I run into when setting up a new application under IIS. The variant I see most often, across many environments, comes down to which user accounts are actually used under the hood: the file-system permissions often have to be granted to two accounts, not one.

Say you set the application pool identity to Network Service. It is a common mistake to believe that this is the only account that needs permission on the application folder. If the site allows anonymous access, anonymous requests also run in the context of a user account, which in IIS 7.5 is the IUSR account by default. That account therefore needs permissions on the folder as well. Two practical notes: grant only Read & Execute to both accounts (the web server has no business modifying its own code; give Modify only on the specific folder it writes to), and if you prefer a single account, IIS 7.5 lets you set the anonymous authentication identity to the application pool identity instead of IUSR, which leaves only one account to manage.
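The permission set described above, as an added example that is not part of the original post: both accounts get read-and-execute on the site folder, only the worker process identity gets Modify on the one folder it writes to, and the resulting ACL is listed so the second account is not overlooked. The site path, the pool identity and the App_Data folder are assumptions for the demo.

```powershell
# Added example, not from the original post. Grants the two accounts involved in
# an anonymous request the minimum file-system rights they need and shows the
# result, so the second account is not forgotten.
# Assumptions: site folder C:\inetpub\wwwroot\MyApp, application pool identity
# Network Service, anonymous authentication left at its IIS 7.5 default (IUSR).
$siteRoot = 'C:\inetpub\wwwroot\MyApp'
$dataDir  = Join-Path $siteRoot 'App_Data'      # assumed: the only folder the app writes to
New-Item -ItemType Directory -Force -Path $dataDir | Out-Null

# Both accounts, not just the pool identity. With the newer default
# ApplicationPoolIdentity the first entry would be 'IIS AppPool\<pool name>'.
$accounts = @('NT AUTHORITY\NETWORK SERVICE', 'IUSR')

foreach ($acct in $accounts) {
    # (OI)(CI) = inherit to files and subfolders, RX = read and execute only.
    # Not F (full control): the web server has no reason to modify its own code.
    icacls $siteRoot /grant "${acct}:(OI)(CI)RX"
}

# Only the folder the application actually writes to gets Modify, and only for
# the worker process identity; anonymous users never need write access.
icacls $dataDir /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M'

# Verify: list the ACEs for the two accounts on the site root.
(Get-Acl $siteRoot).Access |
    Where-Object { $_.IdentityReference -match 'NETWORK SERVICE|IUSR' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Alternative (one account instead of two): make anonymous requests run as the
# application pool identity. An empty userName means "use the pool identity".
# & "$env:windir\system32\inetsrv\appcmd.exe" set config 'MySite' `
#     -section:system.webServer/security/authentication/anonymousAuthentication `
#     /userName:"" /commit:apphost
```

Run it from an elevated prompt. If the ACL listing shows only NETWORK SERVICE, anonymous requests will still get 401.3/access denied even though the pool identity is correct.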

Monday, December 17, 2012

RSA keys in common use are 1024, 2048 or even 3072 bits long, while most symmetric algorithms use keys of only 112 to 256 bits. (The two are not comparable bit for bit: a 2048-bit RSA key offers roughly 112 bits of security, 3072 bits roughly 128, and 1024-bit RSA is no longer considered safe.)

The ultimate question is: should I use a longer key? And ladies and gentlemen, here is the answer from Bruce Schneier's book Applied Cryptography:

Longer key lengths are better, but only up to a point. AES will have 128-bit, 192-bit, and 256-bit key lengths. This is far longer than needed for the foreseeable future. In fact, we cannot even imagine a world where 256-bit brute force searches are possible. It requires some fundamental breakthroughs in physics and our understanding of the universe.

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38 × 10^-16 erg/K, and that the ambient temperature of the universe is 3.2 Kelvin, an ideal computer running at 3.2 K would consume 4.4 × 10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about 1.21 × 10^41 ergs. This is enough to power about 2.7 × 10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
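The arithmetic behind the quote, worked through here as an added note (not part of the post or of Schneier's text) with Schneier's own constants; the last two lines extend it to the key sizes the post asks about:

$$
\begin{aligned}
E_{\text{bit}} &= kT = (1.38\times10^{-16}\ \text{erg/K})(3.2\ \text{K}) = 4.4\times10^{-16}\ \text{erg} \\
n(E) &= \log_2 \frac{E}{E_{\text{bit}}} \qquad \text{(width of the counter an energy budget } E \text{ can cycle through)} \\
n(1.21\times10^{41}\ \text{erg}) &= \log_2(2.7\times10^{56}) \approx 187.5 \qquad \text{(one solar year)} \\
n(32\times1.21\times10^{41}\ \text{erg}) &= 187.5 + \log_2 32 \approx 192.5 \qquad \text{(32 years behind a Dyson sphere)} \\
n(10^{51}\ \text{erg}) &= \log_2(2.3\times10^{66}) \approx 220.4 \qquad \text{(one supernova; cf. the 219-bit counter in the quote)} \\
E(256) &= 2^{256}\,E_{\text{bit}} \approx 5.1\times10^{61}\ \text{erg} \approx 5\times10^{10}\ \text{supernovae} \approx 4\times10^{20}\ \text{solar years} \\
E(128) &= 2^{128}\,E_{\text{bit}} \approx 1.5\times10^{23}\ \text{erg} = 1.5\times10^{16}\ \text{J} \approx 4\ \text{TWh}
\end{aligned}
$$

Two things the numbers make explicit. First, the bound is about 2^256 specifically: at 2^128 the same accounting gives about 4 TWh, so thermodynamics alone does not forbid a 128-bit search; 128-bit keys are safe because real hardware is many orders of magnitude less efficient than this ideal computer, not because physics rules it out. Second, Landauer's limit is kT ln 2 per erased bit, about 0.69 kT; using kT, as the quote does, overstates the cost by about half a bit of counter width, which changes none of the conclusions.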


An excellent explanation