Swinging for the fences (a story… part 2)

Maryam Bello
Aug 15, 2021

Still Baseball Day!!! Did you miss the first part of the story? Don’t worry, you can read it here.

So what did I do to my customer… Remember I mentioned in the first story that the customer’s application was no longer secured. I’m sure you must have seen a ‘Not secure’ warning on some websites before…well, maybe not so sure, but almost. Check out the screenshot below:

[Screenshot: browser ‘Not secure’ warning. Photo: https://www.dignited.com/49538/should-be-worried-about-not-secure-chrome-warning-on-websites/]

While communicating with the customer during the troubleshooting process, I realized the customer felt that, since he had already obtained his GoDaddy certificates, all he needed to do next was to quickly upload them to Azure, and boom, his web application would become secured again. Sadly, he didn’t realize the extensions mattered.

I did inform the customer, though, that the issue was not within the scope of support but that I could try to assist him further. Now, in the course of finding a fix for the issue, I later felt more like I found myself in a fix😢. I needed to provide a fix for the issue as I had already promised the customer to assist him. So, my wanting to swing for the fences led me to surf the internet for several hours and stumble upon several not-so-detailed results on how to achieve the certificate conversion. P.S. Telling the customer it was out of scope was like a disclaimer: should I not be able to convert the certificate successfully, I would not be held responsible. It’s called working smart😎.

After reading through several pieces of content, I still could not get hold of any comprehensive post, as I needed to first understand the fix to be provided in terms of steps to follow, and I was obviously getting frustrated. So, I decided to combine steps from different articles that fit our scenario during the screen share session with the customer, and of course, I read to understand each step before telling the customer to perform any…I had loottss of tabs open on my end. Working smart again😉.

The customer’s GoDaddy certificates were in .crt, .pem and .p7b file extensions. And all I was seeing online were commands like:

To convert a .crt file to .pfx:

    openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx

To convert a .p7b file to .pfx:

    openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
    openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer

Which obviously means that, before you begin running the commands, you must have:

  • The original private key that was used for the certificate
  • A PEM (.pem, .crt, .p7b) file
  • OpenSSL

Below were the steps performed to successfully convert GoDaddy certificates to Azure-supported certificates for the Cloud Service resource:

  1. Downloaded and installed OpenSSL.
  2. I observed that the customer did not have a .key file, which was needed for the conversion process, and asked the customer about this, but the customer said he had no such file.
  3. We had to ReKey the customer’s GoDaddy certificate.
  4. Based on step 3, we had to regenerate the CSR file as this was required for the ReKey’ing.
  5. Then ReKey’ed the certificate as in step 3.
  6. Again, the files generated after ReKey’ing were the same as the customer’s. Got stuck 😶. I dug the internet further.
  7. Found this article, which this time around showed the detailed next steps to perform after ReKey’ing. It explains how to convert the .crt file and it included how to extract a private key. So I continued with the customer from step 7 of this article, as this was not included in any other post I found. This was the most important part of the steps that was missing in all articles I stumbled upon at the time of assisting the customer.
  8. The .PFX file that was generated in step 7 was then uploaded for the customer’s cloud service on Azure, the thumbprint value was added to the Service Configuration .cscfg file, and finally the cloud service was redeployed (published) from Visual Studio (VS).
  9. And the customer navigated to his web application, which no longer showed ‘Not secure’.
  10. The customer confirmed the issue was resolved. This is what every Support Engineer looks forward to hearing when assisting a customer. It gladdens the heart, and so it did for me that day.

The major issue was that the commands to convert the files required a .key file, which only one article categorically explained how to get. I just could not get any post on where/how to get the .key file. So after generating the key file, it was easy to use the OpenSSL command. Once we generated the first .pfx file, we did try to convert the .p7b file to .pfx as well, as seen in the above commands. However, the customer said he’d use only one of them, which was the .crt file converted in the steps above.
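The key-file problem described above, worked through as an added example (not code from the original post or from any of the linked articles): it generates the private key and CSR locally, checks that the key really belongs to the certificate before building the .pfx, and prints the SHA-1 thumbprint in the form the .cscfg file uses. The file names, the script name `pfx_check.sh`, the CN and the password are constructed, and a self-signed certificate stands in for the one the CA returns after the rekey so that the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original post). File names, CN and password are constructed.
# Run the offline walk-through with: sh pfx_check.sh demo

# SHA-256 of the public key held in a certificate / in a private key (RSA or EC).
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
  [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]
}

# New private key + CSR for the rekey; only the CSR is sent to the CA, the .key stays local.
new_key_and_csr() {  # $1=key out, $2=csr out, $3=common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Bundle key + certificate into a PFX; the password comes from $PFX_PASS, not from argv.
make_pfx() {  # $1=key, $2=cert, $3=pfx out
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# SHA-1 thumbprint as uppercase hex without colons, from a certificate file or from a PFX.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}
pfx_thumbprint() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

demo() {
  d=$(mktemp -d) && export PFX_PASS="constructed-demo-password"
  new_key_and_csr "$d/privatekey.key" "$d/request.csr" "www.example.test"
  # Stand-in for the CA: self-sign the CSR so the demo needs no network.
  openssl x509 -req -in "$d/request.csr" -signkey "$d/privatekey.key" -days 1 \
    -out "$d/certificate.crt" 2>/dev/null
  make_pfx "$d/privatekey.key" "$d/certificate.crt" "$d/certificate.pfx" &&
    echo "thumbprint for .cscfg: $(pfx_thumbprint "$d/certificate.pfx")"
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

The .key file and the .pfx both contain the private key, so they should be stored and deleted with the same care as a password.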

It gladdens my heart that I was able to single-handedly assist the customer because I could have called for backup from my colleagues.

One of the links I found with well-listed commands
OpenSSL — Convert SSL Certificates to PEM CRT CER PFX P12 & more (ryadel.com)

P.S.:
A PKCS#12 file has the extension .pfx or .p12
A PKCS#7 file has the extension .p7b or .p7c

Again, for me, I swung the fence as I did achieve what I had never done. Assisted the customer and the workaround successfully turned out to be a FIX for the issue. We spent about 3 hours on the screen share session😀 and did not realize time was far spent. I hope I did not bore you here again.

Why am I sharing the story? Well, just to have the experience documented and have something to read should I have imposter syndrome, to share so others can learn, and also to get an alternative and simpler option.

Do let me know if you have additional input that could have saved the whole stress. Add any useful links to the comment section and don’t forget to give your clap ehn…catch you some other time.
