Skip to main content

Extracting Key, Cert, and Cert Chain from a PFX file

Sometimes you're given all the certificate files you need. Other times you're given a PFX file... If you don't know by now, the PFX file is used primarily on Windows based IIS servers. But sometimes, if you run an Apache server, or load balancer, you need multiple files (cert, key, cert chain) in order to update the certificate information. This issue can arise if you're using a shared cert (like a wildcard), or if the person that manages the certs in your IT shop pulls a PFX without thinking. The easiest option is usually just to request the separate files from your Cert Issuing company, but sometimes that takes too long (if you aren't the one that manages it), or could potentially cost extra money.

The process I outline below was completed on a Linux server with OpenSSL. Now, this can be completed on a Windows system, as long as OpenSSL is installed. I'll detail some Windows specific stuff, but this post will not be going over how to install OpenSSL. If you're doing this on a Linux box (you probably don't need to hear this but...) you will just need to copy the PFX file to the directory of your choice.

Windows Specifics

 If you are using a Windows system and do not register OpenSSL as an environment variable, then I suggest copying your PFX file to the OpenSSL instillation directory \bin folder. This will make running the below commands a little easier. You will need to open a command prompt and CD (change directory) to the OpenSSL bin folder. From there, you should be able to run through the below commands.

Extraction Process

 Now, these commands could be figured out by simply reading through the OpenSSL documentation, or man page (always RTFM), but who wants to do that when folks like me are willing to just highlight common tasks. So here they are:

Extracting the private key
openssl pkcs12 -in [certificate.pfx] -nocerts -out [keyfile-encrypted.key]
Extracting the private key inot PEM format
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
Extracting an unencrypted private key
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Extracting the certificate
openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt]
Extracting the certificate chain
openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [cert-chain.crt]

Now, if i need to tell you that extracting the private key unencrypted could be dangerous, than you shouldn't be doing this in the first place. But there it is. Also, if you don't know the password to the PFX file, then you either shouldn't be doing this, or you should just pitch the PFX and request a new one.

There it is, nice and simple.
Labels:

Comments

Post a Comment

Popular posts from this blog

Visio Stencils Pack for Azure and Microsoft Integration (v5.0.0)

First off, I'd like to send a big shout out to Sandro Pereira who's been managing the vision stencils pack. Essentially, I'm re-posting his information here, because I had a really hard time finding the latest Visio pack for Azure, that wasn't a bunch of SVG's. My thought is that if more people re-post, maybe the search engines of the internet will have an easier time propagating the information... Sandero's Blog (the original post around the new stencils): https://blog.sandro-pereira.com/2019/10/18/microsoft-integration-and-azure-stencils-pack-for-visio-new-major-version-available-v5-0-0/ Sandero's GitHub: https://github.com/sandroasp/Microsoft-Integration-and-Azure-Stencils-Pack-for-Visio Microsoft TechNet Download: https://gallery.technet.microsoft.com/Collection-of-Integration-e6a3f4d0 I will say, and maybe it's just because I'm using Visio 2013, each icon has a boarder that needs to be removed when putting it on the page... Likely it
Post a Comment
Read more

Keto Kickin' Choffle

Alight, first recipe on the blog... If you've had a chance to reach the "About" section, you will have seen that, rather than spinning up multiple blogs, I'm just going to combine my passions for tech, food, health, and music into this one space. If you're not a fan, then too bad. I really just don't want to manage more than one blog.... With that, here goes nothing... So I recently came across the choffle. This is a really great, and fast to make replacement for buns. I'm also a huge fan of spicy foods. Well, I got the great idea to combine the heat with the choffle. And let me tell you, it turned out really good. I like to use this for a bun replacement when I'm in the mood for that extra kick, but not the extra toppings. Why? Because the extra toppings are now combined in the choffle. Thus removing the need for the additional toppings on my burgers. Enjoy. Kickin' choffle The choffle mix with a kick! Author: Larry L. Preparation Time: 3
Post a Comment
Read more

Replacing rsyslog with syslog-ng on RHEL 6.5

So...I had a piece of monitoring software that didn't play nice with the RHEL default rsyslog for log collection. The software was developed to only work with syslog-ng. I'll be going over the steps that I took, that worked for me, in replacing rsyslog with syslog-ng. I would imagine that these same steps should work for any Linux system similar to RHEL (Fedora, CentOS, etc.). For others (like Debein based distributions), I would need to look into that (coming in a future update to this post). First, remove rsyslog. You will need to keep the dependencies as they will be needed for syslog-ng: sudo rpm -e --nodeps rsyslog Next we will need to add the EPEL repository (more info can be found HERE ): wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm sudo rpm -ivh epel-release-6-8.rpm sudo yum repolist That last command will list all the installed repositories. You are simply verifying that the EPEL package has been installed. Now that we fi
1 comment
Read more