Skip to main content

Extracting Key, Cert, and Cert Chain from a PFX file

Sometimes you're given all the certificate files you need. Other times you're given a PFX file... If you don't know by now, the PFX file is used primarily on Windows based IIS servers. But sometimes, if you run an Apache server, or load balancer, you need multiple files (cert, key, cert chain) in order to update the certificate information. This issue can arise if you're using a shared cert (like a wildcard), or if the person that manages the certs in your IT shop pulls a PFX without thinking. The easiest option is usually just to request the separate files from your Cert Issuing company, but sometimes that takes too long (if you aren't the one that manages it), or could potentially cost extra money.

The process I outline below was completed on a Linux server with OpenSSL. Now, this can be completed on a Windows system, as long as OpenSSL is installed. I'll detail some Windows specific stuff, but this post will not be going over how to install OpenSSL. If you're doing this on a Linux box (you probably don't need to hear this but...) you will just need to copy the PFX file to the directory of your choice.

Windows Specifics

If you are using a Windows system and do not register OpenSSL as an environment variable, then I suggest copying your PFX file to the OpenSSL instillation directory \bin folder. This will make running the below commands a little easier. You will need to open a command prompt and CD (change directory) to the OpenSSL bin folder. From there, you should be able to run through the below commands.

Extraction Process

Now, these commands could be figured out by simply reading through the OpenSSL documentation, or man page (always RTFM), but who wants to do that when folks like me are willing to just highlight common tasks. So here they are:

Extracting the private key
openssl pkcs12 -in [certificate.pfx] -nocerts -out [keyfile-encrypted.key]
Extracting the private key inot PEM format
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
Extracting an unencrypted private key
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Extracting the certificate
openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt]
Extracting the certificate chain
openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [cert-chain.crt]

Now, if i need to tell you that extracting the private key unencrypted could be dangerous, than you shouldn't be doing this in the first place. But there it is. Also, if you don't know the password to the PFX file, then you either shouldn't be doing this, or you should just pitch the PFX and request a new one.

There it is, nice and simple.

Comments

Popular posts from this blog

Using Python for GPG/PGP File Encryption - Part 1

So, this will be the start of a series that will build a python script for GPG/PGP file encryption. In this post, we'll look at installing gnupg for python and using python to setup the keystore, create a private key, exporting the associated public key, and importing a public key. Now everything done here can be done with simple gnupg commands, but learning how to do this with python will help in understanding the script we'll be building to complete file encryption. I will be covering non-python gnupg commands in a future post. Additionally, the folks at the python-gnupg site over at pythonhosted.org have done a really great job at documenting everything (link to their site at the bottom). The stuff I'll be going over will be more of a start-to-finish for anyone that may get lost in the muck of doing stuff with python. Full Disclosure #1: Any key identifier throughout the series of posts is FICTITIOUS and DOES NOT represent any real key, either associated with myself or...

Windows Server 2008: Log on as batch job

From time to time, I have to set up some scheduled tasks that required a dedicated account to run. And when doing so, I'll usually forget that the dedicated account usually isn't given any more permissions than what it needs to complete the task at hand. So, after setting up the task, Windows will usually yell at me and say "The account needs batch job rights". So here's how to grant batch job permissions on your server. Go to your start menu, and start searching for Local Security Policy In the left pane of the MMC that opens up, expand Local Policies, and highlight User Rights Assignment. Now, in the left right pane, locate "Log on as a batch job" and double click it. In the properties window that opens up, add the user or group that needs this permission. I find that if you have multiple service accounts running different tasks on the same server, it's easier to just add a group verses the individual a...

Using Python for GPG/PGP File Encryption - Part 2

Previously we looked at creating keys, importing public and private keys and the overall setup of gnupg with python. This time around, we're going to take a look at file encryption. Overall the file encryption process is fairly general/easy. But it lacks in the area of scaleablilty, ie to start, you'll only be encrypting one file at a time, which can be done outside of Python with ease. The idea of going over everything in Python, is that you can setup a script to encrypt multiple files in a folder (look for that in Part 3). Assumptions; you have python, and python-gnupg installed, and a public key from someone you want to encrypt and send files to imported to your keystore home (see Part 1 for more information here. Let's get started with Python file encryption. Start off by getting into your python shell, and enter the following: >>> import os >>> import gnupg >>> gpg_home = "/path/to/keyfile/.gnupg" >>> gpg = gnupg....