Category: Certificates

Prerequisites

Access a Computer with OpenSSL

Copy the file(s) to a system that has OpenSSL. If you are on a Windows machine, the easiest way to do this is to use Git for Windows (https://git-scm.com/download/win). Once installed, you can run Git Bash and will have access to OpenSSL. Linux and macOS will likely already have OpenSSL support in Terminal. If you are in a VMware environment, the ESXi hosts also have OpenSSL support.

Obtain the Certificate Password

It is highly likely the .pfx file will contain a password to protect the file. This password is required for the conversion process.

Convert PKCS12 (P12) to Privacy Enhanced Mail (PEM)

PEM files may have either a cer, crt, or pem file extension. These should be interchangeable, but some vendors are very particular about the file extension. Like anything, check the applicable documentation for recommendations.

Most vendors will require three files. Commonly I see the folllowing:

• Machine certificate
• Signing chain (Look at the vendor documentation for the chaining order! Some vendors require root + intermediates at the bottom and other will require the intermediates + the root at the bottom)
• Private key

To get the machine certificate and signing certificates, run the following command:

openssl pkcs12 -in certificate-name.pfx -out machine.pem -nodes -nokeys

To get the encrypted private key, run the following command:

openssl pkcs12 -in certificate-name.pfx -out machine.key -nocerts

If you view the file, you will see that it is encrypted. Most systems will not take an encrypted key and will require an RSA Private Key.

openssl rsa -in machine.key -out machine-rsa.key

Now if you view the new file, you will see it is an RSA Private Key.