I work at a place where the CA and all certificates are initially provided in .pfx format. I am able to successfully convert the pfx to key/pem or key/crt depending on my need. When testing this week, I discovered that the conversion process doesn't bring over the SANs that are on the certificates. Is there a way to accomplish this without having to manually configure a config file that includes the SANs? Here is what I'm doing now to convert from pfx:

openssl pkcs12 -in <pfx> -out <key> -nocerts -nodes
openssl rsa -in <key> -out <key>
openssl pkcs12 -in <pfx> -out <pem> -nokeys -clcerts
Mountainerd

1 Answer

The Subject Alternative Name values are part of the certificate. When you did your original pkcs12 operation you specified -nocerts so the certificates aren't emitted, just the key objects.

Since keys don't have SANs you've discarded the data at that step. You need to keep the certificates around.

bartonjs
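
The point made in the answer can be checked end to end. The script below is an added example, not part of the original question or answer: it builds a throwaway PFX whose certificate carries two SANs, runs the question's conversion commands, and reads the SANs back from the extracted certificate file. File names, the password and the host names are constructed, and it assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Constructed demo: file names, password and host names are made up.
set -eu

# Build a test PFX with SANs, convert it with the question's commands,
# and print the SANs found in the extracted certificate.
sans_after_pfx_conversion() (
    work=$(mktemp -d)
    cd "$work"

    # Self-signed certificate with two SAN entries.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -addext "subjectAltName=DNS:demo.example.test,DNS:alt.example.test" \
        -keyout orig.key -out orig.crt 2>/dev/null

    # Bundle key and certificate into a PFX, as the CA would deliver it.
    openssl pkcs12 -export -inkey orig.key -in orig.crt \
        -out demo.pfx -passout pass:demo

    # The conversion from the question: key only, then certificate only.
    openssl pkcs12 -in demo.pfx -out demo.key -nocerts -nodes \
        -passin pass:demo 2>/dev/null
    openssl pkcs12 -in demo.pfx -out demo.pem -nokeys -clcerts \
        -passin pass:demo 2>/dev/null

    # -nocerts output holds no certificate, so it cannot hold any SANs.
    if grep -q "BEGIN CERTIFICATE" demo.key; then
        echo "unexpected: certificate found in key file" >&2
        exit 1
    fi

    # The SANs live in the certificate written by the -nokeys step.
    sans=$(openssl x509 -in demo.pem -noout -ext subjectAltName)

    cd /
    rm -rf "$work"
    printf '%s\n' "$sans"
)

sans_after_pfx_conversion
```

To inspect a real conversion, run the final `openssl x509 -in <pem> -noout -ext subjectAltName` against the certificate file, not the key file.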