127

How can I convert a PFX certificate file for use with Apache on a linux server?

I created the PFX from Windows Certificate Services. The PFX contains the entire certificate chain. (Which is just a root and the main cert, no intermediate.)

Lead me, wise ones.

AaronJAnderson

5 Answers

217

With OpenSSL you can convert a PFX to an Apache-compatible format with the following commands:

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes  -out domain.key   

The first command extracts the public key to domain.cer.
The second command extracts the private key to domain.key.

Update your Apache configuration file with:

<VirtualHost 192.168.0.1:443>
 ...
 SSLEngine on
 SSLCertificateFile /path/to/domain.cer
 SSLCertificateKeyFile /path/to/domain.key
 ...
</VirtualHost>
Matej
  • This is missing the command to generate the certificate authority file. The answer below is more complete. – Hawkee Aug 01 '13 at 19:57
117

In addition to

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes  -out domain.key

I also generated the Certificate Authority (CA) certificate:

openssl pkcs12 -in domain.pfx -out domain-ca.crt -nodes -nokeys -cacerts

And included it in the Apache config file:

<VirtualHost 192.168.0.1:443>
 ...
 SSLEngine on
 SSLCertificateFile /path/to/domain.cer
 SSLCertificateKeyFile /path/to/domain.key
 SSLCACertificateFile /path/to/domain-ca.crt
 ...
</VirtualHost>
Andron
  • 10
    Note: if the CA certificate is empty, don't include this line in the config file. – Andron Mar 27 '13 at 10:37
  • @Andron when I use the third command to create the CA certificate the result is an empty crt file. I tried using both the serverSSL pfx file and the rootCA pfx file for input. (bitnami wamp) The final result is that firefox gives me a `The certificate is not trusted because the issuer certificate is unknown` `SEC_ERROR_UNKNOWN_ISSUER` error. – khargoosh Jun 29 '16 at 02:21
  • 1
    @khargoosh as I reported in the comment: if it is empty - just don't use/include this line. I had the same situation. – Andron Jun 30 '16 at 18:11
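The three pkcs12 commands from Matej's and Andron's answers, as an added example that is not part of either answer. It builds a throwaway PFX (a private CA plus one leaf certificate, exported with the whole chain the way Windows Certificate Services does) so it runs offline, runs the conversion unattended, and then performs the two checks worth doing before touching httpd.conf: that domain.key really belongs to domain.cer, and that domain-ca.crt actually completes the chain (the SEC_ERROR_UNKNOWN_ISSUER complaint in the comments above is what you see when it does not). It assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH; the host names, passwords and file names are made up.

```shell
#!/bin/sh
# Added example, not code from the original answers. Builds a test PFX,
# splits it into domain.cer / domain.key / domain-ca.crt as the answers do,
# and verifies the result. Assumes the openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
PFX_PASS=changeit          # password chosen when the PFX was exported (made up)

# Constructed test input: a private CA signing a leaf for www.example.test,
# exported together with its chain (leaf + root, no intermediate).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/domain.pfx"
}

# convert_pfx PFX PASSWORD OUTDIR: the conversion from the answers, with the
# PFX password given on the command line so it can run from a script.
convert_pfx() {
    pfx=$1; pass=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/domain.cer"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/domain.key"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/domain-ca.crt"
    chmod 600 "$out/domain.key"       # -nodes leaves the key unencrypted on disk
}

# key_matches_cert CERT KEY: compare the public key inside the certificate
# with the public half of the private key; httpd refuses mismatched pairs.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# chain_verifies CERT CAFILE: does the extracted chain lead from the leaf to
# a root? This is the check a browser performs when it reports unknown issuer.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_count FILE: number of PEM certificates in FILE; 0 means the PFX carried
# no chain and SSLCACertificateFile should be left out of the config.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

make_test_pfx
convert_pfx "$WORK/domain.pfx" "$PFX_PASS" "$WORK"
key_matches_cert "$WORK/domain.cer" "$WORK/domain.key" || { echo "key does not match certificate"; exit 1; }
chain_verifies "$WORK/domain.cer" "$WORK/domain-ca.crt" || { echo "chain does not verify"; exit 1; }
echo "domain.cer and domain.key match; chain verifies; CA certs in domain-ca.crt: $(cert_count "$WORK/domain-ca.crt")"
```

Two caveats from running this against real Windows exports: the certificate bags in older exports are encrypted with RC2-40-CBC, which OpenSSL 3 only provides through its legacy provider, so if the pkcs12 commands fail with an unsupported-algorithm error add -legacy to each of them; and an exported chain that stops at an intermediate will pass the local verify only if that intermediate's issuer is also in domain-ca.crt or the system trust store.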
33

To get it to work with Apache, we needed one extra step.

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes  -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key

The final command decrypts the key for use with Apache. The domain.key file should look like this:

-----BEGIN RSA PRIVATE KEY-----
MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-----END RSA PRIVATE KEY-----
  • NICE! For Bitnami or others needing the CA crt as well, look at the answer from Andron to include the CA crt. Use the server-ca.crt (in place of domain-ca.crt in Andron's answer), and server.crt (in place of domain.cer), and server.key (in place of domain.key) nomenclature in Michael Ferrante's answer here. – OldGreg May 29 '14 at 16:56
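The decryption step in the answer above, as an added example that is not part of the answer. Leaving -nodes off the second pkcs12 command makes OpenSSL re-encrypt the extracted key under a new PEM pass phrase, which is exactly the key httpd would prompt for on the console at every start; the openssl rsa step strips that pass phrase. The script packs a self-signed certificate into a PFX so it runs offline, does both steps non-interactively, and checks each file the way you would before installing it. It assumes the openssl command-line tool is on PATH; the names and passwords are made up.

```shell
#!/bin/sh
# Added example, not code from the original answer: extract a pass-phrase
# protected key from a PFX and decrypt it with "openssl rsa".
# Assumes the openssl CLI is on PATH; file names and passwords are made up.
set -eu

WORK=$(mktemp -d)
PFX_PASS=export-pw       # password chosen when the PFX was exported
PEM_PASS=temp-pem-pw     # pass phrase pkcs12 asks for when -nodes is omitted

# Constructed input: a self-signed server certificate packed into a PFX.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        -passout "pass:$PFX_PASS" -out "$WORK/domain.pfx"
}

# extract_encrypted_key PFX PFXPASS PEMPASS OUTFILE: the answer's second
# command without -nodes; the key is written as encrypted PKCS#8.
extract_encrypted_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$3" -out "$4"
    chmod 600 "$4"
}

# decrypt_key INFILE PEMPASS OUTFILE: the answer's third command. OpenSSL 1.x
# writes "BEGIN RSA PRIVATE KEY", OpenSSL 3 writes "BEGIN PRIVATE KEY" unless
# -traditional is given; mod_ssl loads either.
decrypt_key() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# key_needs_passphrase FILE: true for PKCS#8 or legacy PEM encryption, i.e.
# a key that would make httpd stop and prompt at startup.
key_needs_passphrase() {
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
        grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_loads_unattended FILE: true if OpenSSL parses the key without knowing
# the pass phrase (a deliberately wrong one is supplied).
key_loads_unattended() {
    openssl pkey -in "$1" -noout -passin pass:not-the-real-one 2>/dev/null
}

make_test_pfx
extract_encrypted_key "$WORK/domain.pfx" "$PFX_PASS" "$PEM_PASS" "$WORK/domain_encrypted.key"
decrypt_key "$WORK/domain_encrypted.key" "$PEM_PASS" "$WORK/domain.key"
key_needs_passphrase "$WORK/domain_encrypted.key" || { echo "expected domain_encrypted.key to be encrypted"; exit 1; }
key_loads_unattended "$WORK/domain.key" || { echo "domain.key still needs a pass phrase"; exit 1; }
echo "domain.key loads without a pass phrase; keep it mode 0600 and owned by root"
```

The only difference between this and the answer's route is that -nodes would have skipped the intermediate encrypted file altogether; the openssl rsa step is still useful on its own when someone hands you a key that was protected after export, and the key_loads_unattended check catches the case where it was not actually decrypted.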
3

Took some tooling around but this is what I ended up with.

Generated and installed a certificate on IIS7. Exported as PFX from IIS.

Convert to pkcs12

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

NOTE: While converting PFX to PEM format, openssl will put all the Certificates and Private Key into a single file. You will need to open the file in a text editor and copy each Certificate & Private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer, privateKey.key respectively.

-----BEGIN PRIVATE KEY-----
Saved as certificate.key
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
Saved as certificate.crt
-----END CERTIFICATE-----

Added to apache vhost w/ Webmin.

AaronJAnderson
  • If you don't want the private key and the certs to end up in the same file, use `-nokeys` (not to extract the private key) and `-clcerts` (to extract the cert only). This is exactly what Matej said. – Bruno Jan 08 '12 at 18:19
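The cut-and-paste step in the answer above, done by script instead of in a text editor, as an added example that is not part of the answer. openssl pkcs12 -nodes writes "Bag Attributes", subject= and issuer= lines in front of every PEM block; the splitter below drops those and copies each block to the file name the answer uses (privateKey.key, certificate.cer, CAcert.cer). It needs only sh and awk. The bundle it reads is a constructed stand-in shaped like real pkcs12 output with placeholder base64 bodies, not real key material; the host names in it are made up.

```shell
#!/bin/sh
# Added example, not code from the original answer: split the single PEM
# file produced by "openssl pkcs12 -nodes" into key, certificate and CA files.
set -eu

WORK=$(mktemp -d)
BUNDLE="$WORK/certificate.pem"

# Constructed sample bundle. The bodies are placeholders; a real export has
# dozens of base64 lines per block, but the splitter only looks at markers.
cat > "$BUNDLE" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: www.example.test
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+placeholder+key
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: www.example.test
subject=CN = www.example.test
issuer=CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIUplaceholder+leaf+certificate
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Test Root CA
issuer=CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
MIIDFTCCAf2gAwIBAgIUplaceholder+root+ca+certificate
-----END CERTIFICATE-----
EOF

# split_pem_bundle BUNDLE OUTDIR
# Copies every BEGIN..END block to its own file and skips everything between
# blocks: the private key to privateKey.key, the first certificate to
# certificate.cer, any further certificates (the chain) to CAcert.cer.
# CAcert.cer is simply never created when the PFX carried no chain, which
# matches the advice above to leave SSLCACertificateFile out in that case.
split_pem_bundle() {
    awk -v out="$2" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { dest = out "/privateKey.key" }
        /^-----BEGIN CERTIFICATE-----$/   { ncert++; dest = (ncert == 1) ? out "/certificate.cer" : out "/CAcert.cer" }
        dest != ""                         { print > dest }
        /^-----END /                       { dest = "" }
    ' "$1"
}

# pem_blocks FILE: number of PEM blocks in FILE, 0 if the file does not exist.
pem_blocks() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '^-----BEGIN ' "$1" || true
}

split_pem_bundle "$BUNDLE" "$WORK"
chmod 600 "$WORK/privateKey.key"
echo "privateKey.key:  $(pem_blocks "$WORK/privateKey.key") block(s)"
echo "certificate.cer: $(pem_blocks "$WORK/certificate.cer") block(s)"
echo "CAcert.cer:      $(pem_blocks "$WORK/CAcert.cer") block(s)"
```

The assumption that the first certificate in the bundle is the server certificate holds for the exports seen in this thread, where the leaf is the bag carrying the localKeyID, but it is still an assumption: confirm with openssl x509 -noout -subject -in certificate.cer before restarting httpd.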
0

SSLShopper has some pretty thorough articles about moving between different servers.

http://www.sslshopper.com/how-to-move-or-copy-an-ssl-certificate-from-one-server-to-another.html

Just pick the relevant link at bottom of this page.

Note: they have an online converter which gives them access to your private key. They can probably be trusted but it would be better to use the OPENSSL command (also shown on this site) to keep the private key private on your own machine.

Simon_Weaver