Create a PFX file containing the intermediate CA certificate using OpenSSL on Windows

Most private and public CAs sign certificate requests with an intermediate Certificate Authority rather than with the root.

See the example below of a certificate signed by Thawte:

[Image: certificate signed by an intermediate CA]

Sometimes you will have to add such a signed certificate to a server or appliance on which you are unable to import the intermediate Certificate Authority certificate separately.

In such a case I like to use OpenSSL to create a custom .pfx file that contains the intermediate CA's public certificate alongside the server certificate and key. OpenSSL is an open source application and is also available for the Windows platform.

To get your own copy, browse to the following link and download Win32 OpenSSL v0.9.8y Light or Win64 OpenSSL v1.0.0k Light, depending on your Windows version.

Once you have installed OpenSSL you are able to create a custom .pfx file using one of the following procedures:

  • If you have access to the private key (.key) and the public certificate (.cer), follow procedure 1
  • If you have access to the original .pfx file, follow procedure 2

Procedure 1

  • Download the intermediate CA’s public certificate
    – Open your signed .cer file
    – Select the Intermediate CA certificate
    – Click “View Certificate”
    – Click on “Details” and select “Copy to file”
    – Select Base-64 encoded X.509
    – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Create a custom .pfx file including the intermediate CA’s public certificate

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

    – Provide the current .key password and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance

Procedure 2

If you have access to the original .pfx file you will first need to export the .key file. In order to do so you must have access to the .pfx password (if you don’t, check out my article on non-exportable certificates ;-)).

  • Download the intermediate CA’s public certificate
    – Open your signed .cer file
    – Select the Intermediate CA certificate
    – Click “View Certificate”
    – Click on “Details” and select “Copy to file”
    – Select Base-64 encoded X.509
    – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Export the .key file from the original .pfx file

pkcs12 -in webmail-xxxxxxx.pfx -nocerts -out webmail-xxxxxxx-nl.key

    – Provide the current .pfx password and a new one for the .key file (these can be the same)

  • Create a custom .pfx file including the intermediate CA’s public certificate

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

    – Provide the current password of the .key file and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance
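The export step shared by procedure 1 and procedure 2 is the one that matters: if -certfile is forgotten, the .pfx imports fine but the appliance never receives the intermediate. The script below is an added example, not part of the original post; it builds a throwaway root, intermediate and leaf with the openssl CLI, exports the leaf both with and without -certfile, and counts the certificates in each .pfx. All file names, subjects and the password are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate
# -> leaf chain, bundle the leaf with its intermediate into a .pfx the way the post does
# (pkcs12 -export ... -certfile), and verify the PFX really carries two certificates.
# Needs the openssl CLI; every file name, subject and password here is constructed.
set -e
WORK=$(mktemp -d)
PFX_PASS='constructed-pfx-password'

# Both CAs are signed with an extension file so they carry basicConstraints CA:TRUE
# regardless of what the local openssl.cnf contains.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=webmail.example.invalid' \
    -keyout "$d/webmail.key" -out "$d/webmail.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/webmail.csr" -CA "$d/inter.cer" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/webmail.cer" 2>/dev/null
}

# Before bundling, confirm that the intermediate you exported really issued the leaf.
chain_is_valid() {
  openssl verify -CAfile "$1/root.cer" -untrusted "$1/inter.cer" "$1/webmail.cer" >/dev/null 2>&1
}

# build_pfx <dir> <out.pfx> [intermediate.cer]: the post's export step, with or without -certfile.
build_pfx() {
  if [ -n "$3" ]; then extra="-certfile $3"; else extra=""; fi
  openssl pkcs12 -export -inkey "$1/webmail.key" -in "$1/webmail.cer" $extra \
    -passout "pass:$PFX_PASS" -out "$2"
}

# Count the certificates in a PFX: the check that the appliance will really get the intermediate.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_chain "$WORK"
chain_is_valid "$WORK" || { echo "intermediate did not issue the leaf"; exit 1; }
build_pfx "$WORK" "$WORK/leaf-only.pfx"
build_pfx "$WORK" "$WORK/with-intermediate.pfx" "$WORK/inter.cer"
echo "certificates without -certfile: $(count_certs "$WORK/leaf-only.pfx")"
echo "certificates with -certfile:    $(count_certs "$WORK/with-intermediate.pfx")"
```

Running count_certs against the .pfx you are about to import is a quick way to confirm the intermediate made it into the bundle before the appliance tells you otherwise.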

Posted on July 21, 2013, in OpenSSL.
