Category archive: OpenSSL

Create a PFX file containing the intermediate CA certificate using OpenSSL on Windows

Most private and public CAs sign certificate requests with an Intermediate Certificate Authority.

See the example below of a certificate signed by Thawte:

[Screenshot: certificate signed by an intermediate CA]

Sometimes you will have to add such a signed certificate to a server or appliance on which you are unable to import the Intermediate Certificate Authority certificate.

In such a case I like to use OpenSSL to create a custom .pfx file that also contains the Intermediate CA’s public certificate. OpenSSL is an open source application and is also available for the Windows platform.

To get your own copy, browse to the following link and download the Win32 OpenSSL v0.9.8y Light or Win64 OpenSSL v1.0.0k Light, depending on your Windows version.

Once you have installed OpenSSL you are able to create a custom .pfx file using one of the following procedures:

  • If you have access to the private key (.key) and the public certificate (.cer), follow procedure 1
  • If you have access to the original .pfx file, follow procedure 2

Procedure 1

  • Download the intermediate CA’s public certificate
    – Open your signed .cer file
    – Select the Intermediate CA certificate
    – Click “View Certificate”
    – Click on “Details” and select “Copy to file”
    – Select Base-64 encoded X.509
    – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Create a custom .pfx file including the intermediate CA’s public certificate

[Screenshot: custom pfx]

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

    – Provide the current .key password and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance

Procedure 2

If you have access to the original .pfx file you will first need to export the .key file. In order to do so you must have access to the .pfx password*. *If you don’t, check out my article on non-exportable certificates ;-).

  • Download the intermediate CA’s public certificate
    – Open your signed .cer file
    – Select the Intermediate CA certificate
    – Click “View Certificate”
    – Click on “Details” and select “Copy to file”
    – Select Base-64 encoded X.509
    – Save the .cer file

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory
  • Start OpenSSL
  • Export the .key file from the original .pfx file

[Screenshot: export .key]

pkcs12 -in webmail-xxxxxxx.pfx -nocerts -out webmail-xxxxxxx-nl.key

    – Provide the current .pfx password and a new one for the .key file (these can be the same)

  • Create a custom .pfx file including the intermediate CA’s public certificate

[Screenshot: custom pfx]

pkcs12 -export -out webmail-xxxxxx-nl.pfx -inkey webmail-xxxxxx-nl.key -in webmail-xxxxxx-nl.cer -certfile ThawteDVSSLCA.cer

    – Provide the current password of the .key file and a new one for the .pfx file (these can be the same)

  • Import the created .pfx file on your server/appliance
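Both procedures end in the same pkcs12 -export step, and the check worth doing afterwards is that the intermediate certificate really ended up inside the .pfx and that the resulting chain verifies. The bash script below is an added example and not part of the original post: instead of Thawte's intermediate it builds a throw-away root and intermediate CA, issues a leaf certificate, packages key, leaf and intermediate exactly as procedures 1 and 2 do, and then reads the bundle back to count the certificates and run openssl verify. All file names, subjects and the export password are constructed for the example, and it calls openssl explicitly on a Linux shell, where the post types the sub-commands at the OpenSSL> prompt on Windows.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a throw-away test CA
# (root -> intermediate -> leaf), package leaf key + leaf cert + intermediate
# cert into one .pfx with "pkcs12 -export ... -certfile", then check that the
# intermediate is really in the file and that the chain verifies.
# All names (root.*, intermediate.*, webmail-example.*) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="changeit"   # constructed export password for this example only

# Create a root CA, an intermediate CA signed by it, and a leaf signed by the intermediate.
make_test_chain() {
    cd "$WORK"
    # Root CA: self-signed (req -x509 marks it CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Test Root CA" \
        -keyout root.key -out root.cer 2>/dev/null
    # Intermediate CA: request signed by the root, explicitly marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 1825 -in intermediate.csr \
        -CA root.cer -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out intermediate.cer 2>/dev/null
    # Leaf (server) certificate: request signed by the intermediate, as a public CA would do.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=webmail.example.test" \
        -keyout webmail-example.key -out webmail-example.csr 2>/dev/null
    openssl x509 -req -days 365 -in webmail-example.csr \
        -CA intermediate.cer -CAkey intermediate.key -CAcreateserial \
        -out webmail-example.cer 2>/dev/null
}

# The step from the post: key + leaf cert + intermediate cert into one .pfx.
make_pfx() {
    cd "$WORK"
    openssl pkcs12 -export -out webmail-example.pfx \
        -inkey webmail-example.key -in webmail-example.cer \
        -certfile intermediate.cer -passout "pass:$PFX_PASS"
}

# Count the certificates stored in the .pfx: 2 means leaf and intermediate are both there.
count_pfx_certs() {
    openssl pkcs12 -in "$WORK/webmail-example.pfx" -nokeys -passin "pass:$PFX_PASS" \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pull the certificates back out of the .pfx and verify that the leaf chains to the root
# using only what the .pfx carries as untrusted intermediates.
verify_chain_from_pfx() {
    cd "$WORK"
    openssl pkcs12 -in webmail-example.pfx -nokeys -passin "pass:$PFX_PASS" -out bundle.pem
    openssl verify -CAfile root.cer -untrusted bundle.pem webmail-example.cer >/dev/null
}

# Usage: run the steps in order and report the result.
make_test_chain
make_pfx
echo "certificates in pfx: $(count_pfx_certs)"
verify_chain_from_pfx && echo "chain from pfx: OK"
```

If the count comes back as 1, the -certfile argument was dropped or pointed at the wrong file and a server importing that .pfx would present only the leaf, which is precisely the situation the post is working around; the verify step then fails as well because the intermediate is neither trusted nor supplied.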

Create self-signed certificates using OpenSSL on Windows

Sometimes you find yourself in need of an SSL certificate when there is no CA available.

In those cases I like to use OpenSSL. OpenSSL is an open source application and is also available for the Windows platform.

To get your own copy, browse to the following link and download the Win32 OpenSSL v0.9.8y Light or Win64 OpenSSL v1.0.0k Light, depending on your Windows version.

Once you have installed OpenSSL, creating a self-signed certificate can be achieved by following the steps below:

  • Open a CMD prompt with administrative rights
  • Browse to your OpenSSL directory

[Screenshot: OpenSSL browse to directory]

  • Start OpenSSL

[Screenshot: start-up OpenSSL]

  • Create a certificate request and your own private key

req -out rootsecurity.csr -new -newkey rsa:2048 -nodes -keyout rootsecurity.key

[Screenshot: create .csr & .key]

  • Provide your country code
  • Provide your Province or State name
  • Provide your City name
  • Provide your Company name
  • Provide an OU name
  • Provide the Common Name! This is the name you want the certificate to use!
  • Optionally provide an email address
  • Optionally provide a challenge password
  • Optionally provide an optional company name

[Screenshot: create .csr & .key - 2]

  • Press Enter
  • Check that you have both a .csr and a .key file within the OpenSSL\bin directory

[Screenshot: check .csr & .key]

  • Sign your .csr file using your private key (in this example the certificate will expire in 365 days)

x509 -req -days 365 -in rootsecurity.csr -signkey RootSecurity.key -out rootsecurity.cer

[Screenshot: sign request]

  • Check that you have a .cer file within the OpenSSL\bin directory and that it was created with the expected common name and expiration date


  • Create a PFX file by combining the .cer and .key files.

pkcs12 -export -out rootsecurity.pfx -inkey RootSecurity.key -in rootsecurity.cer

[Screenshot: create .pfx file]

  • Provide an export password
  • Check you have a .pfx file within the OpenSSL\bin directory

[Screenshot: check .pfx]
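The steps above say to check the common name and expiration date by eye in the Windows certificate viewer. The bash script below is an added example, not part of the original post: it runs the same req, x509 -req and pkcs12 -export commands (called as openssl on a Linux shell rather than at the OpenSSL> prompt) with the post's rootsecurity.* file names, and then does the checks from the command line, including the one this kind of certificate always needs: a self-signed certificate only verifies when the client has been told explicitly to trust it. The subject fields and export password are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the self-signed procedure run end
# to end, followed by the checks a practitioner does before installing the
# result. File names follow the post; subject and password are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The three steps from the post: request + key, sign the request with that
# key, then bundle certificate and key into a .pfx.
make_self_signed() {
    openssl req -out rootsecurity.csr -new -newkey rsa:2048 -nodes \
        -keyout rootsecurity.key \
        -subj "/C=NL/O=RootSecurity/CN=rootsecurity.example.test" 2>/dev/null
    openssl x509 -req -days 365 -in rootsecurity.csr \
        -signkey rootsecurity.key -out rootsecurity.cer 2>/dev/null
    openssl pkcs12 -export -out rootsecurity.pfx \
        -inkey rootsecurity.key -in rootsecurity.cer -passout pass:export-password
}

# Read the Common Name back out of the certificate instead of eyeballing the viewer.
cert_common_name() {
    openssl x509 -in rootsecurity.cer -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only if the certificate is still valid 30 days (2592000 s) from now.
cert_valid_for_30_days() {
    openssl x509 -in rootsecurity.cer -noout -checkend 2592000 >/dev/null
}

# Trust status of a self-signed certificate: a plain verify fails because no
# CA vouches for it; it passes only when the certificate itself is pinned as
# the trust anchor, which is what every client of this server has to do.
trust_status() {
    if openssl verify rootsecurity.cer >/dev/null 2>&1; then
        echo "trusted-by-default"
    elif openssl verify -CAfile rootsecurity.cer rootsecurity.cer >/dev/null 2>&1; then
        echo "trusted-only-when-pinned"
    else
        echo "invalid"
    fi
}

# Usage: create the files and print what a pre-installation check shows.
make_self_signed
echo "CN: $(cert_common_name)"
cert_valid_for_30_days && echo "valid for at least 30 more days"
echo "trust: $(trust_status)"
```

The trust check is the part that matters operationally: a certificate created this way works on the server, but browsers and other clients will warn or refuse until the .cer is distributed to them as a trusted certificate, so keep the .cer file next to the .pfx for that purpose and never distribute the .pfx itself, since it contains the private key.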