OpenSSL - Installing or Renewing SSL Certs with a .pfx file

If you have a .pfx file, you'll need:

  • A password corresponding to the .pfx file
  • The openssl command-line tool

Use openssl commands to extract the following four files from the PFX:

CA Chain / Intermediate SSL Cert (ca_intermed_chain.pem)

#Get CA/Intermediate Certificate Only

openssl pkcs12 -in fullchain.pfx -nokeys -cacerts -out ca_intermed_chain.pem

Client Cert / Root cert (client_cert.pem)

#Get Client Certificate Only

openssl pkcs12 -in fullchain.pfx -nokeys -clcerts -out client_cert.pem

Private Key (privkey.pem)

# Get Private Key (-nodes writes the key unencrypted; keep privkey.pem readable only by its owner)

openssl pkcs12 -in fullchain.pfx -nocerts -nodes -out privkey.pem

Full chain (fullchain.pem)

# Get Certificates (Full Chain)

openssl pkcs12 -in fullchain.pfx -nokeys -out fullchain.pem

After obtaining these files:

Verify the client certificate against the CA/intermediate chain:

$ openssl verify -CAfile ca_intermed_chain.pem client_cert.pem

client_cert.pem: OK

Check the date of the new root cert:

$ cat client_cert.pem | openssl x509 -noout -dates


notBefore=Jan 27 15:05:30 2022 GMT
notAfter=Jan 19 14:22:25 2023 GMT
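
The steps above as two shell functions, added here as an example and not part of the original page: pfx_extract runs the four extraction commands, and pfx_check repeats the verify and date checks and also confirms that privkey.pem belongs to client_cert.pem. The function names, the PFX_PASS environment variable and the 30-day default are assumptions of this example.

```shell
#!/bin/sh
# Added example: extract the page's four files from a PFX, then sanity-check them.
# The PFX password is read from the PFX_PASS environment variable (assumed name)
# so it does not appear on the command line or in shell history.

# pfx_extract <file.pfx> <outdir>
pfx_extract() (
    pfx=$1; out=$2
    umask 077                      # privkey.pem is written unencrypted (-nodes)
    mkdir -p "$out" || exit 1
    p12() { openssl pkcs12 -in "$pfx" -passin env:PFX_PASS "$@"; }
    p12 -nokeys -cacerts -out "$out/ca_intermed_chain.pem" &&
    p12 -nokeys -clcerts -out "$out/client_cert.pem" &&
    p12 -nocerts -nodes  -out "$out/privkey.pem" &&
    p12 -nokeys          -out "$out/fullchain.pem"
)

# pfx_check <outdir> [min-days-valid]; returns 0 only if every check passes
pfx_check() (
    dir=$1; days=${2:-30}
    cd "$dir" || exit 1
    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in client_cert.pem -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in privkey.pem -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; exit 2; }
    # 2. The certificate must chain to the extracted CA certificates.
    openssl verify -CAfile ca_intermed_chain.pem client_cert.pem >/dev/null 2>&1 ||
        { echo "chain verification failed" >&2; exit 3; }
    # 3. The certificate must stay valid for at least $days more days.
    openssl x509 -in client_cert.pem -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "cert expires within $days days" >&2; exit 4; }
)
```

Typical use: `PFX_PASS='...' pfx_extract fullchain.pfx ./out && pfx_check ./out 30` before copying the files into place.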
