The Broadview Bonus

We’re Local. For more than 40 years, Broadview University has been an integral part of the local community connecting directly with local employers.

Fun With SSL Certificates

Published on April 24, 2017 by Staff Writer

SSL certificates have been part of the Internet landscape since its inception. They are designed to secure private data when two or more parties communicate over a network. The simplest and most familiar use of SSL certificates is on banking and eCommerce websites. However, there are myriad places where SSL technology is used that are not visible to the average user: inter-server and network-appliance communication over shared networks also relies on SSL certificates as a means of identifying the endpoints and encrypting their traffic.

Administrators are charged with securing systems, and frequently their duties include requesting, revoking, renewing and migrating certificates on a daily basis. The fortunate administrator lives in a homogeneous world where every device runs some blend of Windows, and installation or migration can be delivered via Domain Policy. For the rest of us who coexist with Apple, Cisco, and Linux/Unix, we need to be creative.

Every administrator has their own method for organizing and maintaining the catalog of certificates within their jurisdiction. I have the luxury of relying on a BIG-IP device to track expiration dates, create requests and store the multiple chains and roots of EV and UC certs. The one feature it lacks, however, is the ability to convert and export a PEM cert in PKCS #12 (PFX) format. PFX allows for combining, transporting, and simply installing the chain and private key which make up the SSL cert. I use OpenSSL to accomplish this task.

I begin by initiating a certificate request on the BIG-IP and placing that request with our Certificate Authority. Then I pick up the resulting SSL certificate and the associated chain and root pieces, and complete the request back on the BIG-IP. In total, this nets 5 PEM files. Finally, I combine the root and chain pieces into a single file and use OpenSSL to combine the 5 PEM files into a single PFX file.

Example #1: OpenSSL command-line syntax for creating a PFX from a public/private key combo.

cert.pfx is the name of the PFX file OpenSSL will create
key.txt and cert.txt are the private key and the public certificate, respectively

openssl pkcs12 -export -out cert.pfx -inkey key.txt -in cert.txt

Example #2: OpenSSL command-line syntax for creating a PFX from the public and private keys, plus the root and all intermediate pieces.

cert.pfx is the name of the PFX file OpenSSL will create
key.txt and cert.txt are the private key and the public certificate, respectively
bundle.txt is the file containing all root and intermediate certs

openssl pkcs12 -export -out cert.pfx -inkey key.txt -in cert.txt -certfile bundle.txt

Additionally, OpenSSL will prompt for an export password and require the PFX to be password protected, since the file carries the private key alongside the certificate chain. This helps prevent unauthorized individuals from installing your certificate.
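The following script is an added example, not part of the original post or an F5 or OpenSSL artifact. It stands in for the CA and BIG-IP steps by building a throwaway root, intermediate and leaf with OpenSSL, assembles bundle.txt the way the post describes (intermediate first, root last), runs Example #2, and then checks the things that go wrong most often before the PFX is handed to someone else: the chain verifies, the private key actually belongs to cert.txt, all three certificates travelled inside the PFX, and a wrong export password is rejected. The hostname, subjects and password are constructed; the file names key.txt, cert.txt, bundle.txt and cert.pfx follow the post.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain, bundled and exported
# to PFX with the post's Example #2, then inspected. All material is constructed.
set -eu

WORK="${PFX_DEMO_DIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-demo-export-password}"   # constructed; prefer -passout file: in real use

# 1. Stand-in for "CA + BIG-IP": self-signed test root, intermediate, and a leaf for a test host.
build_test_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.pem 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -sha256 \
    -extfile ca.ext -out inter.pem 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout key.txt -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 -sha256 \
    -extfile leaf.ext -out cert.txt 2>/dev/null

  # The post's bundle.txt: every intermediate, then the root.
  cat inter.pem root.pem > bundle.txt
)

# 2. Does the leaf chain up to the root through the bundled intermediate?
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/cert.txt" >/dev/null
}

# 3. Does key.txt really belong to cert.txt? Compare the public keys derived from each.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/cert.txt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/key.txt" -pubout)" ]
}

# 4. The post's Example #2, with the export password supplied non-interactively.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/cert.pfx" -inkey "$WORK/key.txt" -in "$WORK/cert.txt" \
    -certfile "$WORK/bundle.txt" -passout "pass:$PFX_PASS"
}

# 5. How many certificates are inside the PFX? Leaf + intermediate + root should give 3.
count_pfx_certs() {
  openssl pkcs12 -in "$WORK/cert.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 6. The export password protects the private key: a wrong one must fail the MAC check.
pfx_rejects_wrong_password() {
  ! openssl pkcs12 -in "$WORK/cert.pfx" -passin pass:not-the-password -nokeys >/dev/null 2>&1
}

main() {
  build_test_chain
  verify_chain
  echo "cert.txt verifies up to the test root via inter.pem"
  key_matches_cert
  echo "key.txt matches cert.txt"
  export_pfx
  echo "cert.pfx carries $(count_pfx_certs) certificates (leaf + intermediate + root)"
  pfx_rejects_wrong_password
  echo "wrong export password is rejected; files are in $WORK"
}
main
```

The pre-flight checks in steps 2 and 3 are the ones worth keeping around: a PFX built from a key that does not match the certificate, or without the intermediate, imports without complaint on Windows and only fails later in the client's chain building. Passing the export password on the command line (as `-passout pass:`) exposes it in the process list, so on a shared host use `-passout file:` or an environment variable instead.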

In Windows, opening a PFX file launches the Certificate Import Wizard, which steps through placing each component into the correct store. This removes the guesswork if the installation is being performed by another individual.

Watch this on YouTube: a demonstration of how to create a PFX from a two-part SSL cert comprised of a public and private key with no root or intermediates, and how to install the PFX and open the Certificates console to verify the install was successful.
