Common Certificate Conversions

Every organization I work with uses certificates to secure web pages or VPNs or the like. Sometimes I request the certificates, sometimes someone else does. Certificates are one of those things no one gives much thought to until suddenly one is expiring (or expired!) and everyone is freaking out (rightfully so!) about the certificate warnings end users are seeing on the “secured” pages. PKI (Public Key Infrastructure; what makes certificates work) is one of the most fickle security measures to deal with. Every misstep is a land mine that explodes and immediately takes your web page into the red zone. In the best cases a little massaging fixes the issue. In the worst cases a whole new cert has to be requested, and that takes time. These are a couple of massages I gave to a site last week that I’ve given to others before and suspect I will give to others again later.

Password with quotes to no quotes

Ever had to install a cert you didn’t request yourself? Ever been in a mixed environment where most of the boxes are Windows Servers but there’s a smattering of Cisco ASAs and maybe an Apache or two hidden in the weeds? Windows doesn’t care much what you throw in the passphrase field when selecting one for your .pfx file. Cisco does, though. So does Apache. Anything Linux-based does, so I suspect Apple does as well, but I don’t know for sure.

I was moving quickly that morning (remember I hinted sometimes an organization thinks about certificates when they’ve already expired?) and started to load their cert onto an ASA that served as their VPN endpoint for users in the field. {insert landmine sound here}

Hastily I was copying and pasting things I would need so I could access them quickly. The passphrase went into a Notepad window without a second glance. There was a quotation mark just about halfway through it. Believe it or not, the exact same thing had been done just a couple of years prior. By the exact same person. I’d warned every time that this would be an issue and that when the new cert was requested they should avoid quotes.

There are a couple of ways to untangle this knot. Here are just two:

Method 1 – You have the .cer or .pem or .crt of the cert, the unencrypted .key file, and OpenSSL:

Launch your command-line and run the following:

openssl pkcs12 -export -out cert.pfx -inkey keyfile.key -in certificate.crt

So you know what you are doing with this command …

  • “openssl” – runs OpenSSL.
  • “pkcs12 -export -out cert.pfx” – tells OpenSSL we’ll use the PKCS12 module to output a file and call it cert.pfx when we’re done.
  • “-inkey keyfile.key” – this is the private key we want meshed with the certificate file we have.
  • “-in certificate.crt” – this is the certificate we want meshed with the key. It may also end in .pem or .cer if that’s the format you have available.
*Notice you get to enter a new password here (the “Export Password” prompt). Leave out the quotes this time.

Method 2 – You just have the .pfx and its password and OpenSSL:

This is a multi-step process. What you’ll do is extract the private key and certificate(s) from the .pfx file, separate the encrypted private key, decrypt the private key, then repackage it with the certs using a password without quotes in it.

From your command-line:

openssl pkcs12 -out keys_out.txt -in cert.pfx
  • “openssl” – runs the program.
  • “pkcs12 -out keys_out.txt” – loads the PKCS12 module and tells it we want the output of this command in keys_out.txt.
  • “-in cert.pfx” – tells the program what PKCS12 file we are about to crack open.
The “Import Password” you are prompted for should be the password you used when you created the .pfx file. Most of the time it’s the same as the key file passphrase, but your mileage may vary. The “PEM pass phrase” is the key file passphrase. Not sure why it’s called something else, to be honest.

So now there’s a text file with the certificate and an encrypted key file meshed together. To split it apart, open it with Notepad++ or whatever your favorite editor is and copy everything from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----. Make sure you grab that header and footer and their dashes. Paste it in a new file and save it with a name that’s memorable (I used keyfile.key for this example) because we need to decrypt it now.

The body of your new file should contain only the -----BEGIN ENCRYPTED PRIVATE KEY----- header, the base64 block between, and the -----END ENCRYPTED PRIVATE KEY----- footer. There may be other info ahead of or following the key begin/end tags in keys_out.txt. Just ignore it. This is the only ingredient you need.

From your command-line:

openssl rsa -in keyfile.key -out keyfile_decrypted.key
  • “openssl” – runs the program.
  • “rsa -in keyfile.key” – loads the rsa module and tells it to read the encrypted key file (you’ll be prompted for its passphrase).
  • “-out keyfile_decrypted.key” – tells the rsa module where to write the decrypted key file.
Now there’s a decrypted key file available. Let’s make ourselves a .crt file to combine with it.

Open the keys_out.txt (or whatever you’ve named it) with your editor again. Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including that header and footer again, ignore the extra stuff) and paste it in a new file. Save that new file with a .crt extension.

Now that you have a .crt file with your certificate’s info inside and an unencrypted key file, you may take them and follow the steps above for Method 1. Following those steps you’ll combine the two and create a .pfx file with the password of your choosing. Sans quotes.
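Here is the whole of Method 2 followed by Method 1 as one non-interactive script. This is an added example, not code from the original post: it uses the `-nocerts`, `-clcerts`/`-nokeys`, `-passin` and `-passout` options of the same OpenSSL subcommands to do the copy-and-paste steps for you, builds a throwaway self-signed certificate and a .pfx whose password deliberately contains a double quote (constructed test data), then repackages it under a quote-free password and confirms the old password no longer opens the result. All file names and both passwords are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Automates Method 2, then Method 1:
# pull the encrypted key and the certificate out of a .pfx, decrypt the key,
# and rebuild the .pfx under a password with no quotes in it.
# Every file name and password below is an assumption for this demo.

# repack_pfx IN.pfx OLD_PASSWORD OUT.pfx NEW_PASSWORD
repack_pfx() {
    in_pfx=$1; old_pw=$2; out_pfx=$3; new_pw=$4
    work=$(mktemp -d) || return 1

    # Step 1: extract only the private key, still encrypted. This is what the
    # post copies out of keys_out.txt by hand. -passin answers the "Import
    # Password" prompt, -passout answers the "PEM pass phrase" prompt.
    openssl pkcs12 -in "$in_pfx" -nocerts -out "$work/keyfile.key" \
        -passin "pass:$old_pw" -passout "pass:$old_pw" 2>/dev/null || return 1

    # Step 2: decrypt the key (the post's "openssl rsa" step).
    openssl rsa -in "$work/keyfile.key" -passin "pass:$old_pw" \
        -out "$work/keyfile_decrypted.key" 2>/dev/null || return 1

    # Step 3: extract the end-entity certificate only. This is the block the
    # post copies between BEGIN/END CERTIFICATE into a .crt file.
    openssl pkcs12 -in "$in_pfx" -clcerts -nokeys -out "$work/certificate.crt" \
        -passin "pass:$old_pw" 2>/dev/null || return 1

    # Step 4: Method 1. Rebuild the .pfx with the quote-free password.
    openssl pkcs12 -export -out "$out_pfx" -inkey "$work/keyfile_decrypted.key" \
        -in "$work/certificate.crt" -passout "pass:$new_pw" 2>/dev/null || return 1

    # The unencrypted key was only needed for the export; do not leave it around.
    rm -rf "$work"
}

# pfx_opens_with PFX PASSWORD -> exit status 0 only if PASSWORD unlocks the file
pfx_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out /dev/null 2>/dev/null
}

# demo: constructed test data. Makes a self-signed cert, packs it into a .pfx
# whose password contains a double quote (the land mine from the post), repacks
# it without the quote, and prints the path of the new .pfx.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$d/orig.crt" -inkey "$d/orig.key" \
        -out "$d/bad.pfx" -passout 'pass:Sum"mer2023' 2>/dev/null || return 1
    repack_pfx "$d/bad.pfx" 'Sum"mer2023' "$d/good.pfx" Summer2023 || return 1
    echo "$d/good.pfx"
}

demo
```

Note the single quotes around `'pass:Sum"mer2023'`: the shell, not OpenSSL, is what would otherwise choke on the quotation mark, and the ASA and Apache prompts have no equivalent escape, which is why the fix is to change the password rather than to find a clever way to type it.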

Converting .pfx to .pem

Pretty frequently I run into devices that require certificates in a different format than what I’ve downloaded. Avocent Cyclades KVMs come to mind. Or are they Emerson? Vertiv? I can never keep it straight. Especially since the branding seems to change every few firmware updates. Conversion is a quick command-and-password-entry away. Just substitute the path to your certificate and the certificate name as needed in the following.

openssl pkcs12 -in cert.pfx -out cert.pem
  • “openssl” – runs OpenSSL.
  • “pkcs12 -in cert.pfx” – loads the pkcs12 module and opens the .pfx to manipulate.
  • “-out cert.pem” – saves the contents (the private key, re-encrypted with the “PEM pass phrase” you’re prompted for, plus every certificate in the .pfx) in .pem format in one file.
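Many appliances will not accept that single all-in-one .pem; they want the key and the certificate chain as separate uploads, and some refuse an encrypted key outright. The following is an added example, not the post’s own command set: it wraps the conversion above in a function, adds a second function that splits the .pfx into an unencrypted key file (`-nocerts -nodes`) and a certificates-only file (`-nokeys`), and a small counter so you can check what actually landed in each file before uploading it. The self-signed certificate, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). The .pfx -> .pem conversion as a
# function, plus the split that most appliances want instead. File names and
# the password are assumptions for this demo.

# pfx_to_pem IN.pfx PASSWORD OUT.pem
# Same as the post's command: the key (re-encrypted under the same password)
# and all certificates land in one PEM file.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" -out "$3" 2>/dev/null
}

# pfx_to_pem_parts IN.pfx PASSWORD KEY.pem CHAIN.pem
# Unencrypted key in one file (-nodes), certificates only in the other (-nokeys).
# Protect KEY.pem accordingly; it is no longer password protected.
pfx_to_pem_parts() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$4" 2>/dev/null
}

# count_pem_blocks FILE LABEL -> prints how many "-----BEGIN LABEL-----" lines FILE has
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# demo: constructed test data. Builds a self-signed cert and .pfx, converts it
# both ways, and prints the working directory holding the results.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=kvm.example.test \
        -keyout "$d/k.key" -out "$d/c.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$d/c.crt" -inkey "$d/k.key" -out "$d/cert.pfx" \
        -passout pass:Summer2023 2>/dev/null || return 1
    pfx_to_pem "$d/cert.pfx" Summer2023 "$d/cert.pem" || return 1
    pfx_to_pem_parts "$d/cert.pfx" Summer2023 "$d/key.pem" "$d/chain.pem" || return 1
    echo "$d"
}

d=$(demo) && printf '%s: %s cert(s), %s encrypted key(s)\n' "$d/cert.pem" \
    "$(count_pem_blocks "$d/cert.pem" CERTIFICATE)" \
    "$(count_pem_blocks "$d/cert.pem" 'ENCRYPTED PRIVATE KEY')"
```

If your .pfx carries intermediates, `chain.pem` will hold more than one certificate block; count them with `count_pem_blocks chain.pem CERTIFICATE` and compare against what the device’s upload form expects, since some want only the leaf and some want the full chain.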
