To split a PFX file into its individual PEM files, follow the steps below to get the three files:
- Private Key (.key)
- Certificate Body (.pem or .crt)
- CA Cert (.cer).
openssl pkcs12 -in filename.pfx -nocerts -out keyfile.key
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
You can also use the extension .crt instead of .pem.
openssl pkcs12 -in filename.pfx -cacerts -nokeys -chain -out cacerts.cer
keyfile.key will contain an "ENCRYPTED PRIVATE KEY" block; not all CAs use one, but some do. It usually uses the PEM password. To strip the password from the key:
openssl rsa -in keyfile.key -out keyfile-no-password.key
This will convert PEM files to a PFX file.
- Open an elevated command window (cmd).
- Navigate to the directory with the PEM file.
Replace the PEM file names with the existing PEM files you want to convert, and replace the PFX file name with the name of the PFX file that gets generated. Remember, the Certificate Body can have the extension .pem or .crt; either will work. The -certfile option is only used if you have a RootCA or an Intermediate and RootCA cert file (either stacked in one file or in two separate files).
openssl pkcs12 -export -out CertificateName.pfx -inkey privateKey.key -in CertificateBody.crt -certfile cacerts.cer
Breaking down the command:
- openssl – the command for executing OpenSSL
- pkcs12 – the file utility for PKCS#12 files in OpenSSL
- -export -out CertificateName.pfx – export and save the PFX file as CertificateName.pfx
- -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate
- -in CertificateBody.crt – use CertificateBody.crt as the certificate body the private key will be combined with
- -certfile cacerts.cer – optional; use it if you have any additional certificates you would like to include in the PFX file, such as the RootCA or an Intermediate and RootCA files
To check the PFX File:
openssl pkcs12 -info -in CertificateName.pfx
To check the PEM/CRT file:
openssl x509 -in CertificateBody.crt -text -noout
If you want to get the Thumbprint of the PFX cert do:
openssl pkcs12 -in "certificate.pfx" -nodes | openssl x509 -noout -fingerprint
If you want the Subject Alternative Names (SAN) from a PFX cert, do this:
- Requires grep to be installed. If you don't have grep, omit the grep stage from the command line and look in the output for "DNS".
openssl pkcs12 -in certificate.pfx -nodes | openssl x509 -text -noout | grep DNS
To find the start and expiration dates of the PFX certificate (you will need the PFX password):
openssl pkcs12 -in certificate.pfx -nokeys | openssl x509 -noout -startdate -enddate
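As an added example (not from the original page), this POSIX shell script builds a throwaway self-signed certificate, bundles it into a PFX, splits it back out with the pkcs12 commands shown above, and then verifies that the extracted key and certificate belong together and that the SAN entries survive the round trip. The file names, the password pfx-secret and the demo.example.test names are constructed for the demo; openssl 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example: build a throwaway PFX, split it back into key/cert with the
# pkcs12 commands above, and verify the pieces belong together. Needs openssl.
set -eu

PFX_PASS="pfx-secret"   # constructed password for the demo bundle only

# Build a self-signed key + cert (constructed test data, not a real cert),
# bundle them into a PFX, then split the PFX back out the way the page shows.
pfx_roundtrip() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -addext "subjectAltName=DNS:demo.example.test,DNS:www.example.test" \
        -keyout "$work/privateKey.key" -out "$work/CertificateBody.crt" 2>/dev/null
    openssl pkcs12 -export -out "$work/CertificateName.pfx" \
        -inkey "$work/privateKey.key" -in "$work/CertificateBody.crt" \
        -passout "pass:$PFX_PASS"

    # Extract the private key (unencrypted via -nodes) and the certificate body.
    openssl pkcs12 -in "$work/CertificateName.pfx" -nocerts -nodes \
        -passin "pass:$PFX_PASS" -out "$work/keyfile.key" 2>/dev/null
    openssl pkcs12 -in "$work/CertificateName.pfx" -clcerts -nokeys \
        -passin "pass:$PFX_PASS" -out "$work/cert.pem" 2>/dev/null
    echo "$work"
}

# The thumbprint of the extracted cert must equal the original's.
fingerprints_match() {
    a=$(openssl x509 -noout -fingerprint -in "$1/CertificateBody.crt")
    b=$(openssl x509 -noout -fingerprint -in "$1/cert.pem")
    [ "$a" = "$b" ]
}

# The extracted key must carry the same public key as the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1/keyfile.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/cert.pem" -pubkey -noout)
    [ "$k" = "$c" ]
}

# Pull the SAN entries out of the extracted cert, as the page does with grep.
san_entries() {
    openssl x509 -in "$1/cert.pem" -text -noout | grep DNS
}

DIR=$(pfx_roundtrip)
fingerprints_match "$DIR" && key_matches_cert "$DIR" && san_entries "$DIR"
```

A mismatch in either check means the key and certificate in the bundle do not belong together, which is the usual cause of an import that succeeds but a server that will not start.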
The certificate body file can have either a .pem or a .crt extension; they are the same thing and the extensions are interchangeable. To get the thumbprint of the certificate body:
openssl x509 -noout -fingerprint -inform pem -in CertificateBody.pem
To get the Subject Alternative Names (SAN) from the certificate body:
- Requires grep to be installed. If you don't have grep, omit the grep stage from the command line and look in the output for "DNS".
openssl x509 -in CertificateBody.pem -text -noout | grep DNS
If you want to get details on a specific website's SSL certificate, you can use these examples.
This will work with any website that has an SSL cert. Note that if a proxy server, such as a WAF provider like Akamai, is in use by the website, you may get the SSL cert details of the proxy server rather than those of the web server or load balancer. They do not need to be the same, so long as the proxy has a Subject Alternative Name (SAN) for the website it is serving.
This will pull the CA issuer, the thumbprint of the certificate, and the active dates of the certificate. s_client waits for input after the handshake, so redirect its stdin from /dev/null (NUL on Windows) to let the pipeline finish:
openssl s_client -servername smartsystem.mrisimmons.com -connect smartsystem.mrisimmons.com:443 </dev/null | openssl x509 -noout -subject -issuer -fingerprint -dates
To get the SAN for the certificate, as there can be more than one, we will use grep to pull out all the entries:
openssl s_client -servername smartsystem.mrisimmons.com -connect smartsystem.mrisimmons.com:443 </dev/null | openssl x509 -noout -text | grep DNS