12 November 2014

SSL Certificate pfx to pem conversion with OpenSSL

OpenSSL is a toolkit for working with SSL certificates. Among other things it can extract certificates from container formats and convert them between the formats that different systems require.

This tutorial will cover converting a PFX that contains the certificate chain into a plain text consolidated pem file for import into a WebLogic server.


openssl pkcs12 -in MyCert.pfx -out Mycert.pem

This will prompt for the import password that you specified when the PFX was exported.
You will then be asked for a passphrase for the output file, and you will have to confirm it.

The resultant file contains the extended properties and the various components in the following order:

Privatekey
Server Certificate
Root Certificate Authority
Intermediate Certificate Authority

WebLogic requires the pem file to be in the following order, without any of the extended properties:

Privatekey
Server Certificate
Intermediate Certificate Authority
Root Certificate Authority

To do this, simply edit the pem file in a text editor.

The various certificate elements are delimited as follows:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The export will look like this:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: le-734abccd-41eb-4767-8413-bb71a89936ff
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BE2FBBD6CCFE6

3NrzDbQJjulQcMG6z9SHm4gEColMcXymYJJOcuUwELrFDzGImlF/uKXeaTjonk5z
1ECPImFEK2SwedgQ5bI+4zRBudw6sOnCMLSEdBZUFTPKaWikMTcO86QNoVL+Regf
HNMm3Xnyi0rOdyQYrCY0d1Qz3VmRpJmGt/7Sk4lLH2FamRLXFDQtImSEtq3L4HrB
2636Q2D+/sgtQSPpJV+M06eUpmJwkBk9Pf2794WGznxencYSgGIk5hYx5tfQJue6
n9cLD3sIrtKwhzwEnSDZu3NREKqmqRkyd4r+z60UhrJNRcQRSUvh71n7Y/w5+z04
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00 
    1.3.6.1.4.1.311.17.3.92: 00 08 00 00 
    1.3.6.1.4.1.311.17.3.20: FF 07 5C 24 46 71 0D 5E 17 C5 1C C0 B5 93 8E D6 A0 57 80 9E 

    1.3.6.1.4.1.311.17.3.71: 54 00 4D 00 47 00 30 00 38 00 2E 00 77 00 6F 00 6F 00 6C 00 77 00 6F 00 72 00 74 00 68 00 73 00 2E 00 63 00 6F 00 2E 00 7A 00 61 00 00 00 
    1.3.6.1.4.1.311.17.3.75: 44 00 30 00 31 00 39 00 37 00 43 00 44 00 31 00 32 00 33 00 31 00 32 00 39 00 41 00 36 00 44 00 34 00 36 00 36 00 43 00 35 00 46 00 30 00 46 00 43 00 31 00 35 00 38 00 34 00 45 00 41 00 32 00 5F 00 00 00 
subject=/C=ZA/L=Cape Town/O=Wool (Pty) Ltd/CN=psnet.domain.co.za
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgIETCR4XzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
cNk2pVK9lJzwU2WwmXfFWW3jNrAE/3OpVAsi6/45ZNLPsiD20Qpk6mZ3oY/5McLz
fDm5EzHNd8yXBZoEIZRKJpL4bmZl87TEEK8st38pDXZ1UhC+2OI355yqz2UmPW+S
c2MH1JAnaLSZxM80oOxBPIejTUiDqZ3ak5LmSR0vfjNGTpM/DFpevQ5izSoKVQRG
jzyKUQB6H/yI9zMb
-----END CERTIFICATE-----

Delete all of the extended attribute text, leaving only the encoded key and certificate data between the delimiters. You should end up with the following:

-----BEGIN RSA PRIVATE KEY-----
3NrzDbQJjulQcMG6z9SHm4gEColMcXymYJJOcuUwELrFDzGImlF/uKXeaTjonk5z
1ECPImFEK2SwedgQ5bI+4zRBudw6sOnCMLSEdBZUFTPKaWikMTcO86QNoVL+Regf
HNMm3Xnyi0rOdyQYrCY0d1Qz3VmRpJmGt/7Sk4lLH2FamRLXFDQtImSEtq3L4HrB
/FwgoJHiSVb30nyVzVwpP49WDXOYJk1eXvTVEVHCUwH65Xjx78J6kex8OBryKnuh
2636Q2D+/sgtQSPpJV+M06eUpmJwkBk9Pf2794WGznxencYSgGIk5hYx5tfQJue6
n9cLD3sIrtKwhzwEnSDZu3NREKqmqRkyd4r+z60UhrJNRcQRSUvh71n7Y/w5+z04
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The only thing left to do now is to swap around the last two certificates and you are set. Save the file as consolidated.pem and import that into WebLogic.
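The manual cleanup and reordering above can be scripted. The following is an added example (mine, not from the post) that post-processes the text written by the openssl pkcs12 command given at the start: it discards the Bag Attributes text, identifies the server certificate, follows the issuer= lines OpenSSL prints above each certificate up to the self-signed root, and emits key, server certificate, intermediate(s), root. It copies the key block whole, so an encrypted key keeps the Proc-Type/DEK-Info headers it needs to be readable; the sample input and its subject names are constructed.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)

def parse_openssl_pem(text):
    """Split verbose `openssl pkcs12` output into blocks plus the subject=/issuer= lines above each cert."""
    items, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        header = text[pos:m.start()]   # Bag Attributes / Key Attributes / subject= / issuer= lines
        subj, iss = (re.search(rf"^{k}=(.*)$", header, re.M) for k in ("subject", "issuer"))
        items.append({"kind": m.group(1), "pem": m.group(0),
                      "subject": subj and subj.group(1).strip(), "issuer": iss and iss.group(1).strip()})
        pos = m.end()
    return items

def weblogic_order(items):
    """Consolidated PEM in WebLogic order: key, server cert, intermediate(s), root.
    The key block is copied whole, so an encrypted key keeps its Proc-Type/DEK-Info headers."""
    keys = [i for i in items if i["kind"].endswith("PRIVATE KEY")]
    certs = [i for i in items if i["kind"] == "CERTIFICATE"]
    if len(keys) != 1 or any(c["subject"] is None or c["issuer"] is None for c in certs):
        raise ValueError("need exactly one key and subject=/issuer= lines on every certificate")
    issuers = {c["issuer"] for c in certs}
    leaves = [c for c in certs if c["subject"] not in issuers]   # nothing chains to the server cert
    if len(leaves) != 1:
        raise ValueError("could not identify a single server certificate")
    by_subject, chain = {c["subject"]: c for c in certs}, [leaves[0]]
    while chain[-1]["subject"] != chain[-1]["issuer"]:          # walk issuers up to the self-signed root
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None or nxt in chain:
            raise ValueError("chain is broken or does not end in a root")
        chain.append(nxt)
    return "".join(i["pem"] for i in keys + chain)

def _blk(kind, body, *hdr):   # builds constructed sample pieces; bodies are placeholders, not real data
    return "\n".join(hdr + (f"-----BEGIN {kind}-----", body, f"-----END {kind}-----")) + "\n"

SAMPLE = (  # constructed input in the same layout as the `openssl pkcs12 -in MyCert.pfx -out Mycert.pem` output
    _blk("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nKEYBODY",
         "Bag Attributes", "    localKeyID: 01 00 00 00", "Key Attributes", "    X509v3 Key Usage: 10")
    + _blk("CERTIFICATE", "SERVERCERT", "Bag Attributes", "    localKeyID: 01 00 00 00",
           "subject=/C=ZA/O=Example/CN=psnet.example.test", "issuer=/C=US/O=Example CA/CN=Example Issuing CA")
    + _blk("CERTIFICATE", "ROOTCERT", "subject=/C=US/O=Example CA/CN=Example Root CA",
           "issuer=/C=US/O=Example CA/CN=Example Root CA")
    + _blk("CERTIFICATE", "INTERMEDIATECERT", "subject=/C=US/O=Example CA/CN=Example Issuing CA",
           "issuer=/C=US/O=Example CA/CN=Example Root CA")
)

if __name__ == "__main__":
    print(weblogic_order(parse_openssl_pem(SAMPLE)), end="")   # write to consolidated.pem for WebLogic
```

Run it against the real export by reading the pem file into `text` instead of `SAMPLE`; the script refuses to guess if the chain is incomplete, which is the same condition that would make WebLogic reject the file.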


It may also be required to have a separate .pem file that only contains the certs and a .key file that only contains the private key. To get these, follow a similar process.

Extract the pfx to pem, excluding the certs:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Extract the pfx to pem, excluding the key:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Convert the key pem to a .key file:

openssl rsa -in key.pem -out server.key 

