Converting Certificates using OpenSSL

Certificates are an integral part of every IT infrastructure and service since they can be used to encrypt data, secure the communications, verify identities and provide trust. In this article I'm going to demonstrate a number of conversions you may have to perform in order to prepare a certificate to be imported to a system. Before moving on to the actual part about the conversion, a few words about the certificates and their file extensions.

Encodings
There are two different kinds of encoding for an X509 certificate, DER and PEM. DER encoded files are binary in contrast to PEM which are Base64 encoded and human readable.

File Extensions
The most commonly used file extensions for certificate and key files are:
  • .crt - Used for certificates in DER or PEM format.
  • .cer - Also used for certificates, alternative to crt
  • .key - Used for private key files
  • .pfx - Used for certificate and private key bundles. Used different format from the others (pkcs12)
Conversion
When it comes to certificate conversions, OpenSSL is the tool to use. Since the pkcs format is most probably the format you are going to receive your certificate, we'll start with that.

To export the certificate without the private key to PEM format use the command:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer


To export the certificate chain in PEM format:
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out chain.cer


To export the private key use:
openssl pkcs12 -in certificate.pfx -nocerts -out privatekey.key


During the private key export, you'll be asked for a passphrase to protect the key. To remove the passphrase use:
openssl rsa -in privatekey.key -out key.key


The last conversion would be to convert the pkcs file to pem without splitting it into multiple files:
openssl pkcs12 -in certificate.pfx -out certificate.pem


If the private key must not be encrypted in the PEM file, add the "-nodes" parameter.


That's pretty much it when converting from pkcs, let's move on to DER.

To convert a certificate file from PEM to DER use the command:
openssl x509 -outform der -in certificate.pem -out certificate.der


The other way around would be:
openssl x509 -inform der -in certificate.cer -out certificate.pem


If you created the certificate signing request yourself and have the certificate and private key in separate files, you can bind them together in a pkcs file using the command:
openssl pkcs12 -export -in certificate.cer –inkey privateKey.key -out certificate.pfx


You can get copies of the OpenSSL binaries for Windows from here.

I hope you find the information and commands useful!

Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your...
Keep reading

Managing Active Directory User Certificates using PowerShell

I first came across user certificates when I was working with email certificates a few years ago and I have to admit that I had trouble updating the certificates on the objects! Most organizations have a Microsoft Active Directory Certification Authority that issues the certificates used internally. When a certificate is issued to a user, the Microsoft Certificate Service saves the public key in Active Directory. The userCertificate attribute is a multi-valued attribute that contains the DER-encoded X509v3 certificates issued to the user. Although we rarely need to pay attention to this attribute, there are cases where we have to update it. To make things easier, I've written PowerShell functions to Get, Remove, Import and Export the certificates on that field. To get the list of certificates for an object, use the Get-ActiveDirectoryObjectCertificate function: PS C:\> Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local DistinguishedName  ...
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB26116...
Keep reading