How to Convert and Use PKCS#12/PFX Certificate on Apache

When we have multiple servers that need to use the same SSL certificate, such as in a load-balancer environment or with a wildcard SSL certificate, we need to transfer the certificate between the servers. Server-to-server transfer is normally easy when both servers are of the same kind, Linux to Linux or Windows to Windows.

The process becomes a bit harder when going from a Windows server to a Linux server. In that case we need to export the SSL certificate from the Windows server into a .pfx (PKCS#12) file, copy that .pfx file to the Linux server, and convert it into the Apache-compatible format of separate PEM files: the server certificate, the CA bundle and the private key.

This may also be necessary when you switch hosting companies. In this article I will explain the exact process, step by step, for using a .pfx certificate exported from a Windows server on a Linux server running Apache.

Difference between .pfx and .crt file

Before starting with the conversion process, here is a quick description of the difference between a .pfx and a .crt file. A certificate (.crt file) is a container for a public key: it holds the public key, the server name, some extra information about the server, and a signature computed by a certification authority (CA). During the SSL handshake the server sends its certificate, which contains its public key, to the client, usually together with the chain of intermediate CA certificates leading up to a trusted root. A certificate is public and contains no secret.

A .pfx file, on the other hand, is a PKCS#12 archive, a bag that can contain many objects, with optional password protection. Normally a PKCS#12 archive contains a certificate (possibly with its set of CA certificates) together with the corresponding private key. Because of that private key, a .pfx file is a secret and has to be handled as one.

Let's begin with our conversion process now.

Step 1: Transfer the pfx certificate from the Windows server to our Linux Server

First of all, I exported the certificate for my domain puebe.com from the Windows server to a .pfx file, and copied that file from my local system to the folder "/transfered_certificates/" on my Linux server using SCP. Any transfer method that encrypts the session, such as SCP or SFTP, will do; avoid plain FTP or an unencrypted HTTP download with wget, because the .pfx file carries the private key. Delete the copy on any intermediate machine once the extraction below is done.

# ll
-rw-r--r-- 1 root root 5409 Oct 9 10:02 c667cafbf01ffd7310db952e50eaf2b2.pfx

Step 2: Convert the .pfx file using OpenSSL

Our next step is to extract the certificate, the private key and the CA bundle for the domain puebe.com from this .pfx file. The openssl command can do all three. Let's see the commands to extract each piece from the pfx certificate.

  • Extracting the Certificate from the pfx file

We can use this command to extract the certificate details for the domain puebe.com from the pfx file.

# openssl pkcs12 -in c667cafbf01ffd7310db952e50eaf2b2.pfx -clcerts -nokeys -out puebe.com.crt
Enter Import Password:
MAC verified OK

This gives us the domain certificate in puebe.com.crt, in the PEM format that Apache reads. The "MAC verified OK" line is printed by older OpenSSL releases; newer ones stay silent on success. OpenSSL also writes a few "Bag Attributes" lines ahead of the PEM block; Apache ignores them, but you can delete them if you want a clean file.

  • Extracting the Key file from the pfx file

We can use this command to extract the key details for the domain puebe.com from the pfx file.

# openssl pkcs12 -in c667cafbf01ffd7310db952e50eaf2b2.pfx -nocerts -nodes -out puebe.com.key
Enter Import Password:
MAC verified OK

This gives us the private key in puebe.com.key. Because of -nodes the key is written unencrypted (Apache would otherwise prompt for the passphrase on every start), so the file must be readable by root only: chmod 600 it immediately and never leave a copy in a world-readable directory.

  • Extracting the Chain of certificates from the pfx file

We can use this command to extract the chain of certificate details from the pfx file.

# openssl pkcs12 -in c667cafbf01ffd7310db952e50eaf2b2.pfx -out puebe.com-ca.crt -nodes -nokeys -cacerts
Enter Import Password:
MAC verified OK

This gives us the CA chain for puebe.com in puebe.com-ca.crt: the intermediate certificate(s) and, depending on what the Windows export included, the root. If the file comes out empty, the export did not include the chain and you will need to download the intermediates from your CA.

I copied the extracted files to my cert folder "/etc/pki/tls/certs/". The conventional home for the key on Red Hat systems is the root-only "/etc/pki/tls/private/", but you can also leave the files where you extracted them and point the Apache configuration at that path. Wherever it lives, the key file must be owned by root with mode 600; note that the listing below shows the files as extracted, with the key still world-readable (644), which has to be fixed before the key is put to use.

# ll puebe.com*
-rw-r--r-- 1 root root 3689 Oct 9 10:10 puebe.com-ca.crt
-rw-r--r-- 1 root root 1954 Oct 9 10:06 puebe.com.crt
-rw-r--r-- 1 root root 1828 Oct 9 10:07 puebe.com.key
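As an added example (this is not code from the original article), here is the whole of Step 2 as a script: the same three openssl pkcs12 invocations, plus the two checks I would want before touching the Apache configuration, namely that the extracted key really belongs to the extracted certificate and that the certificate verifies against the extracted chain. It also creates the key file with mode 600 from the outset instead of fixing permissions afterwards. The function names are this example's own, and the .pfx it runs against is a throwaway fixture built locally from a self-signed root rather than a Windows export; for real use, pass your own bundle, file name and password to pfx_to_apache.

```shell
#!/bin/sh
# Added example, not from the original article. Splits a PKCS#12 bundle into
# the three PEM files Apache needs, creates the key file with mode 0600 from
# the start, and checks that certificate, key and chain belong together before
# anything is wired into httpd. Function names are this example's own; the
# PFX used by demo() is a locally constructed fixture, not a real export.
set -eu

# pfx_to_apache <bundle.pfx> <name> <password> <outdir>
# Produces <outdir>/<name>.crt, <name>.key (0600) and <name>-ca.crt.
pfx_to_apache() {
    local pfx="$1" name="$2" pass="$3" out="$4"
    mkdir -p "$out"

    # Leaf certificate only (-clcerts). Re-reading it with 'openssl x509'
    # drops the "Bag Attributes" preamble and leaves one clean PEM block.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out/$name.crt"

    # Private key, unencrypted (-nodes) so httpd can start unattended.
    # umask 077 in a subshell makes the file 0600 on creation, so it never
    # exists, even briefly, as world-readable.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
          | openssl pkey -out "$out/$name.key" )

    # CA chain: every certificate in the bag that is not the leaf. awk keeps
    # only the PEM blocks, so the bundle holds nothing but certificates.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -nodes \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        > "$out/$name-ca.crt"
    if [ ! -s "$out/$name-ca.crt" ]; then
        echo "warning: $pfx carries no CA certificates; fetch the intermediates from your CA" >&2
    fi
}

# cert_matches_key <cert.pem> <key.pem>
# Succeeds when the public key inside the certificate is the public half of
# the key file. Comparing the SubjectPublicKeyInfo works for RSA and EC keys
# alike, unlike the classic RSA-only modulus comparison.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# chain_verifies <cert.pem> <ca-bundle.pem>
# Succeeds when the leaf chains up to a certificate in the bundle. For a real
# deployment the bundle usually holds only intermediates, so give the system
# trust store with -CAfile and pass the bundle via -untrusted instead.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pfx <dir> <password>
# Constructed fixture: a throwaway root CA issues a certificate for puebe.com,
# then key, leaf and CA are packed into a PFX the way a Windows export
# ("include all certificates in the certification path") delivers them.
make_demo_pfx() {
    local d="$1" pass="$2"
    mkdir -p "$d"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = Demo Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=puebe.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
        -certfile "$d/ca.crt" -passout "pass:$pass" -out "$d/demo.pfx"
}

# Stand-alone run on the constructed fixture.
demo() {
    local tmp
    tmp=$(mktemp -d)
    make_demo_pfx "$tmp" 'S3cret!'
    pfx_to_apache "$tmp/demo.pfx" puebe.com 'S3cret!' "$tmp/out"
    ls -l "$tmp/out"
    cert_matches_key "$tmp/out/puebe.com.crt" "$tmp/out/puebe.com.key" \
        && echo "key matches certificate"
    chain_verifies "$tmp/out/puebe.com.crt" "$tmp/out/puebe.com-ca.crt" \
        && echo "certificate chains to the extracted bundle"
    rm -rf "$tmp"
}
demo
```

Run it with sh and it prints the three files (the key at 0600) and the two confirmations. One caveat for real exports: a .pfx produced by an older Windows release is often encrypted with RC2-40, which OpenSSL 3 no longer handles by default; if the pkcs12 commands fail with an "unsupported" error there, add the -legacy option to each of them.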

Step 3: Assigning the domain SSL certificate to Apache

After you have converted the .pfx file, edit your Apache configuration to use the extracted files. I created a virtual host for my domain under the /etc/httpd/conf.d/ folder to enable SSL and referenced the extracted files there. Please see my virtual host below:

# cat puebe_ssl.conf
<VirtualHost puebe.com:443>
DocumentRoot "/var/www/html/puebe.com/public_html/"
ServerName www.puebe.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
# SSLv2 and SSLv3 are both broken; leave only the TLS versions enabled.
SSLProtocol all -SSLv2 -SSLv3
# Drop the MEDIUM group (RC4, 3DES) and let the server choose the cipher.
SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/puebe.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/puebe.com.key
SSLCertificateChainFile /etc/pki/tls/certs/puebe.com-ca.crt

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
 SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
 SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

You can modify the names of the files and paths to match your certificate files:
SSLCertificateFile is the primary certificate file for your domain name.
SSLCertificateKeyFile is the extracted private key. Apache reads it as root during startup, so root ownership with mode 600 is sufficient; it must not be readable by the apache user or anyone else.
SSLCertificateChainFile is the intermediate certificate chain file. This directive became obsolete in Apache 2.4.8, where SSLCertificateFile also loads any intermediate certificates appended after the server certificate; on those versions you can concatenate puebe.com.crt and puebe.com-ca.crt (server certificate first) into one file and drop the chain directive.

Just make sure to run a configuration test and restart the Apache service once you're done (on systemd hosts use systemctl restart httpd instead of the service command).

# apachectl configtest
Syntax OK
# service httpd restart

Now you can confirm your domain SSL certificate with any of the SSL checker tools available, which will also tell you whether the intermediate chain is being served correctly, or you can just browse to https://puebe.com/. I verified my SSL installation at https://www.sslshopper.com/ssl-checker.html#hostname=puebe.com

This is how we can easily transfer certificates from a Windows server to a Linux distribution. I hope this article is informative and useful for you. Please post your valuable comments and suggestions.

Saheetha Shameer 2:30 am
