Combine CRT and KEY Files into a PFX with OpenSSL

Say for example you have a .crt and a .key file which had the private key in it. What if you have to combine the .crt and .key file into a password protected .pfx file so that you can import the certificate and private key onto the servers? That’s what I had to do. I’ve tried to make this entry as no-nonsense as possible, so I put together sample screenshots of what the process looks like.

Example files when starting:

vdi.elgwhoppo.com.crt

vdi.elgwhoppo.com.key

First we need to extract the root CA certificate from the existing .crt file, because we need this later. So open up the .crt and click on the Certification Path tab.

clip_image002

Click the topmost certificate (In this case VeriSign) and hit View Certificate. Select the Details tab and hit Copy to File…

clip_image004

Select Base-64 encoded X.509 (.CER) certificate

clip_image006

Save it as rootca.cer or something similar. Place it in the same folder as the other files.

clip_image008

Rename it from rootca.cer to rootca.crt

Now we should have 3 files in our folder from which we can create a PFX file.

clip_image010

Here is where we need OpenSSL. We can either download and install it on Windows, or simply open terminal on OSX.

Open terminal on OSX and CD to the directory the files are in. For Windows users, copy and paste the above three files into the default OpenSSL install location on Windows: C:\OpenSSL-Win32\bin. Then open a command prompt and change directories to C:\OpenSSL-Win32\bin. From this point the commands are the same.

We can see the three files.

clip_image012

The command syntax for my example is:

openssl pkcs12 -export -out vdi.elgwhoppo.com.pfx -inkey vdi.elgwhoppo.com.key -in vdi.elgwhoppo.com.crt -certfile rootca.crt

clip_image014

If everything was entered correctly, you should be prompted to create a password for the PFX file. Enter a password and confirm it. When finished you should have a working PFX file to import on your Windows boxes either via the MMC or IIS. You will need the password when importing the pfx.

clip_image016

Advertisements
Posted in Uncategorized
5 comments on “Combine CRT and KEY Files into a PFX with OpenSSL
  1. A says:

    Batch file below to help with instructions above on a windows machine.

    @echo off
    REM This will check the common folders where openssl.exe is installed and copy the .exe over to c:\temp
    REM add the “IF Exist” lines as necessary.
    IF EXIST “C:\Program Files (x86)\GnuWin32\bin\openssl.exe” copy “C:\program files (x86)\gnuwin32\bin\openssl.exe” “C:\temp” /y
    cls

    TITLE Disclaimer and Instruction
    echo ## This script will merge a cert file and a key file to create a new PFX file.
    echo ## This scripts automates some steps and instructions mentioned on…..
    echo ## https://elgwhoppo.com/2013/04/18/combine-crt-and-key-files-into-a-pfx-with-openssl/
    echo ## It is assumed by the script that openssl.exe is installed in temp, if its not, then copy it over manually
    pause
    c:
    cd\
    cd temp

    set pfxname=
    Title Please Enter the name of PFX file you would like to create without extension
    set /P pfxname=Please Enter PFX File Name Without Extension: %=%
    cls
    set keyname=
    Title Please Enter the name of existing certificate key file name without extension
    set /P keyname=Please Enter Key File Name Without Extension: %=%
    cls
    set certname=
    Title Please Enter the name of existing certificate file name without extension
    set /P certname=Please Enter Cert File Name Without Extension: %=%
    cls
    set rootcacertname=
    Title Please Enter the name of existing rootca certificate file name without extension
    set /P rootcacertname=Please Enter RootCA Cert File Name Without Extension: %=%
    cls
    openssl pkcs12 -export -out %pfxname%.pfx -inkey %keyname%.key -in %certname%.crt -certfile %rootcacertname%.crt
    cls
    start c:\temp
    TITLE PFX file has been created
    echo PFX file has been created
    pause

  2. ordinarynimda says:

    Great article, precise & concise. Everything (including the setting up of an SSL-enabled web site through IIS’s import PFX wizard) worked like a charm from the first try!

  3. Max says:

    But where do i get a .key file?!? Comodo only sent me a .crt file? God this certificate industry is stupid!

  4. as says:

    fantastic!! in simple language with clear pics many thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Papers
People
Map

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 31 other followers

%d bloggers like this: