Extracting public and private certs from PFX files

19-12-2023

Using openssl (on WSL / linux):

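# PFX -> PEM (certificate only)
openssl pkcs12 -in filename.pfx -out cert.pem -clcerts -nokeys

# PFX -> PEM (key only, with passphrase) -> PEM (key only, without passphrase)
# -nodes is omitted on the first command: it would write the key unencrypted instead of passphrase-protected
openssl pkcs12 -in filename.pfx -out key_with_passphrase.pem -nocerts
# strip the passphrase; leave out -passin to be prompted rather than keep the passphrase in shell history
openssl rsa -in key_with_passphrase.pem -out key.key -passin pass:passphrase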

Using Portecle:

  • File -> Open Keystore File
    • looks for ks, jks, jceks, p12, pfx, bks, ubr, bcfks, cacerts
    • view details
      • this will show you all certificates in the certificate chain (there are usually three)
        • end-entity cert, intermediate cert, root cert
      • Extensions - this shows metadata (including subject alternative name)
      • PEM Encoding - this shows the certificate string
    • to export public keys (right-click, export)
      • Head Certificate (which is used on servers)
      • PEM Encoded
      • output formats = (X.509 Certificate Files; cer, crt, cert, pem)
    • to export private keys (right-click, export)
      • Private Key and Certificates
      • PEM Encoded (we use PKCS#8 encoding, which is marked by -----BEGIN PRIVATE KEY-----)
      • output formats = (PEM files; pem) - note, this uses PKCS#1 encoding (i.e. -----BEGIN RSA PRIVATE KEY-----, which is slightly outdated)
  • Examine -> Examine Certificate
    • looks for cer, crt, cert, pem, p7b, spc, pkipath
    • this is for public certificates (which can be obtained after converting PFX to PEM)
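
Added example (not part of the original notes): shell checks to run on the files produced by the openssl commands or the Portecle export above. They report whether a key file is PKCS#8 or PKCS#1 and whether it is still passphrase-protected, count the certificates in a chain file, and confirm that the extracted key belongs to the extracted certificate. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.

# Report how the private key in a PEM file is stored.
# PKCS#8 puts "ENCRYPTED" in the header; PKCS#1 keeps the same header and
# adds a "Proc-Type: 4,ENCRYPTED" line when the key is passphrase-protected.
pem_key_kind() {
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -qF -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo pkcs1-encrypted
        else
            echo pkcs1-plain
        fi
    else
        echo no-key
    fi
}

# Count certificates in a PEM file (a full chain usually has three).
pem_cert_count() {
    grep -cF -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if the key in $2 belongs to the (first) certificate in $1,
# by comparing the public key derived from each. Returns 2 if openssl fails.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

After the openssl steps, `pem_key_kind key.key` should report a plain key and `key_matches_cert cert.pem key.key` should succeed; an encrypted key makes openssl prompt for its passphrase.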

Public networks vs internal networks:

  • public services
    • use certs from well-known CAs (Let's Encrypt, DigiCert etc), which are publicly trusted and need to maintain various standards
    • Python comes with a CA bundle containing many certificates from certificate authorities
      • the certifi package has a cacert.pem file with ~145
  • internal services
    • unable to access public CAs, often using self-signed certs

Update certs on Windows server (pampar / IAMLFILIVE):

  • open the Windows menu, open Run, run mmc.exe
  • press File, then press Add/Remove Snap-in...
  • follow the steps outlined in the pictures
    • click Certificates, click Add, click Computer account, click Local computer, click Finish
  • click on Trusted Root Certification Authorities
  • right-click on the panel, select All Tasks, select Import...
  • follow the steps to select the PFX file and import