Monday, July 19, 2021

Generating pfx file with multiple certificates.

One pfx file can have multiple certificates inside it. In order to create such file, the easiest way is to copy paste all the *.crt files into one file so the file content will be similar to this one:

-----BEGIN CERTIFICATE----- MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz 91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2 RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11 GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDDD -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- GGGEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- AAAEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBZZZ -----END CERTIFICATE-----


This is just an example, the certificate section for each certificate will be larger. Let's call such file bundle.crt<\i>. In order to sign it we need a key - key is just a file with a content similar to the *.crt file - some people call it pem files. Generally speaking *.crt, *.pem, *.cert are files that have this same content in this same format, the only difference is just a file extension. To create a pfx file we need an openssl application. You can get the windows binaries from here: ssl binaries. I used the openssl-1.0.2r-x64_86-win64.zip.

To generate pfx I run:
openssl pkcs12 -export -out Private.pfx -inkey C:\cert.key -in C:\bundle.crt

You will need to provide a password for this key and retype it.


If you want to see what is inside pfx you can run:
certutil -dump Private.pfx

certutil is a tool that is by default installed on Windows machine. If you have openssl installed you can run:
openssl pkcs12 -info -in Private.pfx

You need the password in order to run these commands.
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)