How can I convert a PFX certificate file for use with Apache on a linux server?
With OpenSSL you can convert pfx to Apache compatible format with next commands:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.ceropenssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key First command extracts public key to domain.cer.
Second command extracts private key to domain.key.
Update your Apache configuration file with:
<VirtualHost 192.168.0.1:443> ... SSLEngine on SSLCertificateFile /path/to/domain.cer SSLCertificateKeyFile /path/to/domain.key ...</VirtualHost>
Additionally to
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.ceropenssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.keyI also generated Certificate Authority (CA) certificate:
openssl pkcs12 -in domain.pfx -out domain-ca.crt -nodes -nokeys -cacertsAnd included it in Apache config file:
<VirtualHost 192.168.0.1:443> ... SSLEngine on SSLCertificateFile /path/to/domain.cer SSLCertificateKeyFile /path/to/domain.key SSLCACertificateFile /path/to/domain-ca.crt ...</VirtualHost>
To get it to work with Apache, we needed one extra step.
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.ceropenssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.keyopenssl rsa -in domain_encrypted.key -out domain.keyThe final command decrypts the key for use with Apache. The domain.key file should look like this:
-----BEGIN RSA PRIVATE KEY-----MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq-----END RSA PRIVATE KEY-----