Thursday, September 15, 2016
by Brian Hooper
Sometimes there are cases when you have a separate private key and certificate pair (perhaps with an intermediate certificate or two) that need to be combined into a single file. This merge can be performed on the command line using OpenSSL.
The OpenSSL pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed.
openssl pkcs12 -export -in myCertificate.pem -inkey myPrivate.key -out myNewPFX.pfx # OPTIONS EXPLAINED # -in <filename> # specifies filename of the PKCS#12 file to be parsed. # -inkey <filename> # Specifies the file to read the private key from. # If not present then a private key must be present in the input file. # -out <filename> # Specifies the filename to write certificates and private keys to. # They are PEM format by default. # Although there are a large number of options most of them are very rarely used. # See the Man Page for more.
Let’s say you ever need to test an external facing REST API over HTTPS that is secured via a Client SSL Certificates… you know, just to validate a renewed Client SSL Certificate before you ship it over to the client. ;)
The cURL command below will allow you to use your new .pfx file to authenticate and resolve the service via Public IP. Simply change out the <parameters> for your test.
curl -H "Content-Type: application/json" -X GET -v --cert "<myNew.pfx:pa55word>" <https://rest.api.com/12345> --resolve <rest.api.com>:443:<ipaddress> --tlsv1.2 # Note: When you create the PFX you will be prompted to create a password. # In this example our password is 'pa55word'