As touched on in a previous post, I would like to expand on working with TLS/SSL certificates.
When securing the Command Center sometimes I am provided with a .pfx file. This is a binary file that is typically used in Windows. It contains the private key and the entire certificate chain. It can’t be used with Apache, however, so it isn’t natively useful. Below are some commands to make it useful.
To extract the private key and import it into the keystore run the following command on the Command Center server. This will create the jks file to reference in Apache as well as import the keystore.
keytool -importkeystore -srckeystore D:\Certs\myPfxFile.pfx -srcstoretype pkcs12 -destkeystore C:\CVInstall\keys\myNewJKSFile.jks -deststoretype jks
Next it will be necessary to convert the cert chain into the text (PEM) format that Apache can use. You can run the following command.
openssl pkcs12 -in MyBinaryCertChainFile.pfx -nokeys -out MyNewNonBinaryCertChainFile.crt
Open the CRT file just created and there will be three certificates included. Copy the first certificate at the top of the file, including the -----BEGIN CERTIFICATE----- line, everything in between, and the -----END CERTIFICATE----- line. Repeat for all three cert entries and create three files. The top cert is the Tomcat (server) cert, the middle is the intermediate cert, and the bottom is the root cert. You can now import the certs.
The command below can be used to verify that the Subject Alternative Name (SAN) field is populated correctly. Note that openssl x509 only reads the first certificate in a file, so run against the combined CRT it reports the SAN of the server cert at the top, which is the one that matters.
openssl x509 -noout -text -in MyNewNonBinaryCertChainFile.crt | grep DNS:
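As an added example (not from the original post), the shell functions below automate the copy-and-paste step above: they split the PEM file that openssl pkcs12 wrote into one file per certificate, in the order described (1 = server/Tomcat, 2 = intermediate, 3 = root), drop the Bag Attributes lines openssl inserts between the blocks, and check the SAN on the split server cert. They assume a POSIX shell with awk (for example Git Bash or WSL on the Command Center server); file and directory names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX sh with awk.

# split_chain BUNDLE OUTDIR
# Writes OUTDIR/cert1.crt, cert2.crt, ... (one per certificate, in file
# order) and prints how many certificates were found. Lines outside the
# BEGIN/END markers (Bag Attributes, subject=, issuer=) are discarded so
# each output file is a clean PEM certificate.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".crt" }
        n > 0 && out != ""            { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# san_of CERTFILE
# Prints the DNS entries of the Subject Alternative Name. Run it on the
# split server certificate (cert1.crt): openssl x509 reads only the first
# certificate in whatever file it is given.
san_of() {
    openssl x509 -noout -text -in "$1" | grep 'DNS:'
}

# make_sample_bundle PATH
# Constructed sample shaped like "openssl pkcs12 -nokeys" output, used to
# exercise split_chain offline. The bodies are placeholders, not real
# certificates, so san_of will not work on them.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: commandcenter
subject=CN=commandcenter.example.com
-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERT
-----END CERTIFICATE-----
Bag Attributes
subject=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERT
-----END CERTIFICATE-----
Bag Attributes
subject=CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERT
-----END CERTIFICATE-----
EOF
}
```

On a real chain, run `split_chain MyNewNonBinaryCertChainFile.crt certs` and then `san_of certs/cert1.crt` to confirm the server name before importing.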