A lot of platforms use what are called PFX bundles when dealing with SSL certificates. The cool thing about PFX bundles is that they keep everything the SSL connection needs, certificate-wise (private key, server certificate and CA chain), in one tidy file. I recently had the pleasurable experience of having to create about 30 of these bundles, so I will share my thoughts on the best way I found to create a PFX certificate bundle using openssl.
First generate a Key and CSR to use to request your new certificate:
openssl genrsa -des3 -out www.domain.com.key 2048
openssl req -new -key www.domain.com.key -out www.domain.com.csr
Next you need to strip the passphrase from your private key (the -des3 option above encrypted it), so the export step can read it:
openssl rsa -in www.domain.com.key -out www.domain.com.key.pem
Now that you have the CSR generated, go back to your Certificate Authority and request your certificate. Additionally, gather the CA's root and intermediate certificates and cat them all, in order, into one file called www.domain.com-ca.chain:
cat ca.crt > www.domain.com-ca.chain
cat ca-intermediary.crt >> www.domain.com-ca.chain
cat ca-tertiary.crt >> www.domain.com-ca.chain
Here is where the magic happens when you export it all to a PFX Certificate Bundle:
openssl pkcs12 -export -out www.domain.com.pfx -inkey www.domain.com.key.pem -in www.domain.com.cer -certfile www.domain.com-ca.chain
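The same export as above, wrapped in a script that also checks the result: it confirms the leaf certificate inside the PFX is the one you signed and counts the certificates so a forgotten intermediate shows up before you import 30 bundles. This is an added example, not code from the original post; it assumes the openssl CLI is installed, uses a constructed throwaway CA in place of your real one, and all file names and the password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a PFX bundle from a key,
# a leaf certificate and a CA chain, then check that what went in came back out.
# Assumes the openssl CLI is installed; file names and password are placeholders.
set -eu

# build_pfx KEY LEAF_CERT CHAIN OUT_PFX PASSWORD
# Same export as the post, with the export password supplied non-interactively.
build_pfx() {
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout "pass:$5"
}

# cert_fp PEM_CERT -> SHA-256 fingerprint of a certificate file
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pfx_leaf_fp PFX PASSWORD -> fingerprint of the end-entity cert stored in the bundle
pfx_leaf_fp() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# pfx_cert_count PFX PASSWORD -> number of certificates in the bundle (leaf + chain)
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# make_test_chain DIR: constructed throwaway CA and leaf so the example runs offline.
# Stands in for the post's "go back to your CA" step; not for production use.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.domain.com" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
  cat "$1/ca.crt" > "$1/ca.chain"   # one-level chain; append intermediates here
}

# demo: run the whole flow in a temp dir and report whether the bundle checks out
demo() {
  d=$(mktemp -d); pfx="$d/www.domain.com.pfx"
  make_test_chain "$d"
  build_pfx "$d/leaf.key" "$d/leaf.crt" "$d/ca.chain" "$pfx" changeit
  if [ "$(pfx_leaf_fp "$pfx" changeit)" = "$(cert_fp "$d/leaf.crt")" ]; then
    echo "leaf matches; certificates in bundle: $(pfx_cert_count "$pfx" changeit)"
  else
    echo "leaf certificate mismatch" >&2
  fi
  rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh build_pfx.sh demo`; with a real chain file the expected count is the leaf plus every root and intermediate you concatenated.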
Now you can import the pfx file for each internal certificate used into your platform.
Happy PFX’ing!