Version: 1.1.6

Export certificate from Windows to .pfx format

Step 1: View certificate information using mmc.exe

Please use the machine where the certificate is installed.
Right click on Start, choose Run, type mmc.exe and hit Enter
From Console Root – click on File and then on Add/Remove Snapin…
Select the Certificates from the list and click on Add
If you are not sure if the certificate is under the user or computer account, you can add them both.
Click ok to load the interface.
Locate the certificate that you want to use, usually present under the Personal – Certificates folder

View of program mmc.exe

To view more information about the certificate, please double click the name to open the certificate information.

Example of certificate info

From the General tab we can see that the certificate has the private key associated with it and is able to validate anything.comodoservices.com but will not be able to validate comodoservices.com

To confirm we can go to the Details tab Subject Alternative Name section

Subject Alternative Name

In this section we can see two entries.
The first entry will validate anything.comodoservices.com and the second entry will validate the main domain comodoservices.com.
If you are using a multidomain certificate, in this section you will be able to see all the FQDN’s/IP’s that the certificate is able to cover.
In our case this wildcard certificate will suit our needs.

From the Certificate Path tab, we can view the certificate chain and confirm that the certificate – End Entity Certificate is able to link to a trusted root certificate using one or two intermediate certificates.
Please review the bellow print screen.
(In this case we have only one intermediate certificate)

Certificates


Step 2: Export the certificate to .pfx format

From the Certificates windows, right click on the certificate name – All Tasks – Export…

Getting certificates info in program mmc.exe

Click Next

Certificate Export Wizard

Please choose “Yes, export the private key” and click Next

Export the private key

Please choose “Include all certificates in the certification path if possible” and click Next This option will include the certificate chain.

Option with including the certificate chain

Provide a password and click Next

Providing a password

Please provide a name, choose where to save it and click Next

Providing name

The last step is to click on Finish to export the certificate to a .pfx file

Finishing export the certificate to a .pfx file

Options to prepare Endpoint Manager (ITSM) server and Tigase certificates using openssl

You have 2 options available to extract the certificates that you will be using on Endpoint Manager (ITSM) server and Tigase server:

  1. Option 1: Use the script scriptpfx.sh to create cert.crt, cert.key and in this case comodoservices.com.pem
  2. Option 2: Manually create cert.crt, cert.key and comodoservices.com.pem from a .pfx file

Option 1: Use the script scriptpfx.sh to create cert.crt, cert.key and in this case comodoservices.com.pem

Create a folder on the itsm or tigase server using for example FileZilla.
Copy the .pfx file to the folder.
Create file scriptpfx.sh in the created folder (near .pfx file) with following content:

#!/bin/bash
openssl pkcs12 -in $1 -nocerts -nodes -passin pass:$2 | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > clientcert.key
openssl pkcs12 -in $1 -clcerts -nokeys -passin pass:$2 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clientcert.crt
openssl pkcs12 -in $1 -cacerts -nokeys -chain -passin pass:$2 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.crt
a="$(openssl crl2pkcs7 -nocrl -certfile cacerts.crt | openssl pkcs7 -print_certs -text -noout | sed -n 's/^.*CN=//p' | sed -n 1p)"
b="$(openssl crl2pkcs7 -nocrl -certfile cacerts.crt | openssl pkcs7 -print_certs -text -noout | sed -n 's/^.*CN=//p' | sed -n 2p)"
if [ "$a" == "$b" ]; then
	cabundle="$(cat cacerts.crt | wc -l)"
	if [ "$cabundle" -gt 1 ]; then
		cat cacerts.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > rootca.crt
		cat cacerts.crt > intermediatefile.crt
		nr="$(cat rootca.crt | wc -l)"
		sed -i 1,"${nr}"d intermediatefile.crt
		cat rootca.crt > newcertificatechain.crt
		cabundle1="$(cat intermediatefile.crt | wc -l)"
		if [ "$cabundle1" -gt 1 ]; then
			cat intermediatefile.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > intermediate1.crt
			cat intermediate1.crt >> newcertificatechain.crt
			nr1="$(cat intermediate1.crt | wc -l)"
			sed -i 1,"${nr1}"d intermediatefile.crt
			cabundle2="$(cat intermediatefile.crt | wc -l)"
			if [ "$cabundle1" -gt 1 ]; then
				cat intermediatefile.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > intermediate2.crt
				cat intermediate2.crt intermediate1.crt rootca.crt > newcertificatechain.crt
				rm intermediate2.crt
				rm intermediate1.crt
				rm rootca.crt
				rm intermediatefile.crt
			else
				cat intermediate1.crt rootca.crt > newcertificatechain.crt
				rm intermediate1.crt
				rm rootca.crt
				rm intermediatefile.crt
			fi
		else
			cat rootca.crt > newcertificatechain.crt
			rm rootca.crt
			rm intermediatefile.crt
		fi
		cat clientcert.key > cert.key
		cat clientcert.crt newcertificatechain.crt > cert.crt
		cat clientcert.key clientcert.crt newcertificatechain.crt > $3
		rm clientcert.key
		rm clientcert.crt
		rm cacerts.crt
		rm newcertificatechain.crt
	else
		echo The certificate chain is not included in the $1.
		echo Please create again the $1 and include the certificate chain.
	fi
else
	cat clientcert.key > cert.key
	cat clientcert.crt newcertificatechain.crt > cert.crt
	cat clientcert.key clientcert.crt cacerts.crt > $3
	rm clientcert.key
	rm clientcert.crt
	rm cacerts.crt
fi

  1. Run chmod +x scriptpfxtest.sh to make the file executable
  2. Run ./scriptpfxtest.sh test.pfx 1234 comodoservices.com.pem to generate cert.crt, cert.key and comodoservices.com.pem
    Format to use the command:
    ./scriptpfxtest.sh Parameter1 Parameter2 Parameter3
    Where:
    • Parameter1: test.pfx – is the name of the .pfx file
    • Parameter2: 1234 – is the password for the .pfx file
    • Parameter3: comodoservices.com.pem – is the FQDN.pem that you want to use

Example of running script scriptpfx.sh

The script execution will create:

  • cert.key
  • cert.crt
  • comodoservices.com.pem

To confirm that the files are generated correctly you can use the following commands:

openssl crl2pkcs7 -nocrl -certfile cert.crt | openssl pkcs7 -print_certs -text -noout | sed -n 's/^.*CN=//p'

This will confirm if the certificate chain is in the correct order from top to bottom.

Example of right order of certificates for Endpoint Manager server

You can use the same command on the tigase certificate.(Example: comodoservices.com.pem) The difference between Endpoint Manager (ITSM) certificate and tigase certificate is that the tigase certificate will have on top the private key.
To verify this, we can use the following command:
cat comodoservices.com.pem | sed -n 1p

Cut first block of file

We can verify the private key using this command:
openssl rsa -in cert.key -check

Verify the private key

To confirm that the private key is associated with the certificate we can use the following command:
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5

By receiving the same number, we confirm that private key is associated with the certificate

Verify the private keyis associated with the certificate

Option 2: Manually create cert.crt, cert.key and comodoservices.com.pem from a .pfx file

Copy the .pfx file on a folder on Endpoint Manager (ITSM) or Tigase server using for example FileZilla

To create cert.key please run this command:
openssl pkcs12 -in test.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > cert.key

To extract only the certificate run this command:
openssl pkcs12 -in test.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clientcert.crt

To extract the certificate chain, use this command:
openssl pkcs12 -in test.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.crt

To confirm that the cacerts.crt has the correct order, please run this command:
openssl crl2pkcs7 -nocrl -certfile cacerts.crt | openssl pkcs7 -print_certs -text -noout | sed -n 's/^.*CN=//p'

If the certificate chain is as order, bottom to top instead of top to bottom you can use script to reverse the order
Create file scriptorder.sh (in the folder near .pfx file) with following content:

#!/bin/bash
cabundle="$(cat $1 | wc -l)"
if [ "$cabundle" -gt 1 ]; then
	cat $1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > rootca.crt
	cat $1 > intermediatefile.crt
	nr="$(cat rootca.crt | wc -l)"
	sed -i 1,"${nr}"d intermediatefile.crt
	cat rootca.crt > newcertificatechain.crt
	cabundle1="$(cat intermediatefile.crt | wc -l)"
	if [ "$cabundle1" -gt 1 ]; then
		cat intermediatefile.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > intermediate1.crt
		cat intermediate1.crt >> newcertificatechain.crt
		nr1="$(cat intermediate1.crt | wc -l)"
		sed -i 1,"${nr1}"d intermediatefile.crt
		cabundle2="$(cat intermediatefile.crt | wc -l)"
		if [ "$cabundle1" -gt 1 ]; then
			cat intermediatefile.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > intermediate2.crt
			cat intermediate2.crt intermediate1.crt rootca.crt > newcertificatechain.crt
			rm intermediate2.crt
			rm intermediate1.crt
			rm rootca.crt
			rm intermediatefile.crt
		else
			cat intermediate1.crt rootca.crt > newcertificatechain.crt
			rm intermediate1.crt
			rm rootca.crt
			rm intermediatefile.crt
		fi
	else
		cat rootca.crt > newcertificatechain.crt
		rm rootca.crt
		rm intermediatefile.crt
	fi
else
	echo The file is empty.
	echo Lines = $cabundle
fi
  1. Run the script. To make the script executable use this command:
    chmod +x scriptorder.sh
  2. Once the script is executable, we can run it providing the cacerts.crt as parameter:
    ./scriptorder.sh cacerts.crt
    See Example below.

Manually executing

If you don’t want to use the script, you can use the following commands to extract the certificates in order:

  • This command will extract the first certificate from the file, in our case the root:
    cat cacerts.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p; /-END CERTIFICATE-/q' > rootca.crt
  • The second command will delete the certificate from the cacerts.crt to be able to extract the second certificate available
    nr="$(cat rootca.crt | wc -l)";sed -i 1,"${nr}"d cacerts.crt

You can use these three commands to extract your certificate chain and after that you can use cat to concatenate them in the correct order.

Example to create comodoservices.com.pem:
cat cert.key clientcert.crt intermediate.crt root.crt > comodoservices.com.pem

Example to create cert.crt:
cat clientcert.crt intermediate.crt root.crt > cert.crt

To confirm that the certificate files have been created/extracted correctly, you can use the options from Option 1 to verify them.