Generate pfx cert from private key and certificate .crt files with OpenSSL
PFX is a format that holds both the certificate (public) and the private key.
Sometimes we have the .crt and the private key .pem file, and we have to generate the .pfx file to import into the server, usually a Microsoft product like Azure and IIS.
Combine the certificates into the full chain
If you have a chain (series) of certificates, you need to combine them into one certificate file.
This is very easy: by the RFC specification, you just concatenate the certs.
cat my_domain.crt intermediate.crt root.crt > fullchain.crt
# Real Example from DigiCert
cat my_domain.crt DigiCertCA.crt TrustedRoot.crt > fullchain.crt
How to check the combined cert (chain)
When you open it with KeyChain (Mac) or Certificate (Windows) and click view certificate, you can see the green tick, as in the screenshot below.
Convert .crt to .pem
The OpenSSL command only accepts a .pem file.
After conversion, the series of ---BEGIN... is combined into a single certificate.
openssl x509 -in fullchain.crt -out fullchain.pem -outform PEM
Combine cert and private key into the pfx format
PFX or PKCS12 is the combination of:
- Private key
- Certificates: all certs, including intermediates, as a chain
openssl pkcs12 \
  -inkey privatekey.pem \
  -in fullchain.pem \
  -export -out mycert.pfx
Note that since this contains the private key, you must enter a password, which is then used to import the cert.
Checking the pfx
Run the OpenSSL command with the input file specified by -in:
openssl pkcs12 -in mycert.pfx -info
Now you can see the information.
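Added example, not part of the original tutorial: a script that builds a throwaway chain, runs the export, and counts the certificates that actually end up in the .pfx. `openssl x509` writes only the first certificate it reads, so the script compares a .pfx built from the converted fullchain.pem with one built from the concatenated fullchain.crt directly. The chain subjects, the password and the file name `converted.pfx` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every name, subject and the password below is a constructed test value.
set -eu
PW='constructed-example-password'

# Number of certificates in a PEM file.
count_pem_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Number of certificates inside a PFX ($1 = file, $2 = import password).
count_pfx_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeeds only if the private key in the PFX belongs to its leaf certificate.
pfx_key_matches_cert() {
  cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | openssl pkey -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Issue a test certificate: $1 = file stem, $2 = subject CN, $3 = issuer file stem.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial -days 2 -out "$1.crt" 2>/dev/null
}

# Throwaway root -> intermediate -> leaf chain using the page's file names
# (no CA extensions are set, so it is suitable for these counting checks only).
cd "$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" -keyout root.key -out root.crt 2>/dev/null
issue intermediate "Constructed Intermediate" root
issue my_domain "my-domain.example" intermediate
cp my_domain.key privatekey.pem
cat my_domain.crt intermediate.crt root.crt > fullchain.crt

# The page's conversion step, then the export: only the first certificate survives.
openssl x509 -in fullchain.crt -out fullchain.pem -outform PEM
openssl pkcs12 -export -inkey privatekey.pem -in fullchain.pem -out converted.pfx -passout "pass:$PW"
# The same export fed the concatenated PEM file directly keeps the whole chain.
openssl pkcs12 -export -inkey privatekey.pem -in fullchain.crt -out mycert.pfx -passout "pass:$PW"

echo "fullchain.crt: $(count_pem_certs fullchain.crt) certs, fullchain.pem: $(count_pem_certs fullchain.pem)"
echo "converted.pfx: $(count_pfx_certs converted.pfx "$PW") certs, mycert.pfx: $(count_pfx_certs mycert.pfx "$PW")"
pfx_key_matches_cert mycert.pfx "$PW" && echo "private key matches the leaf certificate"
```

If `count_pfx_certs` reports 1 for a chain of three, the intermediates did not make it into the bundle.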
Here we go, now we can use the pfx to import into the target system, e.g., Azure Application Gateway.
See you next time.
References
This tutorial is equivalent to doing this from the DigiCert site.