sslsd-logo

How to Convert an SSL Server Certificate from Apache to PKCS12/PFX

Depending on your network you may have to move your SSL/TLS server certificate and its private key from one system to another. This article covers how to move your SSL certificate, its private key, and its intermediate CA from Apache to pfx also known as a pkcs#12 file. This will require a conversion using OpenSSL that is on the Apache System.

Apache systems are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions.

We will start by assuming that you have already successfully installed the SSL certificate on the Apache web server.

To move your certificate keypair from Apache to PFX perform the following:

Step 1: Finding your SSL Certificate, its Private key, and Intermediate CA file on Apache:

  1. Referencing the httpd.conf or ssl.conf  file on the Apache system look for the location and directories of the three files necessary on the Apache system that has the installed SSL certificate.
    • SSLCertificateFile /usr/local/ssl/crt/public.crt
      SSLCertificateFile tells Apache how to find the the SSL certificate file.
    • SSLCertificateKeyFile /usr/local/ssl/private/private.key
      SSLCertificateKeyFile tells Apache how to find the private key file.
    • SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
      SSLCertificateChainFile or SSLCACertificateFile tells Apache the location of the Intermediate file.

      apache
  2. Once you have found the location of these files you can either move them to a single location somewhere in your drive or leave them in their current location and specify their locations in the command line when converting.
  3. Convert the Apache certificate your sever certiifcate, its private key and chain intermediate files into a single PFX/PKCS#12 by performing the following OpenSSL command – change the file paths as appropriate if needed:
    Note: In this example public.crt would be your SSL Server Certficiate, private.key would be your Private Key, intermediate.crt would be the intermediate ca chain file, and certificate.pfx would be your new converted pkcs12 ssl certificate file.

    openssl pkcs12 -export -in /path/to/public.crt -inkey /path/to/private.key -certfile /path/to/intermediate.crt -out certificate.pfx
    

    Another Example:

    opessl pkcs12 -export -out certificate.pfx -inkey private.key -in public.crt -certfile intermediate.crt
    
  4. The end result is that you will have a pfx file named certificate.pfx

Congrats you have converted your SSL certificate from Apache to a pfx/pkcs#12.

Note: That pfx files are used heavily in Microsoft environments. If you are having difficulties converting a Server Certificate from Apache to pfx or are having trust issues after conversion of the Apache environment to .pfx, you may want to consider generating the certificate keypair in the natural environment used by pfx files. Use a Microsoft IIS system > Generate the keypair /Generate CSR > perform a reissue or get a certificate from your CA > perform installation of server certificate > export certificate as pfx file from that IIS system.

Recent Posts

S/MIME for Outlook O365 Windows

Add to Favorites S/MIME Advantages of S/MIME Certificates S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates offer several advantages when it comes to securing email communications. Here

Read More »

Abbreviations

Add to Favorites There are literally thousands of IT abbreviations out there. Many are concerned with the technical aspects of the computer, while others deal

Read More »

SSL Installation on Qmail

Add to Favorites SSL Installation on Qmail Qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts.

Read More »