Using openssl to manage pkcs12 certs

If you have a Microsoft IIS website or you know someone who does, you should know that IIS uses a pkcs12 format for their certificates and private keys.  These are binary encoded files with .pfx or .p12 extension and have a private key and certs encoded together in the file.  If you are wanting to convert your IIS website to an apache website, you will need to covert these pkcs12 files to the PEM format that apache uses.  Openssl is the tool you need to use for this.

To extract the cert and private key from a pkcs12 file, to be output into a PEM style file.  You will be prompted for the password if a password was used on the input file, and a password to encrypt the private key.  If you don’t want to encrypt the private key, use the -nodes option.

$ openssl pkcs12 -in cert.pfx -out cert.pem

Openssl will extract the cert and private key to stdout by default.  This often enough if you looking to merely copy and paste and ASCII formatted output.

$ openssl pkcs12 -in cert.pfx

To create a pkcs12 style file from your already existing cert and private key.  The pkcs12 format associates a name with contents of the file.  Use the -name option to set the name.  If you are converting your private key and cert from your apache server to the pkcs12 format, it expects the file you import to be in PEM format.  You will be prompted to set a password.

$ sudo openssl pkcs12 -export -out cert.pfx -in server.pem -name "My Cert"

However, you can import private key and web cert separately using the -inkey and -in options.  Use -in to specify the file that contains your cert, and -inkey to specify the file that contains your key.

$ openssl pkcs12 -export -out cert.pfx -inkey server.key -in server.crt -name "My Cert"

Openssl is the most useful and most versatile tool for dealing with crypto issues.  It is your crypto Swiss army knife.  Look for many future posts demonstrating openssl performing other tasks.


Mounting partitions by UUID

Mounting a partition consistently every time can be a problem when dealing with removable media or after adding or removing a partition on your drive.  These type of changes cause the device names to change on reboot as devices are rediscovered and renumbered.  These issues are solved by mounting partitions by UUID rather than by device name.  The UUID will stay the same for the lifetime of the partition.

A useful command to help you find the proper UUID is blkid.

$ sudo blkid
/dev/sda3: UUID="3868B51068B4CDBE" TYPE="ntfs"
/dev/sda5: UUID="65086436-bb2d-477a-ba83-46171f8091fe" TYPE="swap"
/dev/sda6: UUID="0f0b40d3-7bd8-4cee-8f7a-4ab7ee567b4e" TYPE="ext4"
/dev/sda7: UUID="98beaa74-34e5-4cee-94ac-234246d8ef33" TYPE="ext4"
/dev/sda9: UUID="d7ca81a4-6422-4b0b-812d-605679858cd2" TYPE="ext4"

After finding the UUID, add it to your fstab.  For example, to mount /dev/sda3 as /srv/ntfiles add the following line to your /etc/fstab.

UUID=3868B51068B4CDBE /srv/ntfiles    ntfs    defaults    0 0