Skip to content

Instantly share code, notes, and snippets.

@mediaupstream
Last active December 4, 2024 17:30
Show Gist options
  • Save mediaupstream/a2694859b1afa59f26be5e8f6fd4806a to your computer and use it in GitHub Desktop.
Save mediaupstream/a2694859b1afa59f26be5e8f6fd4806a to your computer and use it in GitHub Desktop.
extract ca-certs, key, and crt from a pfx file
#!/bin/bash
#
# Usage:
# ./make_certs.sh test.example.com
#
# The required input to make_certs.sh is the path to your pfx file without the .pfx prefix
#
# test.example.com.key
# test.example.com.crt (includes ca-certs)
#
filename=$1
# extract ca-certs
echo "> Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
echo "done!"
echo " "
# extract key
echo "> Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
echo "done!"
echo " "
# extract crt
echo "> Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
echo "> Combining ca-certs with crt file..."
# combine ca-certs and cert files
cat ${filename}-ca.crt ${filename}.crt > ${filename}-full.crt
# remove passphrase from key file
echo "> Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key
# clean up
rm ${filename}-ca.crt
mv ${filename}-full.crt ${filename}.crt
echo "done!"
echo " "
echo "Extraction complete! 🐼"
echo "created files:"
echo " 🔑 ${filename}.key"
echo " 📄 ${filename}.crt"
@mediaupstream
Copy link
Author

you will likely be prompted for the pfx passphrase during this process

@mediaupstream
Copy link
Author

not a lot of error checking happening in here, so this script could be better... but it should work 🗡️

@mediaupstream
Copy link
Author

This will also remove the passphrase from the key (as required by nginx)

@mediaupstream
Copy link
Author

Save this in a file called, for example: make_certs.sh and make the file executable

chmod +x make_certs.sh

then you can run it, example:

./make_certs.sh path/to/pfxfile

@burakEC
Copy link

burakEC commented Apr 25, 2019

Handy script! Thanks.

@attiqmscs004
Copy link

Really handy script. A little modification. Full certificate chain should contain root first and ca-bundle later.

echo "> Combining ca-certs with crt file..."

combine ca-certs and cert files

cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt

@mbomb007
Copy link

mbomb007 commented Jan 3, 2023

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment