extract ca-certs, key, and crt from a pfx file

make_certs.sh

#!/bin/bash

#
# Usage:
# ./make_certs.sh test.example.com
# 
# The required input to make_certs.sh is the path to your pfx file without the .pfx prefix
# 
# test.example.com.key
# test.example.com.crt (includes ca-certs)
#

filename=$1

# extract ca-certs
echo "> Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
echo "done!"
echo " "

# extract key
echo "> Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
echo "done!"
echo " "

# extract crt
echo "> Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt

echo "> Combining ca-certs with crt file..."
# combine ca-certs and cert files
cat ${filename}-ca.crt ${filename}.crt > ${filename}-full.crt

# remove passphrase from key file
echo "> Removing passphrase from keyfile"

openssl rsa -in ${filename}.key -out ${filename}.key

# clean up
rm ${filename}-ca.crt
mv ${filename}-full.crt ${filename}.crt

echo "done!"
echo " "
echo "Extraction complete! 🐼"
echo "created files:"
echo " 🔑  ${filename}.key"
echo " 📄  ${filename}.crt"

you will likely be prompted for the pfx passphrase during this process

not a lot of error checking happening in here, so this script could be better... but it should work 🗡️

This will also remove the passphrase from the key (as required by nginx)

Save this in a file called, for example: make_certs.sh and make the file executable

chmod +x make_certs.sh

then you can run it, example:

./make_certs.sh path/to/pfxfile

Handy script! Thanks.

Really handy script. A little modification. Full certificate chain should contain root first and ca-bundle later.

echo "> Combining ca-certs with crt file..."

combine ca-certs and cert files

cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt

I found a better version: https://gist.github.com/whereisaaron/21e9caf02f97143bb338ec4f6f7f5aec