
How to Add Certificate Chains for SSL Certificates pkcs12 (p12, pfx) Using OpenSSL, how to convert them



When it comes to purchasing SSL certificates, there's a common challenge—sometimes, the certificate chain is provided separately from the certificate itself. This separation can lead to compatibility issues, as many systems require the complete certificate chain to establish trust. In this guide, we'll show you how to seamlessly add a certificate chain to your SSL certificate using OpenSSL. Additionally, we'll demonstrate how to extract the certificate and private key from a PKCS12 certificate, making it a comprehensive resource for managing SSL certificates.

Why OpenSSL:

OpenSSL is a versatile tool available on most Linux systems, and there's also a Windows version. It's essential for handling SSL certificates, ensuring they're correctly configured and compatible with various systems.

Step-by-Step Guide: Adding the Certificate Chain

1. Preparation:

  • Copy your SSL certificate to a dedicated folder.
  • Ensure you have OpenSSL installed (typically available by default on Linux).

2. Extracting the Certificate and Private Key:

  • Use the following commands:
openssl pkcs12 -in yourcert.pfx -nocerts -out yourcert.key
openssl pkcs12 -in yourcert.pfx -clcerts -nokeys -out yourcert.crt
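  • You'll be prompted to enter the password of the PFX file. The first command also asks for a PEM pass phrase, which encrypts the exported private key in yourcert.key.
  • Restrict access to yourcert.key so that only its owner can read it, since it holds the private key.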

3. Creating a New Certificate File:

  • Open yourcert.crt in a text editor.
  • Copy everything between '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----', including these lines, to a new file with the .crt extension (e.g., yourcert1.crt). Leave out the "Bag Attributes" lines that OpenSSL writes above the certificate. For example:

-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----

4. Managing the Certificate Chain:

  • Copy the certificate chain that your SSL certificate relies on into the same folder.
  • If you're unsure where to obtain the chain, you can easily extract it from a Windows machine's certificate details.


5. Preparing the Certificate Chain:

  • Convert the chain certificates to the PEM format using these commands:
openssl x509 -in intermediate.cer -out intermediate.pem
openssl x509 -in root.cer -out root.pem
openssl x509 -in yourcert.crt -out yourcert.pem

If your certificate is in DER format, you can convert it to Base64 (PEM) with this command:

openssl x509 -inform der -in root.cer -out root.pem

6. Combining Certificates:

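  • Merge all certificates into a single file, with your certificate first, followed by the intermediate and the root. Using > instead of >> overwrites the file, so running the command again does not append duplicate certificates:
cat yourcert.pem intermediate.pem root.pem > yourcert-chain.pem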

7. Creating a PKCS12 Certificate:

  • Generate a PKCS12 certificate with the following command:
openssl pkcs12 -export -out yourcert-fullchain.p12 -inkey yourcert.key -in yourcert-chain.pem
  • You'll need to set an export password for the new PKCS12 file. If yourcert.key is encrypted, OpenSSL first asks for its pass phrase.

8. Verification:

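  • To ensure success, run the following command (keytool is part of the Java JDK/JRE) to display all certificates in the file:
keytool -list -v -keystore yourcert-fullchain.p12 -storepass [your_password] -storetype PKCS12 | more
  • If you leave out -storepass, keytool prompts for the password instead, which keeps it out of your shell history and the process list.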
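
Steps 6 to 8 as a script, with two checks added before the export: that the private key belongs to the certificate and that the chain actually validates. This is an added example, not part of the original article; it builds a throwaway test hierarchy so it runs offline, and the function names, the demo-* subjects, the P12_PASS variable and its value are assumptions made for the demo.

```sh
#!/bin/sh
# Added example. All names, subjects and the password are constructed for the demo.
set -e

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root intermediate yourcert; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ca.ext" \
    -out "$d/intermediate.pem" 2>/dev/null
  openssl x509 -req -in "$d/yourcert.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
    -out "$d/yourcert.pem" 2>/dev/null
}

# Check the inputs in directory $1, build the bundle and the PKCS12 file,
# and print how many certificates the .p12 contains.
build_fullchain_p12() {
  d=$1
  # The private key must belong to the leaf: compare public-key digests.
  cert_pub=$(openssl x509 -in "$d/yourcert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$d/yourcert.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # The leaf must chain to the root through the intermediate.
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/intermediate.pem" \
    "$d/yourcert.pem" >/dev/null || return 1
  # Leaf first, then intermediate, then root. '>' overwrites on reruns.
  cat "$d/yourcert.pem" "$d/intermediate.pem" "$d/root.pem" > "$d/yourcert-chain.pem"
  # The password is read from the environment, not from the command line.
  openssl pkcs12 -export -out "$d/yourcert-fullchain.p12" -inkey "$d/yourcert.key" \
    -in "$d/yourcert-chain.pem" -passout env:P12_PASS
  openssl pkcs12 -in "$d/yourcert-fullchain.p12" -nokeys -passin env:P12_PASS \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

P12_PASS='constructed-demo-password'; export P12_PASS
workdir=$(mktemp -d)
make_test_pki "$workdir"
cert_count=$(build_fullchain_p12 "$workdir")
echo "certificates in yourcert-fullchain.p12: $cert_count"
```

With your own files, skip make_test_pki, place yourcert.pem, yourcert.key, intermediate.pem and root.pem in one directory, and pass that directory to build_fullchain_p12.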

Conclusion: By following these steps and using OpenSSL, you can easily add a certificate chain to your SSL certificate, resolving compatibility issues and ensuring the trustworthiness of your SSL-protected websites.

Remember: Properly configuring SSL certificates is crucial for maintaining a secure online presence and building trust with your website visitors. With OpenSSL as your trusted companion, you can navigate this process with ease.
