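#!/bin/bash
# Author: Michael Lefkovits
# Date: 23.5.18
# This script extracts the client certificate and private key, as well as the entire certificate chain, from a .pfx file.
# The script prompts the user for the pfx password once and hands it to openssl through the
# environment (-passin env:...), so it never appears on a command line / in `ps` output.
# Disclaimers:
# 1. Developed and tested on Ubuntu 16.04 server.
# 2. Requires 'openssl' installed on the server.
# 3. The password is deliberately not accepted as an argument: an inline argument is shown in the process list.
# Arguments:
# 1st arg - relative path to the .pfx file
# Output:
# .key file - contains the private key, unencrypted (-nodes); created with mode 0600
# .crt file - contains client certificate
# intermediate.crt - contains intermediate and root certificates (may be empty if the .pfx carries none)
# .chained.crt - contains the entire certificate chain. This is the final crt file used along with .key on the web server.
# Exit status: 0 on success; 1 on usage error, missing openssl, unreadable input,
#              empty key/cert output, or if the key does not match the certificate.
set -euo pipefail

# Print an error to stderr and exit non-zero so callers/CI notice the failure.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Argument and environment checks
(( $# == 1 )) || die "usage: ${0##*/} <file.pfx>"
command -v openssl >/dev/null 2>&1 || die "openssl is not installed"

# Variable Assignment
PFXFILE=$1
[[ -r "$PFXFILE" ]] || die "cannot read pfx file: $PFXFILE"
CERTNAME=$(basename -- "$PFXFILE" .pfx)

# Read the password once (silently) instead of letting each openssl call prompt for it.
read -rsp 'Enter pfx password: ' PFX_PASS
printf '\n'
export PFX_PASS

# Extract private key from pfx.
# The key is written unencrypted, so it is created inside a subshell with umask 077
# (mode 0600) while the certificate files keep the caller's normal umask.
# The sed range accepts both "PRIVATE KEY" (PKCS#8) and "RSA PRIVATE KEY" headers.
(
  umask 077
  openssl pkcs12 -in "$PFXFILE" -passin env:PFX_PASS -nocerts -nodes \
    | sed -ne '/-BEGIN .*PRIVATE KEY-/,/-END .*PRIVATE KEY-/p' > "$CERTNAME.key"
)
[[ -s "$CERTNAME.key" ]] || die "no private key found in $PFXFILE"

# Extract client certificate from pfx
openssl pkcs12 -in "$PFXFILE" -passin env:PFX_PASS -clcerts -nokeys \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$CERTNAME.crt"
[[ -s "$CERTNAME.crt" ]] || die "no client certificate found in $PFXFILE"

# Extract root and intermediate certificates from pfx (certificate chain)
openssl pkcs12 -in "$PFXFILE" -passin env:PFX_PASS -cacerts -nokeys -chain \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > intermediate.crt

# The password is no longer needed; drop it from the environment.
unset PFX_PASS

# Check that crt and key belong together by comparing the public key each one carries.
# Comparing the public key (rather than the RSA modulus) also works for non-RSA keys.
echo '=== Print sha256 checksum of crt and key public keys to verify validity. Must match ! ==='
crt_fp=$(openssl x509 -noout -pubkey -in "$CERTNAME.crt" | openssl sha256)
key_fp=$(openssl pkey -pubout -in "$CERTNAME.key" | openssl sha256)
printf '%s\n%s\n' "$crt_fp" "$key_fp"
echo '=========================================================================='
[[ "$crt_fp" == "$key_fp" ]] || die "private key does not match certificate $CERTNAME.crt"

# Bundle client and intermediate.crt to final crt file
cat -- "$CERTNAME.crt" intermediate.crt > "$CERTNAME.chained.crt"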