Converting a PKCS #12 Certificate

Prerequisites

To convert the exported PKCS #12 file you need the OpenSSL utility, openssl.exe. If the utility is not already available run DemoCA_setup.msi to install the Micro Focus Demo CA utility, which includes the OpenSSL utility. Ensure that you have added the OpenSSL utility to your system PATH environment variable. If you want to install DemoCA, see Installing Micro Focus Demo CA for more information. If you install OpenSSL as part of DemoCA, then the typical installation directory is C:\Program Files (x86)\Micro Focus\DemoCA.

Converting a Certificate

1. Convert the RACF generated PKCS #12 file from base64 to binary. At an Enterprise Developer command prompt, type:

   openssl base64 -d -a -in <PKCS#12file> -out <PKCS#12file.bin>

   Note: Ignore the warning that the openssl config file can not be opened.
2. Validate the output certificate to ensure that it is a valid PKCS #12 format. To perform the validation, type:

   openssl pkcs12 -in <PKCS#12file.bin> -noout

   The following message is displayed:

   Enter Import Password:

3. Type the pass phrase of the certificate. This should have been provided by your system programmer. If the certificate is validated the following message is displayed:

   MAC verified OK

4. To convert the verified PKCS #12 binary certificate to PEM format, type:

   openssl pkcs12 -in <PKCS#12file.bin> -out <PKCS#12file.pem>

   The following message is displayed:

   Enter Import Password:

   Type the pass phrase of the certificate used in the earlier steps.

   You are then prompted to type a new pass phrase for the PEM certificate:

   Enter PEM pass phrase:

   Note: Keep a note of the pass phrase used for the PEM certificate.
5. The content of the PEM certificate must be split into three separate files. Open the PKCS #12 PEM file in a text editor and copy each section of the file into its own file:

   1. The first block is the root certificate, copy the text between and including the begin and end markers:

      -----BEGIN CERTIFICATE-----
      MIICIzCCAYygAwIBAgIBADANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwl6MTE0
      IFJBQ0YwHhcNMTUwNDMwMDQwMDAwWhcNMjAwNTAxMDM1OTU5WjAUMRIwEAYDVQQD
      Ewl6MTE0IFJBQ0YwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM1/erilx5sW
      rLh33cEg2rcG5ParEOl3gGc0DmNNFzzldAFje8hMyTfrONUtOaP071o9MrTNXqYl
      s1XxMi5FTWRdpyaCpVoz/SijfDcZn5yhHS4MnjHJMSIGGmdL6GWRI8b6XOQAb/NT
      49rGUyZ7AEesOcFzP5QJPHUHY7uq35ONAgMBAAGjgYQwgYEwPwYJYIZIAYb4QgEN
      BDIWMEdlbmVyYXRlZCBieSB0aGUgU2VjdXJpdHkgU2VydmVyIGZvciB6L09TIChS
      QUNGKTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR7TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
      iR3ggglnf2gzjIINBnXt0pLsqC0wDQYJKoZIhvcNAQEFBQADgYEAmIxFhG//qowm
      etlJFYgmlSljwJ8ADUHK7vokLTTloSdcqPkkfLwRMINu0EFqrQAwy3JhSB3CqWWI
      j6Dzi4vco87LQ3K7xZz6YswhE+6/JowDIijR7eEXBdNYgn/9RzWyz9/gLrSL/wBO
      9pubetQcKseLbJ5Be/q3Frm7GnLjoYs=
      -----END CERTIFICATE-----
      

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-root-cert.pem.

   2. The second block is the user certificate. Copy the text between and including the second begin and end markers.

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-user-cert.pem.

   3. The third block is the private key. Copy the text between and including the third begin and end markers.

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-user-key.pem.

6. The private key file must be converted from PEM to DER format, at the Enterprise Developer command prompt, type:

   openssl pkcs8 -topk8 -nocrypt -in <servername-user-key.pem> -out <servername-user-key.der> -outform der

   You are then prompted to type a new pass phrase for the PEM certificate:

   Enter pass phrase for servername-user-key.pem:

   You can use a new pass phrase, or you could reuse the original pass phrase supplied with the PKCS #12 file.

   You now have the following three files:

   • servername-root-cert.pem
   • servername-user-cert.pem
   • servername-user-key.der