Posts

How to convert a certificate PFX file to CRT/KEY using openssl

Your PFX certificate file is protected with a password. It can be converted to CRT and KEY files using OpenSSL. Start by extracting the private key:

openssl pkcs12 -in certfile.pfx -nocerts -out keyfile-encrypted.key

When you enter this command, you will be asked to type in the PFX file password in order to extract the key. You will then be asked to enter a passphrase for the encrypted key. The key will be stored in keyfile-encrypted.key.

The exported key file is encrypted, but you might need it in unencrypted form. To decrypt the key, run:

openssl rsa -in keyfile-encrypted.key -out keyfile.key

You will be asked for the passphrase that you entered in the previous step. The unencrypted key will be stored in keyfile.key. Anyone who can read this file can use the key, so restrict its file permissions.

Then it is time to extract the certificate:

openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out certfile.crt

Again, you will need to enter the PFX file password in order to extract the certificate. The certificate will be stored in certfile.crt.

Fix the Heartbleed Bug on Ubuntu

OpenSSL on Ubuntu can be vulnerable to the Heartbleed Bug. Not all versions of OpenSSL are affected though. 

OpenSSL versions 1.0.1 through 1.0.1f are vulnerable.
OpenSSL version 1.0.1g is not vulnerable.
OpenSSL branches 1.0.0 and 0.9.8 are not vulnerable.

To fix this issue on Ubuntu systems: 

Check your OpenSSL version to see if it is vulnerable to the bug:

openssl version

If it says 1.0.1, check the build date, because Ubuntu ships the fix as a patched package build without changing the version string:

openssl version -b

If the build date is earlier than Apr 7 2014, you need to update OpenSSL. Proceed as follows:

sudo apt-get update
sudo apt-get install openssl
sudo apt-get install libssl1.0.0

Now verify that you are running the updated OpenSSL libraries:

openssl version
openssl version -b

The build date should now be Apr 7 2014 or later. Services that were already running keep the old library loaded until they are restarted.
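
The version and build-date check above can be scripted for use across several hosts. The following is an added example, not part of the original post; the function name heartbleed_status and its result labels are hypothetical, and it applies only the rule stated on this page (versions 1.0.1 through 1.0.1f, built before Apr 7 2014).

```sh
#!/bin/sh
# Added example, not from the original post. Function name and result
# labels are hypothetical; the rule is the one stated on this page.

# heartbleed_status "<openssl version output>" "<openssl version -b output>"
# Prints: not-affected | needs-update | patched-build | unknown-build-date
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')   # e.g. 1.0.1e
    ver=${ver%%-*}                                   # drop suffixes such as -fips
    case "$ver" in
        1.0.1|1.0.1[a-f]) ;;                         # range the page lists as vulnerable
        *) echo not-affected; return 0 ;;
    esac

    # Pull month, day and year out of the "built on:" line as YYYYMMDD.
    ymd=$(printf '%s\n' "$2" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
                for (i = 1; i <= 12; i++) mon[n[i]] = i }
        { for (i = 1; i <= NF; i++) {
              if (($i in mon) && !mo) { mo = mon[$i]; d = $(i + 1) + 0 }
              else if ($i ~ /^(19|20)[0-9][0-9]$/) y = $i
          }
          if (y && mo && d) printf "%04d%02d%02d\n", y, mo, d }')

    if [ -z "$ymd" ]; then
        echo unknown-build-date      # e.g. a build that does not record its date
    elif [ "$ymd" -lt 20140407 ]; then
        echo needs-update
    else
        echo patched-build
    fi
}

# Classify the local installation when openssl is present.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)" "$(openssl version -b)"
fi
```

A result of unknown-build-date means the build date could not be read from the output, so the installed package version has to be checked by other means.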

Now you need to regenerate your SSL certificates, as they might have been compromised. A guide can be found here: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04