Using SSL - Client has provided a PFX file

N00b question here…

I need to enable SSL on a customer’s gateway. They’ve pointed me to a personal certificate in the Windows Certificate Manager and I can export a PFX file that contains the private key. I can export any of these (including the greyed out option):
Cert Manager:

Export options:
[image]

But from these options, I don’t get what the first part of the certificate wizard in Ignition is asking for:
[image]

I’ve found that I might be able to extract this using OpenSSL (/source/index.html), however the site only provides the unbuilt application. Should I even trust this?

Any ideas? Do I need to build the OpenSSL app, or is there a built version somewhere, or am I on the wrong path?

I managed to figure it out… If anyone has any comments on the below, please feel free to let me know!

  1. Export a “pfx” file from the Windows Computer Certificates manager that includes the private key. Uncheck all options e.g. uncheck include all certs in cert path, don’t delete private key, etc.
    Set a password but don’t enable group or usernames.
    If you don’t have the option to export a private key, then you need to get a certificate from your customer that does.

  2. Using the PFX, create a PEM file using OpenSSL
    (https://docs.citrix.com/en-us/citrix-gateway/current-release/install-citrix-gateway/certificate-management-on-citrix-gateway/convert-pfx-certificate-to-pem.html#openssl-utility)
    3/4 way down under “OpenSSL Utility” steps 1-5 which should produce the PEM file.
    I used the openssl.exe included as part of installed git.

  3. Export a “cer” file from the WCCM that doesn’t include the private key.

  4. Obtain the certificate chain PEM file from the customer. Open it in notepad and copy the very last certificate in the file for reference later.

Then using the files from steps 1-3, drag the files produced from these steps into the corresponding steps in the Ignition gateway web server Certificate Wizard. For step 3, paste the certificate using the Manual button within the step.


I was also able to do the same process with a .pfx file and OpenSSL using this:

# Extract the CA certificates
  openssl pkcs12 -in "${filename}.pfx" -nodes -nokeys -cacerts -out "${filename}-ca.crt"

# Extract the private key (without -nodes, openssl prompts for a passphrase to encrypt the key file)
  openssl pkcs12 -in "${filename}.pfx" -nocerts -out "${filename}.key"

# Extract the client (leaf) certificate
  openssl pkcs12 -in "${filename}.pfx" -clcerts -nokeys -out "${filename}.crt"

For the last CA-bundle step I opened the ca-certs in Notepad and manually entered the last certificate from Notepad. Then Ignition prompted me to add a ca-certificate again (the first one was changed to intermediate), then I just copy-pasted the certificate above the one I had just entered.

This worked!
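
The split step both posts describe, plus a check that the extracted key and certificate actually belong together before they are uploaded, as an added example (not code from the thread). The function names, output file names and the `PFX_PASS` environment variable are assumptions; the private key is written unencrypted with owner-only permissions.

```shell
# Added example: split a PFX non-interactively and sanity-check the pieces.
# Assumption: the PFX password is exported as PFX_PASS, so it never appears
# on the command line or in shell history.

# split_pfx <file.pfx> <outdir>: writes server.key, server.crt, ca-chain.crt
split_pfx() {
    local pfx=$1 out=$2
    mkdir -p "$out" || return 1
    (
        umask 077   # key file must not be readable by other users
        # -nodes writes the key unencrypted; protect or delete it after upload
        openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
            -out "$out/server.key"
    ) || return 1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$out/server.crt" || return 1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
        -out "$out/ca-chain.crt" || return 1
}

# key_matches_cert <key> <crt>: succeeds only if both hold the same public key
key_matches_cert() {
    local from_key from_crt
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# count_certs <pem>: number of certificates in a PEM file. ca-chain.crt holds
# 0 when the PFX was exported without the certification path, in which case
# the chain has to come from the CA or the customer separately.
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}
```

Typical use is `export PFX_PASS=...; split_pfx gateway.pfx out && key_matches_cert out/server.key out/server.crt`, then `count_certs out/ca-chain.crt` to see whether the chain was included in the export.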