🔒 Certificate conversion with openssl and private key recovery

Also certificate signing requests and certificate export

I bought a wildcard certificate for use with multiple servers and subdomains. The CA delivered it as a PKCS#7 certificate bundle (p7b), which holds the certificate and its chain but never a private key. I needed it in other formats, with and without a separate key file (pem, pfx and crt).

All of this happened on a Windows 10 machine.

The private key only ever exists on the machine that created the certificate signing request (csr). The CA never sees it, which is why every format that includes the key has to be produced on that machine.

To create the request I used certreq on Windows with this inf file:

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=*.example.com,O=Example Company,OU=IT,ST=Schleswig-Holstein,L=Town,C=DE"
KeyLength =  4096
KeySpec = AT_KEYEXCHANGE
Exportable = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
KeyUsage = 0xa0
Silent = True
FriendlyName = "Example Company Certificate 2022"

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

[Extensions]

2.5.29.17 = "{text}"
_continue_ = "dns=example.com&"

;-----------------------------------------------

OID=1.3.6.1.5.5.7.3.1, by the way, is the extended key usage {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) serverAuth(1)}, i.e. TLS server authentication.
2.5.29.17 is {joint-iso-itu-t(2) ds(5) certificateExtension(29) subjectAltName(17)}, the subject alternative name extension. TLS clients match the host name against the SAN entries and ignore the CN, so a wildcard certificate also needs dns=*.example.com& in that list, not only dns=example.com&. Many CAs fill the SAN from the order rather than from the request, so check the issued certificate for both names either way.

certreq.exe -new request.inf csr256.req
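Before csr256.req goes to the CA it is worth decoding it and checking that it asks for what the inf intended: the wildcard name in the SAN list, a 4096-bit key, serverAuth and the TLS key usage bits. The script below is an added example, not part of the original post and not part of certreq; it builds a constructed stand-in request with openssl so that it runs offline, then applies the same checks one would run on the real csr256.req. It assumes OpenSSL 1.1.1 or newer and a PEM request file, which is what certreq writes (openssl req accepts the NEW CERTIFICATE REQUEST header certreq uses). The file names and the check functions are the example's own.

```shell
# Added example, not from the original post: decode a PKCS#10 request and
# check it before it goes to the CA. Assumptions: OpenSSL 1.1.1 or newer on
# PATH; the request is PEM, as certreq writes it (openssl req also accepts
# the "NEW CERTIFICATE REQUEST" header certreq uses).
set -eu

# Constructed stand-in for csr256.req so the script runs offline. It asks
# for what request.inf asks for: RSA-4096, SHA-256, serverAuth, TLS key
# usage, plus a SAN list that also carries the wildcard name.
make_sample_csr() {
  req=$1
  cnf="${req%.req}.cnf"
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = ext' \
    '[dn]' 'CN = *.example.com' 'O = Example Company' 'OU = IT' \
    'ST = Schleswig-Holstein' 'L = Town' 'C = DE' \
    '[ext]' 'subjectAltName = DNS:*.example.com,DNS:example.com' \
    'extendedKeyUsage = serverAuth' \
    'keyUsage = critical,digitalSignature,keyEncipherment' > "$cnf"
  openssl req -new -config "$cnf" -newkey rsa:4096 -nodes -sha256 \
    -keyout "${req%.req}.key" -out "$req" 2>/dev/null
}

# Human-readable dump; the OIDs from the inf appear under their names.
csr_text() { openssl req -in "$1" -noout -text; }

# Key size in bits (the label differs slightly between 1.1.1 and 3.x output).
csr_key_bits() {
  csr_text "$1" | sed -n -E 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p' | head -n 1
}

# Is NAME an entry of the SAN list? Clients match on SAN only, so the
# wildcard has to be here, not just in the CN.
csr_has_san() {
  csr_text "$1" | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# serverAuth EKU and the key usage bits a TLS server needs (0xa0 in the inf).
csr_has_server_eku() { csr_text "$1" | grep -q 'TLS Web Server Authentication'; }
csr_has_tls_key_usage() {
  csr_text "$1" | grep -A1 'Key Usage: critical' | grep -q 'Digital Signature, Key Encipherment'
}

# The request is self-signed with the new key; a failure means the file
# was altered or belongs to a different key.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

main() {
  work=$(mktemp -d)
  make_sample_csr "$work/csr256.req"
  csr_text "$work/csr256.req"
  echo "key bits: $(csr_key_bits "$work/csr256.req")"
  csr_has_san "$work/csr256.req" '*.example.com' && echo 'wildcard SAN present'
  csr_signature_ok "$work/csr256.req" && echo 'signature OK'
}
main
```

On Windows the same functions work from Git Bash or WSL; point them at the real csr256.req instead of the constructed one. A request that fails csr_has_san for the wildcard name is the one to fix before paying for the certificate.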

I installed the certificate I received from my CA on the machine that has the private key, the one that created the csr, into the Local Computer store (the request was made with MachineKeySet = True; certreq -accept does the installation from the command line, the Certificates snap-in in the Microsoft Management Console works too). From there I was able to export the certificate as a pfx (Personal Information Exchange) with the certificate management in mmc. The export was done including the private key, which the other machines need; this only works because the request set Exportable = True. This is also the step where the password for the key in the pfx is chosen: pick a strong one and treat the pfx file like the key itself, because whoever has both has the key. Where the export wizard offers AES256-SHA256 as the encryption (Windows 10 1809 and later), choose it over the old TripleDES-SHA1 setting, which relies on RC2 and SHA-1.

From now on I used openssl to unpack the pfx into the other formats. Each of the pkcs12 commands below asks for the pfx password. With OpenSSL 3 and a pfx exported with the TripleDES-SHA1 setting, add -legacy to the commands, otherwise they fail with an unsupported algorithm error.

Export of the key from a pfx to a pem. -nodes writes the key unencrypted, so create the file with restrictive permissions and remove it once it is installed:

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

Export of the server certificate alone (no key, no chain) from a pfx to a pem:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

Export of the chain (the CA certificates only, without the server certificate) from a pfx to a pem. -chain is an option for building a pfx and does nothing when reading one, so it is left out:

openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pem

Export of the server certificate together with its chain, without the key:

openssl pkcs12 -in cert.pfx -nokeys -out fullchain.pem

Export of everything in the pfx (server certificate, chain and the private key, unencrypted because of -nodes) to a single pem:

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

If a pem is needed that includes the key, the key block (from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----) can just be pasted above the -----BEGIN CERTIFICATE----- of cert.pem. openssl puts Bag Attributes and localKeyID lines in front of every block; most software skips them, but it is cleaner to delete them, and the key goes above them in any case. A file that contains the key needs the same protection as the key file (readable by the service account only), however many certificates it also holds.

A crt is the same PEM-encoded certificate under a different file extension, so it comes straight out of the pfx as well (only if a program insists on binary DER does the pem have to be converted, which openssl x509 with -outform DER does):

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
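The commands above produce files, but nothing yet proves that key.pem belongs to cert.pem, that the chain actually chains, or that the certificate covers the host names it will serve under. The script below is an added example, not from the original post: it builds a constructed cert.pfx (a throwaway root CA and a leaf for *.example.com, packed with openssl pkcs12 -export) so that it runs offline, runs the extractions from this section, produces the combined key-plus-certificate pem and the crt, and then checks every result. It assumes OpenSSL 1.1.1 or newer and that the pfx password is handed over in the environment variable PFX_PASS; PFX_PASS, the file names, the throwaway CA and the test password are assumptions of the example.

```shell
# Added example, not code from the original post: unpack a PFX the way the
# commands above do, then prove the pieces belong together before they are
# deployed. Assumptions: OpenSSL 1.1.1 or newer on PATH; the PFX password
# is supplied through the environment variable PFX_PASS instead of typed.
set -eu

# Constructed stand-in for the CA-issued wildcard certificate: a throwaway
# root CA and a leaf it signs, packed into cert.pfx. In the real workflow
# cert.pfx is the file exported from mmc.
make_sample_pfx() {
  dir=$1
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca' \
    '[dn]' 'CN = Test Root CA' 'O = Example Company' 'C = DE' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  printf '%s\n' 'subjectAltName = DNS:*.example.com,DNS:example.com' \
    'extendedKeyUsage = serverAuth' \
    'keyUsage = critical,digitalSignature,keyEncipherment' > "$dir/leaf.ext"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=*.example.com/O=Example Company/C=DE' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.pem" \
    -certfile "$dir/ca.pem" -passout env:PFX_PASS -out "$dir/cert.pfx"
}

# The extractions from the post. The key comes out unencrypted (-nodes),
# so it is written under umask 077 and never lands world-readable.
pfx_extract() {
  dir=$1
  (umask 077; openssl pkcs12 -in "$dir/cert.pfx" -passin env:PFX_PASS \
      -nocerts -nodes -out "$dir/key.pem")
  openssl pkcs12 -in "$dir/cert.pfx" -passin env:PFX_PASS -clcerts -nokeys -out "$dir/cert.pem"
  openssl pkcs12 -in "$dir/cert.pfx" -passin env:PFX_PASS -cacerts -nokeys -out "$dir/chain.pem"
  # .crt is the same PEM without the "Bag Attributes" header; .der is binary.
  openssl x509 -in "$dir/cert.pem" -out "$dir/cert.crt"
  openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der"
  # Key first, then the leaf: the single-file layout described above.
  (umask 077; openssl pkey -in "$dir/key.pem" > "$dir/combined.pem")
  cat "$dir/cert.crt" >> "$dir/combined.pem"
}

# Does the key belong to the certificate? Compare the SubjectPublicKeyInfo.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)" ]
}

# Does the leaf chain to the CA certificates that came out of the PFX?
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Is the host name actually covered by the leaf (SAN and wildcard rules)?
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

main() {
  work=$(mktemp -d)
  PFX_PASS='constructed-test-password'; export PFX_PASS
  make_sample_pfx "$work"
  pfx_extract "$work"
  key_matches_cert "$work/key.pem" "$work/cert.crt" && echo 'key matches leaf'
  chain_verifies "$work/cert.crt" "$work/chain.pem" && echo 'leaf chains to CA'
  cert_covers_host "$work/cert.crt" www.example.com && echo 'covers www.example.com'
  echo "files in $work"
}
main
```

For a pfx exported by Windows with the TripleDES-SHA1 setting, OpenSSL 3 needs -legacy on the three openssl pkcs12 -in lines. The public-key comparison is the check to run whenever a server refuses to start with a key/certificate mismatch: it tells apart a wrong key file from a wrong certificate file in one line.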

Key recovery

Here is what to do when you install the new certificate on the machine that created the request, but it appears that you don't have the private key, i.e. the key symbol is missing in mmc. The key is still in its container on that machine; the certificate just has not been linked to it.

Open the certificate and copy the serial number (the SHA-1 thumbprint works as well). Then, in cmd as administrator, use certutil to repair the association between certificate and key:

C:\Windows\System32>certutil.exe -repairstore my [SERIAL]

This is the output:

C:\Windows\System32>certutil.exe -repairstore my [SERIAL]
my "Personal"
================ Certificate 0 ================
Serial Number: [SERIAL]
Issuer: CN=D-TRUST SSL Class 3 CA 1 2009, O=D-Trust GmbH, C=DE
 NotBefore: 3/15/2024 9:18 AM
 NotAfter: 3/18/2025 9:18 AM
Subject: CN=[...], O=[...], L=[...], S=[...], C=DE, SERIALNUMBER=[...]
Non-root Certificate
Cert Hash(sha1): [...]
  Key Container = [...]
  Unique container name: [...]
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.

After this, the key symbol is back. certutil went through the machine's key containers, found a private key whose public half matches the certificate (the Encryption test passed line confirms that the pair works) and wrote the link into the certificate's properties. If the request was created without MachineKeySet = True, the key lives in the user's profile instead and the command needs the -user switch in front of -repairstore. If no container matches, because the request was made on another machine or the key was deleted, there is nothing to repair and a new request has to be generated.