How to: obtain certificates and convert them with OpenSSL

In this blog post I gonna dive into on how to obtain certificates with Let’s Encrypt and convert them with OpenSSL.


Reasons to use certificates from Let’s Encrypt

The reason I use certificates from Let’s Encrypt is for testing purposes, to configure an Exchange Hybrid configuration in your lab for example. Let’s Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides certificates for encryption at no charge.

Great, they are free (open source)! The only downside is that they have to be renewed every three months, so that’s why I only use them for testing purposes.

Prerequisites for using Let’s Encrypt and OpenSSL

  • An ACME client
  • OpenSSL installed

OpenSSL is available for most Unix-like operating systems. But there many different ways using both applications, you can download an OpenSSL binary and ACME client for your OS.

In this blogpost I will use a local Debian VM (without the GNOME experience), with OpenSSL and the ACME client Certbot installed. Which is also recommended by Let’s Encrypy. I connect to my Debian VM over SSH.

Install OpenSSL and Certbot

Before you begin, you need to have sudo privileges on your system.

Install OpenSSL:

apt-get install openssl -y

Install Let’s Encrypt (CertBot) with a DNS challenge:

apt-get install certbot -y

Installing the DNS challenge:

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
chmod +x acme-dns-auth.py

When installed and the script is executable with the chmod commando, edit the Python file on the first line of the script. The first line will be like “#!/usr/bin/env python3”. This is required to ensure that the script uses the latest supported version of Python 3.

nano acme-dns-auth.py

Move acme-dns-auth.py into the Certbot Let’s Encrypt directory so that Certbot can load it.

sudo mv acme-dns-auth.py /etc/letsencrypt/

Obtain your first certificate

You’ll need to complete an initial setup and accept the term of conditions of Let’s Encrypt, when using Let’s Encrypt for the first time.

Obtain different types of certification.

Single domain (you can also use a subdomain):

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d yourdomain.com

SAN certificate:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d yourdomain.com -d yourdomain2.com -d sub.yourdomain.com

Wildcard certificate:

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.yourdomain.com

The output will be a CNAME record, that you need to validate on your provided domain(s).

Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.yourdomain.com CNAME xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx.auth.acme-dns.io.
Waiting for verification...

When the validation is complete the following output will be prompted.

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.com/privkey.pem

You can renew your certificate by running:

certbot renew

It is not recommended to delete the certificate in the letsencrypt/live folder. The best way to delete it, is by running:

 certbot delete

Convert the .pem to .crt\.key or.pxf with OpenSSL

First copy the two .pem files to a directory like /tmp.

cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /tmp
cp /etc/letsencrypt/live/yourdomain/privkey.pem /tmp

Convert the .pem files to a .pfx file (you will be prompted to give this file a password):

openssl pkcs12 -inkey /tmp/privkey.pem -in /tmp/fullchain.pem -export -out /tmp/yourcertname.pfx

Convert the .pem files to .crt and .key (private key file) in RSA format:

openssl x509 -in /tmp/fullchain.pem -out /tmp/yourcertname.crt
openssl rsa -in /tmp/privkey.pem -out /tmp/yourkeyname.key 

Remove the .pem cert and private key from the tmp folder:

rm /tmp/fullchain.pem
rm /tmp/privkey.pem

Note: It is very important to be careful where you keep the certificates.

Now you can use the certificates within your Linux server for example in SendMail MTA or your Apache client.

Export certificates to your host OS.

Your Linux VM is accessible with SFTP which has the same port as SSH (port 22). My host machine is running Windows 10 and I use WinSCP as SFTP client.

Let’s go back to the step where you converted the certificate and private key in .pem format to an .pfx file. You want to export this .pfx to host machine, before you do that, you need to change to ownership from root to your username in within the Linux kernel.

chown username /tmp/filename.pfx

Now you can copy and paste the .pfx file to a preferred location. When you’ve done that remove the .pfx file from your temp folder.

rm /tmp/filename.pfx

Import certificates and using OpenSSL

As mention earlier you can use OpenSSL with a binary that fits your OS, but if you are like me and want to use OpenSSL in the Linux kernel (the official way). You may want to use OpenSSL within this kernel.

Alright then, copy a certification file into the temp folder like an .pfx and run the following commands.

openssl pkcs12 -in /tmp/filename.pfx -nocerts -out /tmp/key.pem
openssl pkcs12 -in /tmp/filename.pfx -clcerts -nokeys -out /tmp/cert.pem
 openssl rsa -in /tmp/key.pem -out /tmp/private.key 

No you’ve got the certificate as an .pem and the private key as an .key file. You can move those files back into your host machine. You may want to change the .pem format into an .crt format. You can easily change the file extension type.

Please note that you remove everything above the two files, open the files in notepad and check if they only begin with:

-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----

Last but not least, remove the .pfx file from your Linux VM.

rm /tmp/filename.pfx

Lets Encrypt Root & Intermediate Certificate Bundles

You may need to use for some application a file like ca-bundle.crt. You can obtain the Root & Intermediate Certificate bundle from the Let’s Encrypt website.

Just download the active Root and Intermediate Certificate as .pem files and combine those two files together with a notepad and save it as a file like ca-bundle.crt. The file will look like this:

-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----

Share this: