
I am trying to enable an Azure Front Door instance on the front of my website using my EV cert (Extended Validation Certificate).

However, from Azure Front Door Cert Instructions,

Azure Front Door Service currently only supports certificates uploaded with a PFX without a password.

I have this cert chain in .cer format and .pfx format with a password, how do I convert it in to the necessary format?

Z.T.
Aaron

3 Answers

4

Combining two of the answers above, to create a PFX without a password for Azure Front Door from an existing PFX with a password, I did:

    openssl pkcs12 -in input.pfx -nodes | \
        openssl pkcs12 -export -keypbe NONE -certpbe NONE -out output.pfx
3

I was able to run this command using openssl and get a PFX cert file without a password as required by FrontDoor:

openssl pkcs12 -export -keypbe NONE -certpbe NONE -in cert.crt -inkey cert.key -out out.pfx

Then press enter on the password prompt twice.

Aaron
2

I'm not sure what Azure means by 'without a password'. OpenSSL can create a PKCS12 with the contents unencrypted, but it still has a PBMAC which uses a password -- but which a reader that violates the standard can ignore. I don't know how I missed it, but since 1.0.0 -nomac DOES avoid the PBMAC. To suppress both encryption and MAC, if you have the separate key and cert both in PEM:

 openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomac -in cert.pem -inkey key.pem -out out.p12 
 # if you need to add chain cert(s), see the man page or ask further

otherwise since you have an existing pfx:

 openssl pkcs12 -in old.pfx -nodes | openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomac -out new.p12

But my previous answer without -nomac apparently worked for at least some people because the reader can ignore a MAC that it can't verify without the password, but can't use the encrypted bags without the password.

dave_thompson_085
  • When you say "if you have the separate key and cert both in PEM" What does that mean? As I said I have .cer format and .pfx format with a password? I think that .cer is a version of PEM, so I'll try that, but is the entire chain (from the .cer) file included? – Aaron Oct 19 '18 at 13:56
  • So Dave I don't have a separate key file, only the one .cer file, and then also I exported a .pfx file from digicert that includes a password. – Aaron Oct 19 '18 at 19:30
  • I re-exported the key to separate .crt and .key files, then ran a slightly modified version of your command that was able to do it: `openssl pkcs12 -export -keypbe NONE -certpbe NONE -in cert.crt -inkey cert.key -out out.pfx` – Aaron Oct 19 '18 at 19:38
  • `.cer` is generally used for both DER and PEM (especially in MS), but only the latter works for this command, while `.key` is used for many formats, only a few of them PEM and workable here, which I wanted to emphasize. You can use whatever extensions you want for your own files, at the risk of misleading other people. PFX and PKCS12 or P12 are the same thing and don't need to be distinguished. More substantively, a PFX/P12 is normally encrypted and later decrypted with a password (sometimes more than one), but it does not _contain_ the password(s); that would be completely insecure. – dave_thompson_085 Oct 22 '18 at 09:33
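The distinction dave_thompson_085 draws above, no encryption versus no MAC, can be checked directly on the file the openssl commands produce. The following is an added example, not code from the question or from any of the answers: a standard-library-only Python inspector that walks the PKCS#12 envelope (RFC 7292) and reports whether the AuthenticatedSafe is plain or EncryptedData, whether each private key is a plain keyBag or a pkcs8ShroudedKeyBag, and whether a MacData trailer is present. The fixture builder at the bottom is a constructed stand-in for real files: it emits PFX structures with empty placeholder bag bodies (no real key material, an assumption of this example) that mimic the three states discussed on this page: a normal password-protected export, `-keypbe NONE -certpbe NONE` alone (still MACed), and the same with `-nomac`.

```python
"""Inspect a PKCS#12 (.pfx/.p12) envelope without knowing any password.

A PFX can demand a password in three independent places: the AuthenticatedSafe
may be wrapped in EncryptedData, a private key may be a pkcs8ShroudedKeyBag
instead of a plain keyBag, and a trailing MacData (PBMAC) needs the password
to verify. The DER walker below handles only what the PFX envelope needs.
"""

OID_DATA = "1.2.840.113549.1.7.1"            # pkcs7-data
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"  # pkcs7-encryptedData
BAG_NAMES = {
    "1.2.840.113549.1.12.10.1.1": "keyBag",
    "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",
    "1.2.840.113549.1.12.10.1.3": "certBag",
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def unwrap(tlv):
    """Body of the single DER element that makes up tlv."""
    return read_tlv(tlv, 0)[1]


def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def content_info(body):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }.
    Returns (oid, inner TLV); for pkcs7-data the inner TLV is an OCTET STRING."""
    (_, oid), (_, explicit) = children(body)[:2]
    return decode_oid(oid), children(explicit)[0][1]


def inspect_pfx(der_bytes):
    parts = children(unwrap(der_bytes))        # version, authSafe, [macData]
    report = {"outer": "plain", "mac_present": len(parts) > 2, "bags": []}
    oid, auth_safe = content_info(parts[1][1])
    if oid == OID_ENCRYPTED_DATA:              # whole AuthenticatedSafe is encrypted
        report["outer"] = "encrypted"
        return report
    for _, ci in children(unwrap(auth_safe)):  # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        oid, safe_contents = content_info(ci)
        if oid == OID_ENCRYPTED_DATA:          # what -certpbe produces unless NONE
            report["bags"].append("encryptedData")
            continue
        for _, bag in children(unwrap(safe_contents)):  # SafeContents ::= SEQUENCE OF SafeBag
            bag_id = decode_oid(children(bag)[0][1])
            report["bags"].append(BAG_NAMES.get(bag_id, bag_id))
    return report


def password_free(report):
    """True only if nothing in the file needs a password, the MAC included."""
    encrypted = report["outer"] == "encrypted" or any(
        b in ("encryptedData", "pkcs8ShroudedKeyBag") for b in report["bags"])
    return not encrypted and not report["mac_present"]


# --- constructed fixtures (placeholder bodies, no real key material) ---
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunks.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunks)
    return der(0x06, bytes(body))


def build_fixture(encrypt_certs, shroud_key, with_mac):
    """Envelope-only sample PFX mimicking the openssl pkcs12 -export variants."""
    key_oid = "1.2.840.113549.1.12.10.1.2" if shroud_key else "1.2.840.113549.1.12.10.1.1"
    key_bag = der(0x30, encode_oid(key_oid) + der(0xA0, der(0x30, b"")))
    cert_bag = der(0x30, encode_oid("1.2.840.113549.1.12.10.1.3") + der(0xA0, der(0x30, b"")))

    def plain(inner_tlv):                      # pkcs7-data ContentInfo around an OCTET STRING
        return der(0x30, encode_oid(OID_DATA) + der(0xA0, der(0x04, inner_tlv)))

    if encrypt_certs:                          # certs in EncryptedData, key in its own data part
        cert_ci = der(0x30, encode_oid(OID_ENCRYPTED_DATA) + der(0xA0, der(0x30, der(0x02, b"\x00"))))
        auth_safe = der(0x30, cert_ci + plain(der(0x30, key_bag)))
    else:
        auth_safe = der(0x30, plain(der(0x30, key_bag + cert_bag)))
    body = der(0x02, b"\x03") + plain(auth_safe)
    if with_mac:  # MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER }
        alg = der(0x30, encode_oid("1.3.14.3.2.26") + der(0x05, b""))      # sha1
        body += der(0x30, der(0x30, alg + der(0x04, bytes(20))) + der(0x04, bytes(8)) + der(0x02, b"\x08\x00"))
    return der(0x30, body)


if __name__ == "__main__":
    for label, args in {"password-protected export": (True, True, True),
                        "-keypbe NONE -certpbe NONE": (False, False, True),
                        "-keypbe NONE -certpbe NONE -nomac": (False, False, False)}.items():
        r = inspect_pfx(build_fixture(*args))
        print(f"{label}: {r} password_free={password_free(r)}")
```

On a real file run `inspect_pfx(open("out.pfx", "rb").read())`. For the Front Door requirement you want `outer` to be `plain`, no `encryptedData` or `pkcs8ShroudedKeyBag` entries, and `mac_present` False if you used `-nomac`; a report with a MAC present but no encryption is the case the answer describes, where the file only works because the reader skips MAC verification.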