Practical SSL

Various SSL/TLS-related information and tools.

Conversion

This section lists the most frequently used certificate conversions performed with openssl.

OpenSSL Convert PFX to PEM
openssl pkcs12 -in cert.pfx -out cert.crt -nodes

Note that the resulting cert.crt holds the private key as well as the certificates, and -nodes writes that key unencrypted, so the file must be protected like a key file. To split the PFX instead, run the same command with -nocerts (key only), -clcerts -nokeys (end-entity certificate only) or -cacerts -nokeys (CA certificates only).

OpenSSL Convert PEM to PFX
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca.crt

Here -inkey and -in are the server key and certificate, and -certfile bundles the intermediate certificate(s) into the PFX alongside them.

Chaining

Often you will need to chain two or more certificates (the server certificate and its intermediates) into what TLS calls a certificate list.

RFC 4346 (TLS 1.1), section 7.4.2, defines the list as follows:

certificate_list
    This is a sequence (chain) of X.509v3 certificates.  The sender's
    certificate must come first in the list.  Each following
    certificate must directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority may optionally be omitted from the chain,
    under the assumption that the remote end must already possess it
    in order to validate it in any case.

Important Note: Order matters!

For public certificates, e.g. for webservers, leave the root CA certificate out of the certificate list: clients can only validate the chain if they already trust the root, so sending it adds bytes to every handshake and nothing else. What is needed is the server certificate first, followed by every intermediate, each one directly certifying the certificate before it.

With all this out of the way, combining the files is as easy as:

cat server.pem intermediate.pem > fullchain.pem

And that's it. If there is more than one intermediate, append them in the same order, each after the certificate it signed. Once deployed, you can always test using SSL Labs, or locally with openssl s_client -showcerts, which prints the chain exactly as the server sends it.
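The script below is an added example, not code from the original page. It builds a throwaway root -> intermediate -> server chain with openssl and then exercises both sections above: the PEM to PFX and back round trip from the conversion section, and the leaf-first ordering rule from the chaining section. It assumes openssl 1.1.1 or later, awk and mktemp are on PATH; the subject names, file names and the PFX password "demo" are made up for the demo.

```sh
#!/bin/sh
# Added example, not part of the original page. Builds a throwaway
# root -> intermediate -> server chain, then exercises the two operations
# described above: the PEM/PFX round trip and leaf-first chain ordering.
# Assumes openssl 1.1.1 or later, awk and mktemp on PATH. All names
# (Demo Root, www.example.test, file names, password "demo") are made up.

# make_demo_chain DIR: writes root.pem/root.key, intermediate.pem/int.key and
# server.pem/server.key into DIR. Test keys are unencrypted (-nodes).
# Extensions come from small ext files so nothing depends on openssl.cnf.
make_demo_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

# pfx_roundtrip DIR: PEM -> PFX (intermediate bundled via -certfile), then
# PFX -> PEM split into key, leaf and CA files. Returns 0 if the key pair
# and leaf that come back are the ones that went in.
pfx_roundtrip() {
    d="$1"
    openssl pkcs12 -export -out "$d/cert.pfx" -inkey "$d/server.key" \
        -in "$d/server.pem" -certfile "$d/intermediate.pem" -passout pass:demo
    # -nodes leaves the extracted private key unencrypted: protect out.key
    openssl pkcs12 -in "$d/cert.pfx" -passin pass:demo -nocerts -nodes -out "$d/out.key"
    openssl pkcs12 -in "$d/cert.pfx" -passin pass:demo -clcerts -nokeys -out "$d/out.crt"
    openssl pkcs12 -in "$d/cert.pfx" -passin pass:demo -cacerts -nokeys -out "$d/out-ca.crt"
    [ "$(openssl pkey -in "$d/out.key" -pubout)" = "$(openssl pkey -in "$d/server.key" -pubout)" ] &&
    [ "$(openssl x509 -in "$d/out.crt" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$d/server.pem" -noout -fingerprint -sha256)" ]
}

# chain_order_ok BUNDLE: splits a PEM bundle in file order and checks that
# each certificate's subject equals the issuer of the certificate before it,
# i.e. the RFC 4346 certificate_list rule. Returns 1 on the first violation.
chain_order_ok() {
    bundle="$1"
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%03d.pem", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    rc=0; prev_issuer=""
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || { echo "no certificates in $bundle" >&2; rc=2; break; }
        subject=$(openssl x509 -in "$f" -noout -subject); subject=${subject#subject=}
        issuer=$(openssl x509 -in "$f" -noout -issuer);   issuer=${issuer#issuer=}
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "out of order at $f: previous issuer is '$prev_issuer', this subject is '$subject'" >&2
            rc=1; break
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    return $rc
}

# chain_verify ROOT BUNDLE: verifies the first certificate in BUNDLE against
# ROOT using the rest of BUNDLE as untrusted intermediates.
chain_verify() {
    root="$1"; bundle="$2"
    leaf=$(mktemp) || return 2
    openssl x509 -in "$bundle" -out "$leaf"   # x509 -in reads only the first cert
    openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null
    rc=$?
    rm -f "$leaf"
    return $rc
}

# Stand-alone run: build the chain, do both checks, clean up.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
pfx_roundtrip "$demo_dir" && echo "PFX round trip: key and leaf match"
cat "$demo_dir/server.pem" "$demo_dir/intermediate.pem" > "$demo_dir/fullchain.pem"
chain_order_ok "$demo_dir/fullchain.pem" && echo "fullchain.pem: leaf-first order OK"
chain_verify "$demo_dir/root.pem" "$demo_dir/fullchain.pem" && echo "fullchain.pem: verifies to root"
rm -rf "$demo_dir"
```

The two chain checks are deliberately separate. openssl verify treats the first certificate in the bundle as the subject and searches the whole -untrusted file for issuers regardless of position, so a bundle with the intermediate placed first still verifies (the intermediate is itself a valid certificate chaining to the root). Only chain_order_ok catches the misordered list that a TLS client would reject, and the root is never part of what is concatenated into fullchain.pem.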

Service configuration

When it comes to implementing services with a decent SSL/TLS configuration, a good place to start is Mozilla's SSL Configuration Generator website. Here you can easily generate a working and up-to-date config for a range of services and security levels (Modern, Intermediate and Old); pick the newest profile your clients can support, and choose the server and OpenSSL versions you actually run, because the generated cipher and protocol settings depend on them.

Mozilla SSL config