Various SSL related information and tools
This section lists the most frequently used certificate conversions to perform with OpenSSL.
Convert a PKCS#12 bundle (.pfx) to PEM. Note that -nodes writes the private key unencrypted into the output file, so restrict its permissions:
openssl pkcs12 -in cert.pfx -out cert.crt -nodes
Package a PEM private key, its certificate and the CA certificate into a PKCS#12 bundle (.pfx):
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca.crt
Often you will need to chain two certificates into what is known as a certificate list.
[RFC4346 snippet] certificate_list This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
Important Note: Order matters!
For public certificates, e.g. for web servers, avoid putting the root CA certificate in the certificate list. Only the server certificate and any intermediates are needed; clients already hold the root.
With all this out of the way, combining the files is as easy as:
cat server.pem intermediate.pem > fullchain.pem
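Because a mis-ordered bundle is easy to produce with cat, the following added example (not part of the original page) checks the RFC 4346 rule on a PEM chain file: each certificate's issuer must be the subject of the certificate that follows it, and it reports when the last certificate is a self-signed root that should usually be left out. It assumes the openssl CLI is installed; the file name fullchain.pem is just the example argument.

```shell
#!/bin/sh
# check_chain_order FILE
# Splits a PEM certificate list into its individual certificates and verifies
# the ordering rule from RFC 4346: certificate N+1 must be the issuer of
# certificate N. Returns 0 when the order is correct, 1 otherwise. Also warns
# when the final certificate is self-signed (a root CA), since public web
# server chains normally omit the root. Requires the openssl CLI.
check_chain_order() {
    chain="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per "-----BEGIN CERTIFICATE-----" block;
    # zero-padded names keep the glob below in the original order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$chain"
    prev_issuer=""
    status=0
    i=0
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || continue
        i=$((i + 1))
        # RFC2253 name format gives a canonical string to compare across certificates.
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^issuer= *//')
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
            echo "cert $i: subject '$subj' does not match issuer of previous cert '$prev_issuer'" >&2
            status=1
        fi
        prev_issuer="$iss"
    done
    if [ "$i" -eq 0 ]; then
        echo "no certificates found in $chain" >&2
        status=1
    elif [ "$subj" = "$iss" ]; then
        echo "note: last certificate is self-signed (root CA); public chains usually omit it" >&2
    fi
    rm -rf "$tmp"
    return $status
}
check_chain_order "${1:-fullchain.pem}"
```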
And that’s it. Once deployed, you can always test using SSL Labs.
When it comes to implementing services with a decent SSL/TLS configuration, a good place to start is Mozilla’s SSL Configuration Generator website. There you can easily generate a working and up-to-date config for a range of services and security levels.