
Certificate conversion tool: pfx2pem

Here's a pretty typical stumbling block you might run into if you want to migrate from Secure Gateway servers to an Access Gateway appliance: Your Secure Gateway server running Windows already has a certificate installed and you'd like to re-use that certificate on the Access Gateway appliance instead of paying for a new certificate. But the Secure Gateway certificate is buried in the local machine store of a Windows box and the Access Gateway expects a certificate and private key in the UNIXy PEM format. How can you get that certificate and private key off the Windows box and onto the CAG?

Hopefully, when you originally requested the certificate for your Windows server, you enabled the "Mark keys as exportable" option. If not, you are out of luck here because the private key associated with your server certificate is now imprisoned on that Windows box. But assuming the private key is exportable, you should be able to view the certificate in the Certificates MMC snap-in and export it out to a file.

When you export the certificate, you'll be asked whether you want to export the private key as well, and prompted for a password to protect that private key. (This option is greyed out when the key is not exportable.)

This export process produces a file that has a .PFX extension. PFX is short for Personal inFormation eXchange. I'm not sure why Microsoft didn't just go ahead and use the .PIE extension here. I mean, everybody loves PIE, right?

The PFX file format is also known as a PKCS#12. It's a secure envelope that contains both the certificate (public key) and its corresponding private key in a single file. Guard these sorts of files carefully, because if they fall into the wrong hands, they can be used to impersonate your server on the Internet. That's why you are prompted for a password when the file is created--when you know the password you can install this certificate onto any other server.

Access Gateway expects certificates in PEM format, which is a Base64-encoded text file. Open up a DER-encoded certificate or a PFX file in Notepad and you will see gibberish because those are binary file formats. But a PEM-formatted certificate is readable and easy to send over e-mail, like this:


When you upload a certificate to Access Gateway, it expects it to be in this PEM format. AG also expects the private key to be in the same PEM file, so a proper PEM file for AG 4.2 would look something like this:

Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: 8d790ff1becfddffad82a49ecf38a234_ef64343b-cae7-4db9-8025-eec430840df7
Key Attributes
X509v3 Key Usage: 10
Bag Attributes
localKeyID: 01 00 00 00
subject=/C=US/ST=Florida/L=Fort Lauderdale/O=Citrix Systems/OU=Technical Support/CN=sg.company.com
issuer=/DC=ctx/DC=gemini/CN=Citrix iForum 2004

Access Gateway 4.2 and earlier require that you use certificates with an unencrypted private key. This will change in 4.5, where the encrypted private keys will be supported and encouraged. Netscaler expects PEM formatted certificates too, and supports the upload of password-protected private keys.

The AG Administrator's Guide advises you to use OpenSSL to convert your certificate into PEM format. Just find a UNIX system or find a Win32 port of OpenSSL, go out to a command prompt and type:

openssl pkcs12 -in cert.pfx -out newcert.pem -nodes

(BTW, that -nodes flag is not the plural of node, it means "no DES encryption".)

But that's a hassle. You don't want to spend all day at a command prompt cd'ing into the right directory and typing fully qualified file paths and such. So here's pfx2pem, a little Windows shell wrapper that will generate and execute the OpenSSL command for you:

Download pfx2pem.zip

To use pfx2pem, just drag and drop your PFX file onto the pfx2pem.wsf icon. It prompts you for the password and then spits out a PEM file right next to the original PFX file.

There are two versions of the tool included:

  1. pfx2pem - generates a PEM file with an unencrypted private key. Use this for CAG 4.2.x and earlier.
  2. pfx2pem-des - generates a PEM file with an encrypted private key. Use this for Netscaler and future versions of CAG.
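For readers without the Windows wrapper, here is an added example (my own code, not the pfx2pem.wsf from the download above) that does the same job from any platform: it builds the openssl pkcs12 command for either mode, reads the pass phrases from the terminal and hands them to OpenSSL through environment variables so they never appear on the command line, and writes the PEM next to the PFX. The "nodes"/"des" mode names, the -des3 cipher choice for the encrypted variant and the environment-variable names are my assumptions.

```python
"""pfx2pem-style wrapper: build (and optionally run) the openssl pkcs12 command."""
import os
import subprocess
import sys
from getpass import getpass
from pathlib import Path


def build_pkcs12_command(pfx_path, encrypt_key):
    """Return (argv, pem_path) for converting a .pfx into a PEM file beside it.

    encrypt_key=False mirrors pfx2pem: -nodes leaves the private key in the clear
    (required by CAG 4.2.x and earlier).  encrypt_key=True mirrors pfx2pem-des:
    the key stays pass-phrase protected (assumed cipher: -des3) for Netscaler and
    later CAG releases.  Pass phrases come from environment variables via OpenSSL's
    env: source, so they are not visible in process listings or shell history.
    """
    pfx = Path(pfx_path)
    if pfx.suffix.lower() != ".pfx":
        raise ValueError(f"expected a .pfx file, got {pfx.name}")
    pem = pfx.with_suffix(".pem")
    argv = ["openssl", "pkcs12", "-in", str(pfx), "-out", str(pem),
            "-passin", "env:PFX_PASSWORD"]
    if encrypt_key:
        argv += ["-des3", "-passout", "env:PEM_PASSWORD"]
    else:
        argv.append("-nodes")
    return argv, pem


def convert(pfx_path, encrypt_key, pfx_password, pem_password=None):
    """Run the conversion and lock the resulting PEM down to the current user."""
    argv, pem = build_pkcs12_command(pfx_path, encrypt_key)
    env = dict(os.environ, PFX_PASSWORD=pfx_password)
    if encrypt_key:
        if not pem_password:
            raise ValueError("an encrypted PEM needs a pass phrase")
        env["PEM_PASSWORD"] = pem_password
    subprocess.run(argv, env=env, check=True)
    # The PEM now carries the private key: owner-only permissions (no-op on Windows ACLs).
    os.chmod(pem, 0o600)
    return pem


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] not in ("nodes", "des"):
        sys.exit("usage: pfx2pem.py nodes|des <file.pfx>")
    encrypt = sys.argv[1] == "des"
    pfx_pw = getpass("PFX password: ")
    pem_pw = getpass("Pass phrase for the new PEM key: ") if encrypt else None
    print("wrote", convert(sys.argv[2], encrypt, pfx_pw, pem_pw))
```

Like the original, the "nodes" output contains a plaintext private key, so treat that PEM with the same care as the PFX it came from.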


Great note of warning for AG users, but a quick question. What would you suggest being the best move for going from one AG to another AG? I can copy the configuration of one over to the other, but the certificate is registering as invalid when users log on afterwards. I tried reinputting the certificate afterwards to no avail.
