Overview
I often have to break Personal Information Exchange (PFX) files up because I need the certificate and the enclosed private key. Occasionally, I have needed to take all the separate files and export them as a PFX.
Modern Browsers and Subject Alternative Name (SAN)
Modern browsers, such as Google Chrome, stopped supporting certificates without the Subject Alternative Name (SAN) field [aka subjectAltName] starting with Google Chrome 58 in April 2017! (https://developer.chrome.com/blog/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates)
Google’s decision to enforce the SAN actually came 17 years after RFC 2818 was originally published in May 2000, deprecating the fallback to the Common Name:
> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used. Although
> the use of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.
A Proper Certificate Request (CSR)
This comes up quite often when I am working with customers. Certificates are either requested incorrectly altogether, or the request contains only partial information.
The Subject Alternative Name (SAN) field seems to be the biggest area of contention I encounter. A good Certificate Authority (CA) will allow 100 individual entries in the SAN field, more than enough for a typical installation.
Here are my recommendations depending on the scenario. Organizations should have their own criteria and that should be followed in an Enterprise.
Single Server Web Certificate
The Common Name (CN) should include the fully qualified domain name for the server. The Subject Alternative Name (SAN) should also include the fully qualified domain name, short name, and optional IP addresses. If there are DNS Canonical Names (CNAMES) in use, the fully qualified and short names should also be added to the Subject Alternative Name.
| Attribute | Value |
|---|---|
| Common Name | my-web-server.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server |
| Subject Alternative Name – IPv4 | 192.168.1.100 |
| Subject Alternative Name – IPv6 | 2001:0DB8:542a:6ec8:b41f:1307:1ca0:83cf |
Multiple Server Web Certificate
When there is more than one server participating, all of the servers are usually behind a load balancer. For this situation, the load balancer is the front-end while the participating servers are the back-end. The most important thing to remember for this situation is that the load balancer as well as all of the participating servers need to be in the Subject Alternative Name. If there are DNS Canonical Names (CNAMES) in use, the fully qualified and short names should also be added to the Subject Alternative Name.
| Attribute | Value |
|---|---|
| Common Name | my-web-server-lb.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server-lb.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server-1.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server-2.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server-3.aaronrombaut.com |
| Subject Alternative Name – DNS | my-web-server-lb |
| Subject Alternative Name – DNS | my-web-server-1 |
| Subject Alternative Name – DNS | my-web-server-2 |
| Subject Alternative Name – DNS | my-web-server-3 |
| Subject Alternative Name – IPv4 | 192.168.1.100 |
| Subject Alternative Name – IPv4 | 192.168.1.101 |
| Subject Alternative Name – IPv4 | 192.168.1.102 |
| Subject Alternative Name – IPv4 | 192.168.1.103 |
| Subject Alternative Name – IPv6 | 2001:0DB8:542a:6ec8:b41f:1307:1ca0:8300 |
| Subject Alternative Name – IPv6 | 2001:0DB8:542a:6ec8:b41f:1307:1ca0:8301 |
| Subject Alternative Name – IPv6 | 2001:0DB8:542a:6ec8:b41f:1307:1ca0:8302 |
| Subject Alternative Name – IPv6 | 2001:0DB8:542a:6ec8:b41f:1307:1ca0:8303 |
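The single-server and multiple-server layouts above both come down to the same thing: every name and address the certificate must answer for goes into the SAN, and the CN is repeated there because browsers no longer look at the CN. The script below is an added example, not code from the original post; it writes an openssl request config with those SAN entries, generates the CSR, and reads the SAN back so the request can be checked before it goes to the CA. It assumes a POSIX shell and the openssl CLI (1.1.1 or later) on PATH; the `make_csr` and `csr_san` function names, the working directory and the host names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: build a CSR whose SAN carries every
# name and address from the tables above, then read the SAN back to check it.
# Assumes a POSIX shell and the openssl CLI (1.1.1 or later) on PATH; host names,
# addresses and file names are constructed sample values.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_csr CN BASENAME ENTRY...   where ENTRY is DNS:<name> or IP:<address>
# Writes $WORK/BASENAME.key (new RSA-2048 key) and $WORK/BASENAME.csr.
make_csr() {
  cn="$1"; base="$2"; shift 2
  cnf="$WORK/$base.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$cn"
    printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    dns=0; ip=0
    for entry in "$@"; do
      case "$entry" in
        DNS:*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "${entry#DNS:}" ;;
        IP:*)  ip=$((ip + 1));   printf 'IP.%d = %s\n'  "$ip"  "${entry#IP:}" ;;
        *) echo "unsupported SAN entry: $entry" >&2; return 1 ;;
      esac
    done
  } > "$cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -keyout "$WORK/$base.key" -out "$WORK/$base.csr" 2>/dev/null
}

# csr_san CSRFILE   prints the SAN values as openssl renders them, on one line
csr_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo: the load-balancer layout from the second table, trimmed to two back-ends.
# The CN is repeated in the SAN because browsers no longer look at the CN.
make_csr my-web-server-lb.aaronrombaut.com lb \
  DNS:my-web-server-lb.aaronrombaut.com DNS:my-web-server-1.aaronrombaut.com \
  DNS:my-web-server-2.aaronrombaut.com DNS:my-web-server-lb \
  DNS:my-web-server-1 DNS:my-web-server-2 \
  IP:192.168.1.100 IP:192.168.1.101 IP:192.168.1.102 \
  IP:2001:0DB8:542a:6ec8:b41f:1307:1ca0:8300
echo "SAN in $WORK/lb.csr: $(csr_san "$WORK/lb.csr")"
```

Entries are emitted in the order given, so the SAN line that `csr_san` prints can be compared directly against the table for the server in question. A CA that honours the request's extensions will copy this SAN into the issued certificate; some CAs rebuild it from their own order form instead, so run the same `openssl ... -text` check on the certificate you get back.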
Combining Certificates to make a Personal Information Exchange (PFX) File
If you have individual certificates and private keys and want to combine them into a Personal Information Exchange (PFX) file for easy transport, here is the openssl command to follow.

```shell
openssl pkcs12 -export -out <name-your-certificate>.pfx -inkey <private-key-filename>.key -in <certificate-filename>.crt -certfile <name-of-file-with-additional-certificates>.crt
```
Extracting Certificates from a Personal Information Exchange (PFX) File
If you have a Personal Information Exchange (PFX) file but need to extract components, i.e. the machine certificate, the signing certificates, or the private key, then here are the openssl commands to follow.
Extract the client certificate

```shell
openssl pkcs12 -in <name-of-pfx-file>.pfx -out <name-of-certificate>.crt -clcerts -nodes -nokeys
```
Extract the signing chain certificates

```shell
openssl pkcs12 -in <name-of-pfx-file>.pfx -out <name-of-certificate-chain>.crt -cacerts -nodes -nokeys
```
Extract the private key

```shell
openssl pkcs12 -in <name-of-pfx-file>.pfx -out <name-of-private-key>.key -nocerts
```

Without `-nodes`, openssl prompts for a PEM pass phrase and writes the private key encrypted; add `-nodes` only when the consuming software really needs the key in clear text.
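The combine and extract commands above are inverses of each other, and the check worth doing after either one is that the private key you end up with actually belongs to the certificate you end up with. The script below is an added example, not code from the original post: it builds a PFX with the post's `-export` command, pulls the three parts back out with the post's extraction commands (with the password passed on the command line instead of prompted), and compares the public key derived from the extracted private key against the public key inside the extracted certificate. It assumes a POSIX shell and the openssl CLI (1.1.1 or later); the test CA, the leaf certificate, the function names, the working directory and the password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: round-trip the two sections above.
# Build a PFX from a key, a certificate and a chain file with the post's -export
# command, pull the three parts back out with the post's extraction commands, and
# then check that the recovered key really belongs to the recovered certificate.
# Assumes a POSIX shell and the openssl CLI (1.1.1 or later); the CA, the leaf
# certificate, the names and the password are constructed test material.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_test_material BASENAME   self-signed test CA plus a CA-signed leaf cert
make_test_material() {
  b="$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=Constructed Test CA' -keyout "$b-ca.key" -out "$b-ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=my-web-server.aaronrombaut.com' -keyout "$b.key" -out "$b.csr" 2>/dev/null
  printf 'subjectAltName = DNS:my-web-server.aaronrombaut.com\n' > "$b.ext"
  openssl x509 -req -in "$b.csr" -CA "$b-ca.crt" -CAkey "$b-ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$b.ext" -out "$b.crt" 2>/dev/null
}

# bundle_pfx BASENAME PASSWORD   the post's "Combining" command, password supplied
bundle_pfx() {
  b="$WORK/$1"
  openssl pkcs12 -export -out "$b.pfx" -inkey "$b.key" -in "$b.crt" \
    -certfile "$b-ca.crt" -passout "pass:$2"
}

# extract_pfx BASENAME PASSWORD   the post's three "Extracting" commands
extract_pfx() {
  b="$WORK/$1"; pw="pass:$2"
  openssl pkcs12 -in "$b.pfx" -passin "$pw" -out "$b-leaf.crt" -clcerts -nodes -nokeys
  openssl pkcs12 -in "$b.pfx" -passin "$pw" -out "$b-chain.crt" -cacerts -nodes -nokeys
  # -nodes here writes the key unencrypted; drop it to get a passphrase-protected key
  openssl pkcs12 -in "$b.pfx" -passin "$pw" -out "$b-extracted.key" -nocerts -nodes
}

# key_matches_cert KEYFILE CERTFILE   prints "match" or "mismatch"
# Compares the public key derived from the private key with the one in the cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_count FILE   number of PEM certificates in a file
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Demo
make_test_material demo
bundle_pfx demo 'constructed-password'
extract_pfx demo 'constructed-password'
echo "leaf certs: $(cert_count "$WORK/demo-leaf.crt"), chain certs: $(cert_count "$WORK/demo-chain.crt")"
echo "extracted key vs leaf cert: $(key_matches_cert "$WORK/demo-extracted.key" "$WORK/demo-leaf.crt")"
```

`-clcerts` returns only the certificate that carries the key's localKeyID, and `-cacerts` returns the rest, which is why the chain file holds just the CA certificate here. Comparing the two PEM public keys is the same test as comparing moduli and works for any key type openssl supports, so it is the quicker habit to form than the RSA-only modulus comparison.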