Adding a certificate trust chain to a PFX file

Christopher Dakin

Introduction

When installing an SSL certificate in LogonBox, one of the supported options is to upload a PKCS12 (pfx) file of your own.

Very often, though, a PKCS12 file will not contain the full trust chain that LogonBox needs, and the upload will therefore return an error.

This article details one method of obtaining the correct trust chain and repackaging it into a new file.


Extracting files from the pfx

This first step can be completed via a terminal or SSH session on your LogonBox server.

First, SFTP the pfx file to your LogonBox server (or to a Linux system with openssl installed).


Assuming the certificate is called mycert.pfx, perform the following:

Export the key: openssl pkcs12 -in mycert.pfx -out key.txt -nodes -nocerts
Enter the password for the pfx when prompted.


Export the certificate: openssl pkcs12 -in mycert.pfx -out cert.cer -nodes -nokeys
Enter the password for the pfx when prompted.


Creating the certificate chain bundle

SFTP the cert.cer file from the Linux system to a Windows machine.
Double click the certificate to open it in Windows.

Click the Certification Path tab: your certificate will be at the bottom of the chain, most likely with an intermediate certificate above it and a root certificate at the top.


Double click the intermediate certificate to open it, click the Details tab, then Copy to File.

Click Next, select Base-64 encoded X.509, then Next.

Give it a name like intermediate.cer, click Save, then Next then Finish.

Click OK then OK again to close the certificate.


Double click the Root certificate at the top of the list to open it, then click the Details tab, then Copy to File.

Click Next, select Base-64 encoded X.509 and click Next.

Give it a name like root.cer, click Save, then Next then Finish.

Click OK to close the root certificate, then OK again to close the main certificate.

Now open both the intermediate and root certificate files in a text editor.

Copy the contents of the root certificate file and paste it below the existing text in the intermediate file, so the bundle lists the intermediate first and the root after it.


Save the intermediate file and rename it to something like bundle.cer. SFTP bundle.cer back to the LogonBox/Linux system.


Creating the new pfx file

On the LogonBox system, we can now create a new PFX file with:

openssl pkcs12 -export -out newcert.pfx -inkey key.txt -in cert.cer -certfile bundle.cer

Enter a new password for the export and confirm this.

You now have a new certificate file which you can upload in the LogonBox UI without error.
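As an added example (not part of the original article or of LogonBox), the whole procedure as a script that can be checked end to end: it constructs a throwaway root/intermediate/leaf chain, packs the leaf into a PFX with no chain, then runs the extract, bundle and re-export steps described above, adding an openssl verify check of the bundle before re-exporting and a count of the certificates in each PFX afterwards. It assumes openssl is in PATH; every file name, subject name and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: runs the article's
# extract / bundle / re-export steps on a constructed test chain so the
# outcome can be checked. Assumes openssl in PATH; names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:changeit          # constructed demo password, not a real secret
cd "$WORK"

# Throwaway chain root -> intermediate -> leaf, with the leaf packed into a
# PFX *without* its chain: the situation the article starts from.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.cer 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out intermediate.cer 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=logonbox.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.cer -CAkey inter.key \
    -CAcreateserial -days 1 -out leaf.cer 2>/dev/null
  openssl pkcs12 -export -inkey leaf.key -in leaf.cer -out mycert.pfx -passout "$PASS"
}

# Number of certificates inside a PFX: 1 = leaf only, 3 = leaf+intermediate+root.
count_certs_in_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The article's procedure: split the PFX, bundle intermediate then root,
# check that the chain actually closes, then re-export with -certfile.
repackage_with_chain() {
  openssl pkcs12 -in mycert.pfx -out key.txt  -nodes -nocerts -passin "$PASS"
  openssl pkcs12 -in mycert.pfx -out cert.cer -nodes -nokeys  -passin "$PASS"
  cat intermediate.cer root.cer > bundle.cer
  openssl verify -CAfile bundle.cer cert.cer >/dev/null   # aborts if the bundle is incomplete
  openssl pkcs12 -export -out newcert.pfx -inkey key.txt -in cert.cer \
    -certfile bundle.cer -passout "$PASS"
}

make_test_chain
repackage_with_chain
echo "certificates in mycert.pfx: $(count_certs_in_pfx mycert.pfx)"   # 1
echo "certificates in newcert.pfx: $(count_certs_in_pfx newcert.pfx)" # 3
```

On a real server, replace the constructed chain with your own mycert.pfx, intermediate.cer and root.cer and keep only the repackage_with_chain and count_certs_in_pfx steps; a count of 1 on the new file means the bundle was not picked up.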