Technical Tip: Convert SSL cert file from .crt to .pfx format

btan · ‎02-19-2023

Description

FortiClient EMS only accepts SSL cert in .pfx format. This article describes how to convert SSL cert to .pfx format so that it can be uploaded to EMS.

Scope

Certain third-party CA does not provide SSL cert in .pfx format. for EMS 7.0+ to convert .crt cert to .pfx format.

Solution

In this example, let's say an SSL cert from Zero is purchased:

https://zerossl.com/

Zero will provide 3 items in a zip file:

ca_bundle.crt
certificate.crt
private-key.key

With these 3 items, it is possible to export a .pfx file using OpenSSL:

Download and install OpenSSL. Refer to: https://stackoverflow.com/questions/50625283/how-to-install-openssl-in-windows-10
In the CMD, navigate to the folder where the 3 items are located.

Example:

cd C:\Users\username\Desktop\cert-folder

Run the below command:

openssl pkcs12 -export -out new-pfx-cert.pfx -inkey private-key.key -in certificate.crt -certfile ca_bundle.crt

Enter the password chosen.
Enter the password once again for validation.
Once done, new-pfx-cert.pfx will be created in the same folder.
Go to EMS -> System Settings -> SSL certificate -> Upload.
Upload new-pfx.cert.pfx to EMS, and enter the password in 4), save the change.
EMS Apache service will restart, and EMS is now using the trusted cert.

The red circle shows the files from Zero.
The green circle is the output of the OpenSSL command.