I’ve been doing some research and testing related to tracing/APM in my home lab over the last few days. In doing so, I repeatedly ran into an administrative task I don’t exactly spend a lot of time dealing with, but one that felt like I could script pretty quickly. So I set aside an hour or so and banged this out — it’s certainly not rocket surgery, but every now and then it’s enjoyable to whip up a little something that I know I’ll find at least somewhat convenient to have around. Maybe you will too.
In my lab, mainly to keep up my “muscle memory” in this area, I maintain an Active Directory Certificate Authority and use it to create SSL certs for the various services I run. Windows, by default, exports the certs and private keys in PFX format, from which the PEM certificate(s) and private keys must be extracted for use. Usually, but not always, I use them in TLS Secrets for services/ingresses in my Kubernetes cluster, on which I haven’t (yet) implemented cert-manager. While it’s definitely not an everyday task for me, it can be a bit tedious to run the same commands over and over, copy and paste the values around, etc. etc. And regardless I figure perhaps somebody out there might find it useful.
What I’ve done with this script is to just wrap some openssl commands to make the process easier. Give the certificate a friendly name, point it at your PFX file, and you’ll get the following output to a destination you specify:
- The server certificate in PEM format
- Any signing chain certificates in the bundle
- The private key, encrypted with a passphrase of your choosing
- The private key, unencrypted
- YAML for a TLS Secret
Tested on Ubuntu Jammy, though I assume it should be pretty universal. I’m definitely not the world’s best bash guy, so I more than welcome feedback/PRs. Have a look if you’re interested!
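The extraction steps listed above, sketched as an added example; this is not the author's script. The function name `pfx_extract`, its argument order, the output file names and the `PFX_PASS`/`KEY_PASS` environment variables are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not the author's script. Names and file layout are assumptions.
# Passphrases are read from the PFX_PASS and KEY_PASS environment variables so
# the values are not passed as command-line arguments.
# Usage: pfx_extract <friendly-name> <file.pfx> <output-dir>

pfx_extract() (
  name="$1" pfx="$2" out="$3"
  export PFX_PASS KEY_PASS
  umask 077                      # everything written below is owner-only
  mkdir -p "$out" || exit 1
  p12() { openssl pkcs12 -in "$pfx" -passin env:PFX_PASS "$@"; }

  # Server (leaf) certificate; re-encoding via x509 drops the "Bag Attributes" text
  p12 -clcerts -nokeys | openssl x509 -out "$out/$name.crt" || exit 1

  # Signing chain: certificates in the bundle that have no matching private key
  p12 -cacerts -nokeys |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      > "$out/$name-chain.crt"

  # Unencrypted private key (-nodes: do not encrypt the output)
  p12 -nocerts -nodes | openssl pkey -out "$out/$name.key" || exit 1

  # Same key, re-encrypted as PKCS#8 with AES-256 under KEY_PASS
  openssl pkey -in "$out/$name.key" -aes256 -passout env:KEY_PASS \
    -out "$out/$name.enc.key" || exit 1

  # kubernetes.io/tls Secret; tls.crt carries leaf + chain (a choice made here)
  crt_b64=$(cat "$out/$name.crt" "$out/$name-chain.crt" | openssl base64 -A)
  key_b64=$(openssl base64 -A -in "$out/$name.key")
  cat > "$out/$name-secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
EOF
)
```

The Secret manifest and the `.key` file both hold the private key in recoverable form, so treat the output directory like the key itself and remove it once the Secret is applied.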