On Thu, Jan 13, 2011 at 03:36:41PM -0800, Gary Smith wrote:
> # Export certificate
> openssl pkcs12 -in original.pfx -out hsserver01.cer -nodes
This takes in PKCS12 and outputs an unencrypted PKCS12. Not a good idea,
your private key is compromised, unless your umask was 077.
> # Export public key -- not important here it seems
> openssl pkcs12 -in original.pfx -out hsserver01.pub -clcerts -nokeys
This is still the leaf X.509v3 certificate, but not the key.
> # Export private key
> openssl pkcs12 -in original.pfx -out hsserver01.pem -clcerts
This outputs a PKCS12 with the private key and no CA certs.
You need a file with the private key in PEM format to use as
smtpd_tls_key_file. For that:
(
umask 077
openssl pkcs12 -nodes -nocerts -out certkey.pem -in certkey.p12
)
Then you can append the certificate chain:
openssl pkcs12 -nokeys -in certkey.p12 >> certkey.pem
--
Viktor.
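
Added example, not part of the original message: the extraction steps from the reply above run against a throwaway PKCS#12 bundle, followed by two checks on the result (file mode, and that the private key belongs to the certificate). The file names, the password "demo" and the subject demo.invalid are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo; file names and the password "demo" are assumptions.

make_demo_p12() {    # $1 = work dir; creates a throwaway $1/certkey.p12
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout pass:demo -out "$1/certkey.p12"
}

extract_pem() {      # $1 = work dir; writes $1/certkey.pem, key first, then certs
    (
        umask 077
        # umask only applies to newly created files, so drop any stale copy
        rm -f "$1/certkey.pem"
        openssl pkcs12 -nodes -nocerts -passin pass:demo \
            -in "$1/certkey.p12" -out "$1/certkey.pem"
    ) 2>/dev/null &&
    # Appending keeps the 0600 mode set when the file was created
    openssl pkcs12 -nokeys -passin pass:demo -in "$1/certkey.p12" \
        >> "$1/certkey.pem" 2>/dev/null
}

pem_mode() {         # prints the ls-style mode string, e.g. -rw-------
    ls -ld "$1" | cut -c1-10
}

key_matches_cert() { # succeeds when the key and the first certificate share a public key
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) &&
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the whole procedure in a scratch directory and report the two checks
d=$(mktemp -d) && make_demo_p12 "$d" && extract_pem "$d" &&
    echo "mode: $(pem_mode "$d/certkey.pem")" &&
    key_matches_cert "$d/certkey.pem" && echo "key matches certificate"
rm -rf "$d"
```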