Convert PEM to PFX certificates to use with VMware UAGs
Although the VMware Universal Access Gateways can use either PEM certificates or PFX ones, I prefer to use PFX. The problem is that some issuers (I’m looking right at you GoDaddy), don’t issue PFX certificates right from their dashboards and we, as admin, have to figure out how to convert them to our format of choice. After searching this and forgetting this, time and time again, I finally decided to just write out all the steps for handy reference in the future!
The basic steps in doing the conversion that we will use revolve around the OpenSSL program. This Open Source utility is the gold standard for converting certificates between various formats. You have quite a few options on where to get the binaries (and source code) for the openssl program but I just used the softpedia site.
Creating the CSR
Once you’ve stepped through the process of installing OpenSSL on your machine (setup, next, next, finish), you will need to generate a CSR in order to create a private KEY file. This will be the private file that is used for binding and for the final conversation to PFX.
openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
The command above will generate a Certificate Signing Request or CSR that you will use to request the certificate from either GoDaddy or your certificate issuer. After running the command, you’ll have to enter some additional information such as Country Code, State, City, Org. Name, Org. Unit, Common Name, Email, Password and Company Name. Some of these fields are optional and will be noted as such.
This will generate two files in our example, domain.com.key and domain.com.csr
- For GoDaddy, you sign into the UI and sign the freshly generated domain.com.csr.
- Once approved and processed, choose Other when you download the CRT files. It should provide you with your signed GoDaddy.crt (random character string) and their public gd_bundle.crt.
Converting to PFX
With these two files in hand as well as your Private KEY file generated from the CSR, you run the following command:
openssl pkcs12 -export -chain -CAfile gd_bundle.crt.crt -in c2ae9ec9eee57940.crt -inkey domain.com.key -out domain.com.pfx -name domain.com -passout pass:handyblogpost
This will create the domain.com.pfx with the associated password. With this new PFX file and password combination, you can upload it to your UAG servers for SSL compatibility.
Now that they are SSL secured, why not finish the security audit by jumping to this post:
How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment.
So after a recent deployment of VMware’s Universal Access Gateway appliance (v3.3.0), it seems that out of the box, this appliance gets a B grade from SSLLABS.COM. Obviously you want to make sure you get an A rating from a security perspective so here are the steps we took to achieve an A+ rating on […]