PROWAREtech

articles » current » asp-net-core » kestrel » convert-crt-to-pfx

ASP.NET Core: Convert CRT file to PFX File for Kestrel Server

How to convert a .crt file to a .pfx (pkcs12) file for use with the ASP.NET Kestrel server.

This article uses Linux (Ubuntu) to create a .CSR (certificate request) file and then converts a .CRT (coming from the certificate authority) to a .PFX file. It requires OpenSSL which is available for Windows.

Already have a .CRT file (and its private key)? Skip to the creation of the PFX file.

CSR Information

Fill out the CSR code details correctly (see below). The validation process for business SSL certificates requires that details be entered accurately.

  • Common Name (the domain name the Certificate will be issued for)

    For example - acme.com

    Note! For Wildcard certificates, the Common Name should be represented with an asterisk in front (e.g. *.acme.com).

  • Country (two-letter code)

    Country (C) – the two-letter code of the country where the company or applicant is located (for example, GB for Great Britain or US for the United States; you can check your country code here.)

  • State (or province)

    State (S) – the state, county or region the company or applicant is located in (e.g. California).

  • Locality (or city)

    Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.

  • Organization (your company name. Feel free to put "NA" here for any Domain Validated certificate)

    Organization (O) – the officially registered name of the organization that is applying for a certificate (e.g. Acme Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with "NA".

  • Organizational Unit (department. Feel free to put "NA" here for any any Domain Validated certificate)

    Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).

  • Email address (put a valid email address here)

    Email Address – an email address of the company or the applicant. This field is optional.

    Note! This email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.

  • Challenge Password and Optional Company Name - do not use challenge password and leave Optional Company Name field empty. These values are now obsolete.

RSA Key Algorithm

The RSA algorithm is an asymmetric cryptography algorithm. This basically means that there are two keys involved while communicating, i.e., the Public key and Private key. The RSA key algorithm is the algorithm most widely used in digital security. You can refer to this article for more information.

Run the following command on a Linux machine to generate the CSR. Running this command in the folder where you will store the SSL files to avoid confusion later on.

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out server.csr

The results should be similar to the following:

openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out server.csr
.+....+......+......+..+..................+...+....+..+......+.......+........+
..+....+......+..................+...+..+.+.....+......+.++++++++++++++++++++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme, Inc.
Organizational Unit Name (eg, section) []:NA
Common Name (e.g. server FQDN or YOUR name) []:acme.com
Email Address []:support@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Finally, Convert CRT to PFX

To convert a CRT file received from a certificate authority into a PFX file requires the private key generated during the above steps (during the creation of the certificate request).

Run the following command replacing "file.crt" with the name of the certificate file received from the certificate authority and "private.key" with the name of the private key file created during the creation of the request.

openssl pkcs12 -export -out file.pfx -inkey private.key -in file.crt

The generated PFX file is ready to be used with the ASP.NET Kestrel server as detailed in this article.


PROWAREtech

Hello there! How can I help you today?
Ask any question

PROWAREtech

This site uses cookies. Cookies are simple text files stored on the user's computer. They are used for adding features and security to this site. Read the privacy policy.
ACCEPT REJECT