PROWAREtech
ASP.NET Core: Convert CRT file to PFX File for Kestrel Server
This article uses Linux (Ubuntu) to create a .CSR (certificate signing request) file and then converts a .CRT file (coming from the certificate authority) to a .PFX file. It requires OpenSSL, which is also available for Windows.
Already have a .CRT file (and its private key)? Skip to the creation of the PFX file.
CSR Information
Fill out the CSR code details correctly (see below). The validation process for business SSL certificates requires that details be entered accurately.
- Common Name (the domain name the Certificate will be issued for)
  For example - acme.com
  Note! For Wildcard certificates, the Common Name should be represented with an asterisk in front (e.g. *.acme.com).
- Country (two-letter code)
  Country (C) – the two-letter code of the country where the company or applicant is located (for example, GB for Great Britain or US for the United States; you can check your country code here).
- State (or province)
  State (S) – the state, county or region the company or applicant is located in (e.g. California).
- Locality (or city)
  Locality (L) – the city where the company or applicant is located (e.g. Los Angeles). This parameter should not be abbreviated.
- Organization (your company name. Feel free to put "NA" here for any Domain Validated certificate)
  Organization (O) – the officially registered name of the organization that is applying for a certificate (e.g. Acme Inc.). For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with "NA".
- Organizational Unit (department. Feel free to put "NA" here for any Domain Validated certificate)
  Organization Unit (OU) – the name of the department or division within the submitted organization (e.g. SSL Support).
- Email address (put a valid email address here)
  Email Address – an email address of the company or the applicant. This field is optional.
  Note! This email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.
- Challenge Password and Optional Company Name - do not use challenge password and leave Optional Company Name field empty. These values are now obsolete.
RSA Key Algorithm
The RSA algorithm is an asymmetric cryptography algorithm. This basically means that there are two keys involved while communicating, i.e., the Public key and Private key. The RSA key algorithm is the algorithm most widely used in digital security. You can refer to this article for more information.
Run the following command on a Linux machine to generate the CSR. Run it in the folder where you will store the SSL files to avoid confusion later on.
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out server.csr
The results should be similar to the following:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out server.csr
.+....+......+......+..+..................+...+....+..+......+.......+........+
..+....+......+..................+...+..+.+.....+......+.++++++++++++++++++++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme, Inc.
Organizational Unit Name (eg, section) []:NA
Common Name (e.g. server FQDN or YOUR name) []:acme.com
Email Address []:support@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Finally, Convert CRT to PFX
Converting a CRT file received from a certificate authority into a PFX file requires the private key generated during the above steps (during the creation of the certificate request).
Run the following command, replacing "file.crt" with the name of the certificate file received from the certificate authority and "private.key" with the name of the private key file created during the creation of the request.
openssl pkcs12 -export -out file.pfx -inkey private.key -in file.crt
The generated PFX file is ready to be used with the ASP.NET Kestrel server as detailed in this article.
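A check worth running before the conversion, as an added example that is not part of the original article: it confirms that file.crt carries the same public key as private.key and server.csr, and only then exports the PFX. The function names and the PFX_PASS variable are choices made for this example, and a self-signed certificate stands in for the one a certificate authority would return.

```shell
#!/bin/sh
# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|crt   $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only when both files carry the same public key.
same_key() {  # $1 = kind  $2 = file  $3 = kind  $4 = file
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Export the PFX only after the match check. The export password is read from
# the PFX_PASS environment variable (a name assumed for this example), which
# keeps it off the command line; umask 077 makes the PFX owner-only.
make_pfx() {  # $1 = file.crt  $2 = private.key  $3 = file.pfx
    same_key crt "$1" key "$2" ||
        { echo "certificate does not match key" >&2; return 1; }
    ( umask 077 &&
      openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout env:PFX_PASS )
}

# Constructed fixture standing in for the CA round trip: key + CSR as in the
# article (-subj replaces the prompts; -nodes leaves private.key unencrypted),
# the CSR self-signed to act as file.crt, plus an unrelated key.
make_fixture() {  # $1 = directory
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/private.key" \
        -out "$1/server.csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Acme Inc/CN=acme.com" &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/private.key" -days 1 \
        -out "$1/file.crt" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key"
} 2>/dev/null

demo() {
    d=$(mktemp -d) && make_fixture "$d" || return 1
    export PFX_PASS='constructed-demo-password'
    same_key csr "$d/server.csr" crt "$d/file.crt" && echo "CSR and certificate match"
    make_pfx "$d/file.crt" "$d/other.key" "$d/bad.pfx" || echo "mismatched key rejected"
    make_pfx "$d/file.crt" "$d/private.key" "$d/file.pfx" &&
        openssl pkcs12 -in "$d/file.pfx" -passin env:PFX_PASS -noout && echo "PFX verified"
    rm -rf "$d"
}
demo
```

With real files, call make_pfx file.crt private.key file.pfx after exporting PFX_PASS; the same password is then what the server needs to open the PFX.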