How to Convert a .pfx (or .p12) file and Import the Keyring and Certificate for use in a Reverse Proxy ProxySG Deployment


Article ID: 169357


Updated On:


ProxySG Software - SGOS


A .pfx (or .p12) file is an archive container format which can contain many cryptographic objects (like private keys and certificates) in a single file.

To import the information in a .pfx or .p12 file, the first thing you have to do is to extract both in PEM format, which is the format the ProxySG requires. To do this, use OpenSSL which is installed an almost all Linux distributions by default. There are also pre-compiled Windows binaries available, in case you do not have access to a Linux machine (or do not want to use one). The commands are identical on both Linux and Windows:

openssl pkcs12 -in inputfile.pfx -out outputfile.pem -nodes
You will be prompted for the password that was used to encrypt inputfile.pfx (in order to protect the private key).

When you open outputfile.pem to a text editor, you will see:
  1.  The private key (copy this to clipboard, including the lines ---BEGIN PRIVATE KEY--- and ---END PRIVATE KEY---)
  2. A certificate or multiple certificates (most often this is the certificate chain)

You will need the private key first in order to create the keyring on the ProxySG.
  1. Navigate to Configuration > SSL > Keyrings
  2. Click Create
  3. Name the keyring and select the Private key visibility. This setting determines whether or not you will be able to export the private key from the ProxySG (for example for backup purposes)
  4. Select Import existing private key and paste the private key from outputfile.pem into the text field:

If the private key is encrypted with a password, tick the "Private key password" box and enter the password. Otherwise simply remove the check from that checkbox.
  1.  click OK, then Apply

Now that you have the keyring installed on the ProxySG, you need to import the certificate that will be presented to clients. In a reverse proxy deployment, this is a web server certificate. That is, the one that has the domain name as the Common Name (CN).

In order to import the certificate:
  1. Select only the webserver certificate from outputfile.pem, and copy to clipboard (including the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- lines)
  2. On the ProxySG, navigate to Configuration > SSL > Keyrings
  3. Select the keyring you just created and click Edit.
  4. Click Import under Certificate (not Certificate Signing Request) and paste the certificate PEM
  5. Click OK, Close, then Apply

You now have a keyring with a certificate that you can reference in your reverse SSL proxy listener/service (under Configuration > Services).