Converting a PFX file to seeq-key.pem and seeq-cert.pem
Seeq requires the private key and the certificates to be in two separate files, so the exported PFX file has to be converted to seeq-key.pem (the private key) and seeq-cert.pem (the certificate, plus the intermediate certificates and the certificate authority certificate if it was not issued by a known certificate authority). OpenSSL is an excellent tool for converting between certificate formats, and it is included in macOS and Linux. OpenSSL for Windows can be downloaded from https://wiki.openssl.org/index.php/Binaries .
Extracting the private key
Run the following OpenSSL command to extract the private key from a PFX file to a PEM file. The -nodes option writes the key without encryption, so restrict access to seeq-key.pem:
openssl pkcs12 -in yourpfxfile.pfx -nocerts -out seeq-key.pem -nodes
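If there is a password on the .pfx file, add the -passin parameter. Without -passin, OpenSSL prompts for the password, which keeps it out of shell history and process listings: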
openssl pkcs12 -in yourpfxfile.pfx -nocerts -out seeq-key.pem -nodes -passin pass:yourpassword
Extracting all certificates
Run the following OpenSSL command to extract the certificates from a PFX file to a PEM file:
openssl pkcs12 -in yourpfxfile.pfx -nokeys -out seeq-cert.pem -nodes
If there is a password on the .pfx file, add the -passin parameter:
openssl pkcs12 -in yourpfxfile.pfx -nokeys -out seeq-cert.pem -nodes -passin pass:yourpassword
This will extract all the certificates found in the PFX file, but unfortunately there's no guarantee that they are in the right order. The order should be server/client certificate first, then any intermediate certificates and finally the CA certificate. If the certificate is issued by an official/trusted certificate authority, only the server/client certificate needs to be in the seeq-cert.pem file. After extracting the certificates, open the seeq-cert.pem file in a text editor and make sure it only contains certificate blocks (beginning with a -----BEGIN CERTIFICATE----- marker and ending with a -----END CERTIFICATE----- marker). If there's any text between the marker for the end of one certificate and the marker for the beginning of another certificate (for example a description of the certificate, bag attributes, or information about the certificate subject or issuer), it must be deleted.
The generated seeq-cert.pem file can be verified using the methods described in Verifying the seeq-cert.pem certificate file.
Extracting only the client certificate (Advanced)
To only extract the client certificate from the PFX file, use the following command. Note that this command should only be used if you want to manually assemble the final seeq-cert.pem file.
openssl pkcs12 -in yourpfxfile.pfx -nokeys -out seeq-cert-client.pem -nodes -clcerts
Extracting only the CA certificate (Advanced)
To only extract the CA certificate from the PFX file, use the following command. Note that this command should only be used if you want to manually assemble the final seeq-cert.pem file.
openssl pkcs12 -in yourpfxfile.pfx -nokeys -out seeq-cert-ca.pem -nodes -cacerts
Once you have generated these two files (“seeq-key.pem” and “seeq-cert.pem”), place them in the keys folder under the Seeq global folder, then restart Seeq. (Please refer to this document for the detailed next steps.)
Keys Folder
The keys folder where the two certificate files are to be copied is not created by default. You need to create it manually. To find the Seeq global folder, run the command below in the Seeq command prompt:
seeq config get folders
From the output, get the value for
Folders/Global
Navigate to the folder and create a folder named “keys”, then copy the two cert files into it. Upon restarting Seeq, the certificate should be picked up by the system and be valid.
Troubleshooting
For troubleshooting and verification information, see Troubleshooting Secure Configuration (SSL/TLS)