In [None]:
openssl pkcs12 -in your_certificate.pfx -nocerts -nodes -out cert_key.pem -passin pass:
openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out cert_cert.pem -passin pass:
openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out cert_cert.pem -passin pass:
openssl pkcs12 -in your_certificate.pfx -cacerts -nokeys -out cert_chain.pem -passin pass:
openssl verify -CAfile cert_chain.pem cert_cert.pem

In [None]:
openssl verify -CAfile cert_chain.pem cert_cert.pem

In [None]:
def extract_and_validate_certificates(pfx_file, output_dir='certificates', base_name='cert'):
    """
    Extracts the private key, public certificate, and certificate chain from a .pfx file without a password.
    Validates the certificate chain.

    Parameters:
    - pfx_file: Path to the .pfx file.
    - output_dir: Directory to save the extracted certificates.
    - base_name: Base name for the output files.
    """
    # Ensure the output directory exists
    if not os.path.exists(output_dir):
        os.makedirs(output_dir)

    # Define output file paths
    key_path = os.path.join(output_dir, f'{base_name}_key.pem')
    cert_path = os.path.join(output_dir, f'{base_name}_cert.pem')
    chain_path = os.path.join(output_dir, f'{base_name}_chain.pem')
    fullchain_path = os.path.join(output_dir, f'{base_name}_fullchain.pem')

    try:
        # Step 1: Extract the private key (unencrypted)
        print('Extracting the private key...')
        subprocess.run([
            'openssl', 'pkcs12', '-in', pfx_file,
            '-nocerts', '-nodes', '-out', key_path, '-passin', 'pass:'
        ], check=True)

        # Step 2: Extract the public certificate
        print('Extracting the public certificate...')
        subprocess.run([
            'openssl', 'pkcs12', '-in', pfx_file,
            '-clcerts', '-nokeys', '-out', cert_path, '-passin', 'pass:'
        ], check=True)

        # Step 3: Extract the CA certificate chain
        print('Extracting the CA certificate chain...')
        # Using a temporary file to handle cases where there is no CA chain
        with tempfile.NamedTemporaryFile(delete=False) as tmp_chain:
            subprocess.run([
                'openssl', 'pkcs12', '-in', pfx_file,
                '-cacerts', '-nokeys', '-out', tmp_chain.name, '-passin', 'pass:'
            ], check=True)
            tmp_chain_path = tmp_chain.name

        # Check if the temporary chain file is not empty
        if os.path.getsize(tmp_chain_path) > 0:
            os.rename(tmp_chain_path, chain_path)
            chain_exists = True
        else:
            # If there's no chain, remove the temporary file
            os.unlink(tmp_chain_path)
            chain_exists = False

        # Step 4: Combine the certificate and the chain
        print('Combining the certificate and the chain...')
        with open(fullchain_path, 'w') as outfile:
            with open(cert_path, 'r') as infile:
                outfile.write(infile.read())
            if chain_exists:
                with open(chain_path, 'r') as infile:
                    outfile.write(infile.read())

        # Step 5: Validate the certificate chain
        print('Validating the certificate chain...')
        if chain_exists:
            subprocess.run([
                'openssl', 'verify', '-CAfile', chain_path, cert_path
            ], check=True)
        else:
            # If there's no chain, use the system's default CA certificates
            subprocess.run([
                'openssl', 'verify', cert_path
            ], check=True)

        print('Certificate chain is valid.')
        print(f'Certificates have been saved in the "{output_dir}" directory.')
    except subprocess.CalledProcessError as e:
        print(f'An error occurred: {e}')
    except Exception as e:
        print(f'Unexpected error: {e}')


In [None]:
# Path to the .pfx file (without a password)
pfx_file = 'path/to/your_certificate.pfx'

# Call the function
extract_and_validate_certificates(pfx_file)


In [None]:
a. Locate the System Trusted Certificates Directory
On Red Hat-based systems (like CentOS or Fedora), the trusted CA certificates are usually located in:

Certificates Directory: /etc/pki/ca-trust/extracted/pem/
CA Bundle File: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Anchors Directory (for custom certificates): /etc/pki/ca-trust/source/anchors/

In [None]:
ls -l /etc/pki/ca-trust/extracted/pem/
ls -l /etc/pki/ca-trust/source/anchors/
less /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
grep -A 1 -B 1 "Common Name" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
grep -A 1 -B 1 "My Company Proxy" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
sudo cp proxy_cert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
grep -A 1 -B 1 "My Company Proxy" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
import requests
print(requests.certs.where())
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/usr/lib/python3.6/site-packages/certifi/cacert.pem


In [None]:
import requests

# Path to the system CA bundle
system_ca_bundle = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'

# Create a session that uses the system CA bundle
session = requests.Session()
session.verify = system_ca_bundle

# Use the session for your requests
response = session.get('https://your_service')


In [None]:
openssl s_client -connect your_service:443 -proxy your_proxy:proxy_port -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
openssl s_client -connect vendor_service.com:443 -proxy proxy.company.com:8080 -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
openssl verify -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem server_cert.pem


In [None]:
from cryptography.hazmat.primitives.serialization import pkcs12, Encoding, NoEncryption, PrivateFormat
from cryptography.hazmat.backends import default_backend
import os
from typing import Optional
import getpass

def process_pfx_file(pfx_file: str, pfx_password: Optional[str] = None, output_dir: str = 'certificates', base_name: str = 'certificate', proxy_cert: Optional[str] = None):
    """
    Processes a .pfx file to extract the private key, public certificate, and intermediate/root certificates.
    Combines the certificates in the correct order and optionally adds the proxy certificate.

    Parameters:
    - pfx_file: Path to the .pfx file provided by the vendor.
    - pfx_password: Password for the .pfx file. If not provided, it will be requested from the user.
    - output_dir: Directory where the extracted certificates will be saved.
    - base_name: Base name for the extracted files.
    - proxy_cert: Path to the proxy certificate in PEM format (optional).
    """
    # Request the password for the .pfx file if not provided
    if pfx_password is None:
        pfx_password = getpass.getpass('Enter the password for the .pfx file (leave blank if none): ')
        if pfx_password == '':
            pfx_password = None
        else:
            pfx_password = pfx_password.encode()
    else:
        pfx_password = pfx_password.encode()

    # Create the output directory if it doesn't exist
    if not os.path.exists(output_dir):
        os.makedirs(output_dir)

    # Read the .pfx file
    with open(pfx_file, 'rb') as f:
        pfx_data = f.read()

    # Load the PKCS12 data
    private_key, certificate, additional_certificates = pkcs12.load_key_and_certificates(pfx_data, pfx_password)

    # Paths for the output files
    key_path = os.path.join(output_dir, f'{base_name}_key.pem')
    cert_path = os.path.join(output_dir, f'{base_name}_cert.pem')
    chain_path = os.path.join(output_dir, f'{base_name}_chain.pem')
    fullchain_path = os.path.join(output_dir, f'{base_name}_fullchain.pem')
    ca_certificates_path = os.path.join(output_dir, f'{base_name}_ca_certificates.pem')

    # Save the private key
    if private_key is not None:
        print('Saving the private key...')
        with open(key_path, 'wb') as f:
            # Save without encryption - be cautious with the private key file
            f.write(private_key.private_bytes(
                encoding=Encoding.PEM,
                format=PrivateFormat.PKCS8,
                encryption_algorithm=NoEncryption()
            ))
    else:
        print('No private key found in the .pfx file.')

    # Save the public certificate
    if certificate is not None:
        print('Saving the public certificate...')
        with open(cert_path, 'wb') as f:
            f.write(certificate.public_bytes(Encoding.PEM))
    else:
        print('No certificate found in the .pfx file.')

    # Save additional certificates (chain)
    if additional_certificates is not None and len(additional_certificates) > 0:
        print('Saving intermediate and root certificates...')
        with open(chain_path, 'wb') as f:
            for cert in additional_certificates:
                f.write(cert.public_bytes(Encoding.PEM))
    else:
        print('No additional certificates found in the .pfx file.')
        chain_path = None

    # Combine the certificates in the correct order
    print('Combining certificates in the correct order...')
    with open(fullchain_path, 'wb') as outfile:
        if certificate is not None:
            with open(cert_path, 'rb') as infile:
                outfile.write(infile.read())
        if chain_path is not None:
            with open(chain_path, 'rb') as infile:
                outfile.write(infile.read())

    # Combine the chain with the proxy certificate if provided
    if proxy_cert:
        print('Adding the proxy certificate...')
        with open(ca_certificates_path, 'wb') as outfile:
            if chain_path is not None:
                with open(chain_path, 'rb') as infile:
                    outfile.write(infile.read())
            with open(proxy_cert, 'rb') as infile:
                outfile.write(infile.read())
        print(f'CA certificates combined in: {ca_certificates_path}')
    else:
        ca_certificates_path = chain_path  # Use only the vendor's certificate chain

    print('Process completed successfully.')
    print(f'Certificates have been saved in the directory: {output_dir}')
    print('Generated files:')
    if private_key is not None:
        print(f'- Private key: {key_path}')
    if certificate is not None:
        print(f'- Public certificate: {cert_path}')
    if chain_path is not None:
        print(f'- Certificate chain: {chain_path}')
    print(f'- Full certificate chain: {fullchain_path}')
    if proxy_cert:
        print(f'- CA certificates (including proxy): {ca_certificates_path}')
    elif chain_path is not None:
        print(f'- CA certificates: {ca_certificates_path}')


In [None]:
if __name__ == '__main__':
    # Path to the .pfx file provided by the vendor
    pfx_file = 'your_certificate.pfx'  # Replace with your actual .pfx file name

    # Password for the .pfx file (optional)
    pfx_password = None  # It will be requested if not provided

    # Directory where the extracted certificates will be saved
    output_dir = 'extracted_certificates'

    # Base name for the extracted files
    base_name = 'vendor_cert'

    # Path to the proxy certificate (optional)
    proxy_cert = None  # Or 'path/to/proxy_cert.pem' if you have it

    # Call the function
    process_pfx_file(pfx_file, pfx_password, output_dir, base_name, proxy_cert)


In [None]:
from cryptography import x509
from certvalidator import CertificateValidator, ValidationContext

def validate_certificate_chain(cert_path, chain_paths):
    # Load the end-entity certificate
    with open(cert_path, 'rb') as f:
        cert_data = f.read()
    end_entity_cert = x509.load_pem_x509_certificate(cert_data)

    # Load the intermediate certificates
    intermediate_certs = []
    for chain_path in chain_paths:
        with open(chain_path, 'rb') as f:
            chain_data = f.read()
        certs = x509.load_pem_x509_certificates(chain_data)
        intermediate_certs.extend(certs)

    # Create a validation context
    context = ValidationContext(trust_roots=intermediate_certs)

    # Validate the certificate
    validator = CertificateValidator(end_entity_cert, intermediate_certs, validation_context=context)
    try:
        validator.validate_usage(set())
        print('Certificate chain is valid.')
    except Exception as e:
        print('Certificate validation failed:', e)
