In [None]:
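# Unpack a password-less .pfx: "-passin pass:" supplies the empty password so
# openssl does not prompt. The private key comes out unencrypted (-nodes), so it
# is created under a private umask in a subshell (no window where it is readable
# by others, and the umask does not leak into the rest of the shell).
( umask 077; openssl pkcs12 -in your_certificate.pfx -nocerts -nodes -out cert_key.pem -passin pass: )
# Leaf certificate only (-clcerts), no key material.
openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out cert_cert.pem -passin pass:
# CA certificates only (-cacerts); the output may be empty when the .pfx carries no chain.
openssl pkcs12 -in your_certificate.pfx -cacerts -nokeys -out cert_chain.pem -passin pass:
# Confirm the leaf chains to the CA certificates that came out of the same .pfx.
openssl verify -CAfile cert_chain.pem cert_cert.pem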

In [None]:
# Re-run only the chain check: the leaf in cert_cert.pem must be issued by a
# certificate in cert_chain.pem. This checks signatures, validity dates and the
# trust anchor; it does not check a hostname or revocation status.
openssl verify -CAfile cert_chain.pem cert_cert.pem

In [None]:
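def extract_and_validate_certificates(pfx_file, output_dir='certificates', base_name='cert'):
    """
    Extracts the private key, public certificate, and certificate chain from a .pfx file without a password.
    Validates the certificate chain.

    Parameters:
    - pfx_file: Path to the .pfx file. It is assumed to have an empty password
      (openssl is called with ``-passin pass:``); a password-protected file
      fails at the first step.
    - output_dir: Directory to save the extracted certificates. Created with
      mode 0o700 when missing (an existing directory keeps its permissions).
    - base_name: Base name for the output files.

    Returns:
    - On success, a dict with keys ``key``, ``cert``, ``chain`` (None when the
      .pfx carries no CA certificates) and ``fullchain`` holding the written
      paths. On any failure the error is printed and None is returned; the
      function never raises for openssl errors (deliberate best-effort
      behaviour for notebook use).

    Side effects:
    - Writes ``<base_name>_key.pem`` (unencrypted, mode 0o600),
      ``<base_name>_cert.pem``, optionally ``<base_name>_chain.pem`` and
      ``<base_name>_fullchain.pem`` into output_dir; prints progress.
    """
    # Local imports keep the cell self-contained: the notebook has no import cell.
    import os
    import subprocess
    import tempfile

    # Presence of this marker, rather than a non-zero file size, decides whether
    # openssl actually emitted a CA certificate (a .pfx without CA certs can still
    # yield a file that only contains header lines).
    pem_cert_marker = '-----BEGIN CERTIFICATE-----'

    def _run_openssl(args):
        """Run one openssl sub-command; raises CalledProcessError on non-zero exit."""
        subprocess.run(['openssl', *args], check=True)

    # The private key is written in the clear (-nodes), so keep the directory private.
    os.makedirs(output_dir, mode=0o700, exist_ok=True)

    # Define output file paths
    key_path = os.path.join(output_dir, f'{base_name}_key.pem')
    cert_path = os.path.join(output_dir, f'{base_name}_cert.pem')
    chain_path = os.path.join(output_dir, f'{base_name}_chain.pem')
    fullchain_path = os.path.join(output_dir, f'{base_name}_fullchain.pem')

    try:
        # Step 1: Extract the private key (unencrypted).
        # Create the key file with mode 0o600 *before* openssl writes it: openssl
        # truncates an existing file and keeps its mode, so the key is never
        # readable by other users, not even briefly (a chmod afterwards would
        # leave a window with the umask's default permissions).
        print('Extracting the private key...')
        key_fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.close(key_fd)
        _run_openssl(['pkcs12', '-in', pfx_file,
                      '-nocerts', '-nodes', '-out', key_path, '-passin', 'pass:'])

        # Step 2: Extract the public certificate
        print('Extracting the public certificate...')
        _run_openssl(['pkcs12', '-in', pfx_file,
                      '-clcerts', '-nokeys', '-out', cert_path, '-passin', 'pass:'])

        # Step 3: Extract the CA certificate chain.
        # The temporary file lives in output_dir so the later rename never
        # crosses a filesystem boundary (renaming out of the default temp
        # directory can fail with EXDEV). The handle is closed before openssl
        # writes to the path, which also works on platforms that forbid
        # writing to an open temporary file.
        print('Extracting the CA certificate chain...')
        with tempfile.NamedTemporaryFile(dir=output_dir, suffix='.tmp', delete=False) as tmp_chain:
            tmp_chain_path = tmp_chain.name
        chain_exists = False
        try:
            _run_openssl(['pkcs12', '-in', pfx_file,
                          '-cacerts', '-nokeys', '-out', tmp_chain_path, '-passin', 'pass:'])
            with open(tmp_chain_path, 'r') as tmp_in:
                chain_exists = pem_cert_marker in tmp_in.read()
        finally:
            # Keep the file only when it holds a certificate; on an openssl
            # failure chain_exists is still False and the temp file is removed
            # before the error propagates to the handlers below.
            if chain_exists:
                os.replace(tmp_chain_path, chain_path)
            else:
                os.unlink(tmp_chain_path)

        # Step 4: Combine the certificate and the chain (leaf first, as TLS servers expect)
        print('Combining the certificate and the chain...')
        with open(fullchain_path, 'w') as outfile:
            with open(cert_path, 'r') as infile:
                outfile.write(infile.read())
            if chain_exists:
                with open(chain_path, 'r') as infile:
                    outfile.write(infile.read())

        # Step 5: Validate the certificate chain
        print('Validating the certificate chain...')
        if chain_exists:
            _run_openssl(['verify', '-CAfile', chain_path, cert_path])
        else:
            # If there's no chain, fall back to openssl's default trust store
            _run_openssl(['verify', cert_path])

        print('Certificate chain is valid.')
        print(f'Certificates have been saved in the "{output_dir}" directory.')
        return {
            'key': key_path,
            'cert': cert_path,
            'chain': chain_path if chain_exists else None,
            'fullchain': fullchain_path,
        }
    except subprocess.CalledProcessError as e:
        print(f'An error occurred: {e}')
    except FileNotFoundError as e:
        # Raised when the openssl binary is not on PATH or an input path is missing.
        print(f'Required file or program not found: {e}')
    except Exception as e:
        print(f'Unexpected error: {e}')
    return None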

In [None]:
# Path to the .pfx file (without a password)
# Location of the password-less .pfx bundle to unpack; adjust before running.
pfx_file = 'path/to/your_certificate.pfx'

# Unpack the key, certificate and chain (default output directory and base
# name) and run the chain check; progress and errors are printed by the function.
extract_and_validate_certificates(pfx_file=pfx_file)


In [None]:
a. Locate the System Trusted Certificates Directory
On Red Hat-based systems (like CentOS or Fedora), the trusted CA certificates are usually located in:

Certificates Directory: /etc/pki/ca-trust/extracted/pem/
CA Bundle File: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Anchors Directory (for locally added CA certificates): /etc/pki/ca-trust/source/anchors/

In [None]:
# Inspect the trust store that update-ca-trust extracts; this is the bundle the
# Python cells below point requests at.
ls -l /etc/pki/ca-trust/extracted/pem/
# Locally added CA certificates (e.g. a corporate proxy CA) are placed here.
ls -l /etc/pki/ca-trust/source/anchors/
# Interactive pager: it blocks a notebook cell, so run this one in a terminal.
less /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Search the bundle for a subject name with one line of context on each side
# (assumes the bundle carries human-readable subject comments -- TODO confirm).
grep -A 1 -B 1 "Common Name" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Check whether the corporate proxy CA is already part of the bundle.
grep -A 1 -B 1 "My Company Proxy" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
# Install the proxy CA certificate as a trust anchor (needs root). Only the CA
# certificate belongs here, never a private key.
sudo cp proxy_cert.pem /etc/pki/ca-trust/source/anchors/
# Regenerate the extracted bundles so the new anchor ends up in tls-ca-bundle.pem.
sudo update-ca-trust extract
# Confirm the proxy CA now appears in the consolidated bundle.
grep -A 1 -B 1 "My Company Proxy" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
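import requests

# Where requests looks for its CA bundle by default. Depending on how requests
# was packaged this is either the system bundle or certifi's own copy -- the two
# example outputs below were seen on different hosts.
print(requests.certs.where())

# Example outputs (kept as comments so the cell still runs under Restart & Run All):
#   /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
#   /usr/lib/python3.6/site-packages/certifi/cacert.pem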


In [None]:
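import requests

# Path to the system CA bundle (Red Hat layout). This is the file that
# `update-ca-trust extract` regenerates, so a proxy CA dropped into the anchors
# directory is honoured here; certifi's bundled copy is a separate file.
# Setting the REQUESTS_CA_BUNDLE environment variable is the equivalent
# process-wide alternative to configuring the session.
system_ca_bundle = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'

# Create a session that uses the system CA bundle
session = requests.Session()
session.verify = system_ca_bundle

# Use the session for your requests. A timeout is required: without one a
# stalled proxy or server hangs the cell indefinitely.
response = session.get('https://your_service', timeout=30)
# Surface HTTP errors instead of silently continuing with an error body.
response.raise_for_status()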


In [None]:
# Probe the TLS handshake through the corporate proxy using the system bundle.
# Read the "Verify return code" line of the output: 0 (ok) means the server's
# chain validated against the bundle. s_client stays connected until stdin
# closes, so redirect from /dev/null when scripting it.
openssl s_client -connect your_service:443 -proxy your_proxy:proxy_port -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Same command with concrete host and proxy values filled in.
openssl s_client -connect vendor_service.com:443 -proxy proxy.company.com:8080 -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem


In [None]:
# Check a saved server certificate against the system bundle. This validates
# the signature chain, validity dates and trust anchor only; it does not check
# the hostname (use -verify_hostname <name> for that) and any intermediates
# must be supplied via -untrusted or included in the -CAfile.
openssl verify -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem server_cert.pem
