- Generate the CSR
- openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
- Sign the CSR with your Certificate Authority
- Send the CSR (or text from the CSA) to VeriSign, GoDaddy, Digicert, internal CA, etc.
- Download the CRT
- Grab a copy of the signed certificate from your CA and place both the signed certificate and the CA chain certificate inside the same folder as your csr
- Create the PKCS#12 file (.pfx .p12)
- openssl pkcs12 -export -out nameofpkcsfilewearegoingtogenerate.pfx -inkey yourdomain.key -in publiccertfromCA.crt -certfile CAcertificatechain.crt
- Enter in a password that will be used to protect your PKCS file's private key
That's all that's to it!
Note: If you have multiple certificate authorities, you will have to create a certificate chain. Use the following command for Step 4:
openssl.exe pkcs12 -export -in publiccertfromCA.crt -inkey yourdomain.key -name “MyCertYouCanChangeThisToWhateverItsAnAliasFriendlyName” -chain -CAfile certs.pem -passout pass:testpassword -out nameofpkcsfilewearegoingtogenerate.pfx
The certs.pem file will contain a list of your certificate authorities, starting from your intermediate authorities to the root authorities.