Skip to main content

Creating PFX certificate with full chain for MDM - Kennisbank / ESET Security Management Center / Mobile Device Management - ESET Tech Center

Creating PFX certificate with full chain for MDM

Authors list

Sinds V7 MDM is het verplicht om de volledige certificate chain in het certificaat te includen anders is het niet mogelijk om devices te enrollen. 


Windows:

Preparation:

- Download XCA and install it

- Download OpenSSL and install it(https://www.sslcertificaten.nl/support/OpenSSL/OpenSSL_-_Installatie_onder_Windows)

After that is done do the following:

1.) Create a empty file (C:\temp\cert-chain.txt) on your PC and past the following inside it:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate from C:\temp\your_domain_name.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
(Your Root certificate part from C:\temp\TheTrustedRoot.crt)
-----END CERTIFICATE-----

2.) Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM txt format). The order above is VERY important so do not mix it!

2.) Export the private key (unencrypted in text format) with XCA from your certificate and store it inside  C:\temp\server.pemkey

3.) Now merge everything together as pkcs12 (filename extension for PKCS #12 files is .p12 or .pfx). To do that open a CMD (run as admin) and perform:

cd C:\OpenSSL-Win32

openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx

4.) Your PFX file is now ready to be used.


Linux: 

Preperation

  • PFX file zonder full chain of private key
  • OpenSSL Installed

1.) Create a empty file (cert-chain.txt) on your PC and past the following inside it:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate from your_domain_name.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate from TheIntermediateCA.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE-----
(Your Root certificate part from TheTrustedRoot.crt)
-----END CERTIFICATE-----

2.) Export private key from existing PFX: openssl pkcs12 -in <filename>.pfx -nocerts -out key.pem.

3.) openssl pkcs12 -export -inkey /path/to/server.pemkey -in /path/to/cert-chain.txt -password pass:ABCD -out /path/to/certificate(chain_and_key).pfx

4.) Your PFX file is now ready to be used.

Comment (1)

Jarno de Haan
Indien je reeds een signed certificaat hebt kun je deze exporteren inclusief de private key (bijv in Windows Server via de Certificate Computer MMC). Dit werkt alleen als je de gehele certificate chain mee exporteert, dus inclusief de root en intermediate certificaten en dan importeert in de server met de ESET MDM rol

Reactie toevoegen

Please log in or register to submit a comment.

Need a password reminder?