Using OpenSSL to convert SSL certificate format

OpenSSL Commands

Convert PEM to PFX
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile cert-ca.crt

Convert PFX to PEM
openssl pkcs12 -in cert.pfx -out cert.cer -nodes

Convert PEM to DER
openssl x509 -outform der -in cert.pem -out cert.der

Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile cert.cer -out cert.p7b -certfile cert-ca.cer

Convert DER to PEM
openssl x509 -inform der -in cert.der -out cert.pem

Convert P7B to PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

Convert P7B to PFX
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
openssl pkcs12 -export -in cert.cer -inkey private.key -out cert.pfx -certfile cert-ca.cer

About each format (taken from

PEM Format
The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extentions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format
The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page.

PKCS#7/P7B Format
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extention of .p7b or .p7c. P7B certificates contain “—–BEGIN PKCS7—–” and “—–END PKCS7—–” statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format
The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statments) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.


Moving SSL Certificates from IIS to Apache

Export your certificate from IIS, convert, and install in Apache

Steps for moving your secure certificate from IIS to Apache:

Apache web server

1) Export the certificate from IIS. The easiest way to do this is from the MMC Certificates snap-in. Instructions for adding the certificates snap-in to MMC are available at

2) Move the .pfx to your Apache web server.

3) Extract the SSL cert and key from the .pfx file:
# To export the private key from the pfx file:
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem

# To export the certificate from the pfx file:
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem

# To remove the password from the key:
openssl rsa -in key.pem -out key_with_no_pw.key

4) Install your certificate. Installing certificates in Apache is easy!


Installing and Configuring RT with mysql on CentOS 5

RT (Request Tracker) is an enterprise-grade ticketing system which enables a group of people to intelligently and efficiently manage tasks, issues, and requests submitted by a community of users. The RT platform has been under development since 1996, and is used by systems administrators, customer support staffs, IT managers, developers and marketing departments at thousands of sites around the world. Written in object-oriented Perl, RT is a high-level, portable, platform independent system that eases collaboration within organizations and makes it easy for them to take care of their customers.


Here are the basic steps for installing RT 3.8.4 (w/ mysql db) on a CentOS 5.2 server.

Repos: Enable the centosplus repo and install the rpmforge repo

Install mod_perl, CPAN module dependencies, etc.
yum install httpd-devel apr-devel mysql-devel mod_perl freetype-devel gd-devel libjpeg-devel libpng-devel

Install nctfp:
rpm -i ncftp-3.2.2-1.el5.i386.rpm

You can find ncftp for other distros/architectures here.

Add the rt group: group add rt

Edit /etc/group and add :apache like so:

Change Apache log permissions:
chmode -R 755 /etc/httpd/logs

Install Perl modules:
yum install perl-Apache-Session perl-Class-Container perl-Class-Data-Inheritable perl-Crypt-DES perl-Devel-StackTrace perl-Exception-Class perl-GD perl-GD-Graph perl-GD-Text-Util perl-Hook-LexWrap perl-HTML-Mason perl-HTTP-Server-Simple perl-HTTP-Server-Simple-Mason perl-Net-SNMP perl-Params-Validate perl-Socket6 perl-IO-Socket-SSL perl-IO-Socket-INET6 perl-XML-RSS perl-DBD-mysql
perl -MCPAN -e shell
cpan> install Bundle::CPAN
cpan> exit

Install RT:
tar -xzvf rt.tar.gz
cd rt-3.8.6
./configure --with-web-user=apache --with-web-group=apache --with-modperl2 --with-mysql
perl sbin/rt-test-dependencies --with-mysql --with-modperl2 --install

Check for missing dependencies:perl sbin/rt-test-dependencies --with-mysql --with-modperl2 --verbose|grep MISSING
and then
make install
Now you need to modify the installed [=etc/] to specify the connections to your DBMS engine and then type:
make initialize-database
For some database backends (MySQL at least) it is not able to create the database user. So you have to create that user beforehand and you have to give it rights for the database.
mysql>GRANT ALL PRIVILEGES ON rt3.* TO 'rt_user'@'localhost' IDENTIFIED BY 'rt_pass'
If you screw something up, simply make dropdb, fix it, and start back at make install
If you run into problems, check out step 5 of Best Practical's Manual Install instructions


Edit [=etc/] in your RT installation directory, by specifying any values you need to change from the defaults as defined in It is easiest to do this by copying to, and then uncommenting and changing anything you need to set, though perhaps this isn't quite the best approach.

In many cases sensible defaults have been included. In others, you must supply a value. Some values (such as the RT log directory) will come from values you supplied in the Makefile. You'll find further explanation inline in the file. You should look at and consider changing the following entries:

$DatabasePassword = 'rt_pass'

which is the password the DatabaseUser should use to access the database.

NOTE: Some MySQL users have had trouble with passwords of longer than 8 characters; if you cannot connect, try a password of 8 characters or fewer.

$CanonicalizeEmailAddressMatch = '$';
$CanonicalizeEmailAddressReplace = '';

The $CanonicalizeEmailAddress variables allow you to keep incoming messages consistent, such as when a site removes the subdomain from an email address. In the example presented by the defaults, if messages from your organization sometimes come from and sometimes from, you'd set $CanonicalizeEmailAddressMatch to and $CanonicalizeEmailAddressReplace to

$SenderMustExistInExternalDatabase = undef;

If $SenderMustExistInExternalDatabase is true, RT will refuse to auto-create non-staff accounts for unknown users filing new tickets by email if you are using the "LookupSenderInExternalDatabase" option elsewhere in Instead, an error message will be returned and RT will forward the user's message to $RTOwner as defined in If you are not using $LookupSenderInExternalDatabase, this option has no effect. If you define an AutoRejectRequest template, RT will use this template for the rejection message.

$CorrespondAddress = 'RT::CorrespondAddress.not.set';
$CommentAddress = 'RT::CommentAddress.not.set';

$CorrespondAddress and $CommentAddress are the default addresses that will be listed in both From: and Reply-To: headers of reply and comment mail, respectively, sent by RT, unless they are overridden by a queue-specific address.

$MailCommand = 'sendmailpipe';

$MailCommand defines which method RT will use to try to send mail. We know sendmailpipe works fairly well. If sendmailpipe doesn't work well for you, try sendmail. Note that you should remove the '-t' from $SendmailArguments if you use sendmail rather than sendmailpipe. Also note that sendmailpipe and sendmail aren't the names of commands on your system, but instructions that tell RT what mail delivery subsystem to try.

*Don't forget to restart the Apache webserver after doing changes in!* This is true of any change, but we mention it here since this is the configuration option you're most likely to have to experiment with.

$SendmailArguments = "-oi -t";

$SendmailArguments defines what flags to pass to $Sendmail, assuming you picked sendmail or sendmailpipe as the $MailCommand. If you picked sendmailpipe, then $SendmailArguments must include the "-t" flag. The default options are good for most sendmail wrappers and workalikes.

$SendmailPath = "/usr/sbin/sendmail";

If you selected sendmailpipe as $MailCommand, you must specify the path to your sendmail executable file in $SendmailPath. If you did not select sendmailpipe this has no effect.
In case of Exim, the following configuration works:

Set($MailCommand , 'sendmail');
Set($SendmailArguments , "-bm -- ");
Set($SendmailPath, "/usr/sbin/exim4");
Set($NotifyActor, 1);
$Timezone = 'US/Eastern';

$Timezone is used to convert times entered by users into GMT and back again. It should be set to a timezone recognized by your local Unix box, and -- in general -- you should pick the timezone the majority of your users reside in.

$UseFriendlyToLine = 0;

RT can set a "friendly", rather than blank, To: header when sending messages to Ccs or AdminCcs. This feature does not work with Sendmail(tm)-brand sendmail. If you are using sendmail, rather than postfix, qmail, exim, or some other program, you must disable this option (by setting it to 0 rather than 1).

$WebPath = "";

A variable used to help RT construct URLs that point back to RT. If you've put RT somewhere other than at the root of your webserver, you need to define a WebPath. RT uses this in the construction of relative URLs. $WebPath requires a leading / but no trailing /
Example: if your installation is at set this to "/rt".

$WebBaseURL = "http://not.configured:80";

A variable used to help RT construct URLs that point back to RT. $WebBaseURL is the base of the URL. it should usually include the scheme, the host, and the port if non-standard.
Example: "" or ""
$WebBaseURL doesn't need a trailing /

$WebURL = $WebBaseURL . $WebPath . "/";

A variable used to help RT construct URLs that point back to RT, [=$WebURL] is the combination of [=$WebBaseURL] and [=$WebPath]. Generally, you shouldn't change it.

$WebImagesURL = $WebURL . "/NoAuth/images/";

[=$WebImagesURL] points to the base URL where RT can find its images. If you're running the FastCGI version of the RT web interface, you should make RT's [=WebRT/html/NoAuth/images] directory available on a static web server and supply that URL as [=$WebImagesUrl] -- alternately, you can tell Apache not to run it through FastCGI.

Next, you'll want to configure Apache. Append the following to /etc/httpd/conf.d/perl.conf:

    DocumentRoot /opt/rt3/share/html
    AddDefaultCharset UTF-8
    PerlRequire /opt/rt3/bin/
    <directory html="" opt="" rt3="" share=""></directory>
        Order allow,deny        Allow from all
        SetHandler perl-script
        PerlResponseHandler RT::Mason



Installing Cacti via yum

A super-quick Cacti install using yum (as performed on a CentOS 5 LAMP server):

1) Use a DAG repository

2) Install Cacti along with the dependencies (net-snmp-utils, etc):
yum install cacti

3) Create a DB for Cacti:
mysql>create database cacti;
mysql>GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'cactidbpasswd';
mysql>flush privileges;

4) Move cacti directory to apache root (if necessary):
cd /var/www/
mv cacti/ html/

5) Edit /etc/httpd/conf.d/cacti.conf to include to correct directory and allow access to the web interface from select hosts.

6) Make the DB connection by editing a Cacti config file:
vi html/cacti/include/config.php

7) Browse to the web interface (http://yourserver/cacti) and go through the initial setup!

The default Cacti username and password is admin. You’ll be required to change the password after the initial login.



Apache Lock Down – control access by IP range

Edit (make a backup first!) httpd.conf to control what IP ranges have web access to what directories on your server. For example:

# Rules for web access to website1
<Directory "/var/www/html/website1">
Order deny,allow
Deny from All
Allow from
Allow from
Allow from
ErrorDocument 403 /index.html

You can also use the ‘Location’ directive for directories that don’t reside in Apache’s document root, for example:

# Rules for web access to website2
<Location "/nagios">
Order deny,allow
Deny from All
Allow from
Allow from
Allow from
ErrorDocument 403 /index.html

Just don’t mix up the directives or they won’t work!



Apache – Web Access to Linux user home directory

To allow web access to a user’s home directory on Linux, you’ll need to make some edits to your apache config (found at /etc/httpd/conf/httpd.conf).

You’ll need to edit the UserDir section of the file, as UserDir is disabled by default. Add a comment to

And remove the comments that are disabling access:

UserDir public_html

and uncomment the entire Directory /home/*/public_html section

Restart Apache and you should be good to go!