Entrusting .pfx certificate

Hello. I have a .pem certificate that I need to use with Citrix SSO. This format is not supported by default, so I used this way to convert it to .pem

You can use the openssl command to convert nearly any certificate format to another. PFX is another name for a pkcs12 container.
If you can extract the cert in PEM format curl should be able to use it.

openssl pkcs12 -in cert.pfx -clcerts -out cert.pem

Looks like it was converted well. But after that I’m trying to open it by double-clicking the file and use KDE GUI. It looks like it can be imported there (“Import” button persists) but it demands a password to unlock the cert. And the password I used while decoding is not actual (I used the same password everywhere pasting it)
(sudo password is not fine too).
Is it okay to use the GUI to import the certificate (and what password do I need then)? Or is it better to use terminal commands?

Anyway, I used the combo with

sudo cp *.pem /etc/pki/trust/anchors
sudo update-ca-certificates

And found the cert in

trust list
type=cert    type: certificate
    trust: anchor
    category: other-entry

But not sure if it’s okay because the cert’s password was not asked.

Sorry, need to change the topic.
it’s Entrusting .pfx certificate

Is not supported by whom?

so I used this way to convert it to .pem

You said you have a PEM certificate but now you show how you convert a PFX container. How is this PFX container related to the PEM certificate you mentioned initially?

And please, always place computer code between [noparse]

...

[/noparse] tags. You put it as quote so it disappeared when answering so I cannot comment on it.

it demands a password to unlock the cert.

Certificates are not encrypted (that defeats the very purpose of a certificate). Private keys are (usually) encrypted. PKCS#12 (or PFX) is a container that can contain an arbitrary number of certificates or private keys. We do not know what your PFX file contained and you did not show any output of your command. But if it contained a private key, the “openssl pkcs12” command should have asked you for a key password, like

$ openssl pkcs12 -in cert.pfx -clcerts -out clcerts.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ 

The result will be encrypted using “PEM pass phrase”.

And the password I used while decoding is not actual

As can be seen there may be at least two passwords. Again we have no way to know what you did.

Anyway, I used the combo with

sudo cp *.pem /etc/pki/trust/anchors
sudo update-ca-certificates

And found the cert in

trust list
type=cert    type: certificate
    trust: anchor
    category: other-entry

But not sure if it’s okay because the cert’s password was not asked.

Again - a certificate has no password. A PEM file can include multiple objects (certificates and keys). Programs that only work with certificates will probably ignore keys in this file that are password protected.

But as I mentioned, a PFX container can include an arbitrary number of certificates. You requested extraction only of client certificates (-clcerts option) but placed the result in the trusted root store. This may or may not be correct depending on what you need. I do not know how these certificates are used.

When I open a .pfx certificate in KDE, the import button in the GUI window is locked and it says the certificate is unsupported.

You said you have a PEM certificate but now you show how you convert a PFX container.

Sorry, it is .pfx originally. Mistype.

OK, but it is still absolutely unclear what is inside this PFX file, what you are trying to do with its content, etc. Please understand that PFX is nothing more than an (encrypted) archive. Your question is equivalent to “how do I install a zip file”. It has no answer.

Using openssl…have a read of…
https://medium.com/@nirmaluchoudhari/converting-certificates-using-openssl-9957a743c66b

OP already knows how to “convert” PFX to PEM. But a PFX may contain a personal certificate, may contain a CA certificate, may contain an intermediate/host certificate, may contain a private key, or everything at the same time. Each of the listed items is for a different purpose; you “trust” a personal certificate differently than you “trust” a CA certificate and you cannot “trust” a private key at all.

Well that’s up to the OP to examine…

openssl pkcs12 -info -in <path to cert>
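
As an added illustration of the replies above (not code from any poster in this thread): a small Python check that lists which kinds of objects a PEM file written by openssl pkcs12 holds, so a private key in the file is noticed before the file is copied anywhere. The function names and the sample text are constructed for this example.

```python
import re

# One PEM object: BEGIN/END boundaries with matching labels.
PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def inventory(pem_text):
    """Return a list of (label, kind, encrypted) for each PEM object found."""
    found = []
    for match in PEM_OBJECT.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label; the traditional format
            # marks it with a Proc-Type header inside the block.
            encrypted = (label.startswith("ENCRYPTED")
                         or "Proc-Type: 4,ENCRYPTED" in body)
            found.append((label, "key", encrypted))
        elif label in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
            found.append((label, "certificate", False))
        else:
            found.append((label, "other", False))
    return found

def certificates_only(pem_text):
    """True if the text holds at least one object and all are certificates.
    Says nothing about whether a certificate is a CA or a client certificate."""
    kinds = [kind for _, kind, _ in inventory(pem_text)]
    return bool(kinds) and all(kind == "certificate" for kind in kinds)

# Constructed sample shaped like `openssl pkcs12 -clcerts` output; the base64
# bodies are placeholders, not real DER.
SAMPLE = """Bag Attributes
    friendlyName: constructed-example
subject=CN = constructed-example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: constructed-example
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, kind, encrypted in inventory(SAMPLE):
        print(f"{label}: {kind}, encrypted={encrypted}")
    print("certificates only:", certificates_only(SAMPLE))
```

The check works on PEM labels only, so it shows whether a key is present and whether it is passphrase-protected, not what role each certificate plays.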