Create a PFX certificate file using OpenSSL

I usually work with Linux-based operating systems for web development. However, my company does run a couple of Microsoft Windows® servers for internal financial systems. When securing connections to Windows services, it is often useful to have certificates available in PFX format.

To convert a private key, a certificate, and (optionally) any trust chains into a PFX file, you will need the following:

  • The private key file.
  • A PEM containing the corresponding certificate.
  • Additional trust chains to be included (may also be included in the PEM in bullet 2).
  • OpenSSL (I tested this on Mac OS X High Sierra – LibreSSL 2.2.7).

Place all of the files in your home directory and start a terminal session. Execute the following command, replacing the file names where appropriate for the files you have prepared:

openssl pkcs12 -export -out trevweb.pfx -inkey trevweb.key -in trevweb.crt -certfile trust-chain.crt

Assuming everything executed correctly, you should now have a ‘trevweb.pfx’ file located in your home directory ready to be imported easily by Windows services. A PFX, or I think more accurately a PKCS #12, file is a binary file format that may contain multiple certificate bundles.
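To check the result before handing it to Windows, here is an added example (not part of the original post) that wraps the command above: it refuses to build the PFX unless the private key and certificate share a public key, reads the export password from an environment variable instead of the command line, and counts the certificates in the finished file. The function names, the PFX_PASS variable and the throwaway example.test certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed names: key_matches_cert, make_pfx, pfx_cert_count, demo, PFX_PASS.

# True only when the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Build the PFX. The export password comes from $PFX_PASS (env:), so it does
# not appear in the process list or shell history.
make_pfx() {  # usage: make_pfx KEY CERT OUT [CHAIN]
  key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
  (
    umask 077  # the PFX contains the private key: owner-only permissions
    if [ -n "$4" ]; then
      openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -certfile "$4" -passout env:PFX_PASS
    else
      openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout env:PFX_PASS
    fi
  )
}

# Count the certificates in a PFX; this only succeeds if the password opens it.
pfx_cert_count() {  # usage: pfx_cert_count PFX
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Demo on constructed, throwaway material (self-signed cert, valid one day).
demo() {
  demo_dir=$(mktemp -d) || return 1
  export PFX_PASS='constructed-demo-passphrase'
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$demo_dir/demo.key" -out "$demo_dir/demo.crt" 2>/dev/null || return 1
  make_pfx "$demo_dir/demo.key" "$demo_dir/demo.crt" "$demo_dir/demo.pfx" &&
    pfx_cert_count "$demo_dir/demo.pfx"
  rm -rf "$demo_dir"
}
demo  # prints 1
```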

SMTP Service Auto-Start on Windows Server 2016

I recently installed the SMTP (Simple Mail Transfer Protocol) feature on Windows Server 2016. Everything seemed fine until I discovered that the SMTP service does not start automatically on system reboot. Furthermore, the service is not listed under the Services management snap-in. Operating the SMTP service manually via IIS Manager 6.0 works just fine.

This situation can be remedied at the command prompt using ‘sc’, i.e.:

sc config smtpsvc start= auto

Note that there is a space between the parameter ‘start=’ and the value ‘auto’. This is intentional and all name/value pairs need to be separated like this.

All being well, a confirmation will be displayed:

[SC] ChangeServiceConfig SUCCESS

This does not solve the problem of the SMTP service not being listed under the Services management snap-in. If anyone can shed any light on that, please leave a comment.

I do know that the display name for the service is ‘Simple Mail Transfer Protocol (SMTP)’. This can be confirmed by executing:

sc getdisplayname smtpsvc